From cf4808af8786d57e66a773a6c1d87d97cc13040c Mon Sep 17 00:00:00 2001 From: nectar Date: Tue, 18 Jan 2005 17:26:56 +0000 Subject: Correct exploitable vulnerabilities documented in http://vuxml.freebsd.org/249a8c42-6973-11d9-ae49-000c41e2cdad.html . --- graphics/xzgv/Makefile | 2 +- graphics/xzgv/files/patch-security-1 | 197 +++++++++++++++++++++++++++++++++++ 2 files changed, 198 insertions(+), 1 deletion(-) create mode 100644 graphics/xzgv/files/patch-security-1 (limited to 'graphics/xzgv') diff --git a/graphics/xzgv/Makefile b/graphics/xzgv/Makefile index f29525db3c01..525ca680a308 100644 --- a/graphics/xzgv/Makefile +++ b/graphics/xzgv/Makefile @@ -7,7 +7,7 @@ PORTNAME= xzgv PORTVERSION= 0.8 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= graphics MASTER_SITES= http://xzgv.browser.org/ \ ${MASTER_SITE_SUNSITE} diff --git a/graphics/xzgv/files/patch-security-1 b/graphics/xzgv/files/patch-security-1 new file mode 100644 index 000000000000..4beba6fadc89 --- /dev/null +++ b/graphics/xzgv/files/patch-security-1 @@ -0,0 +1,197 @@ +diff -urN xzgv-0.8/ChangeLog xzgv/ChangeLog +--- xzgv-0.8/ChangeLog Tue Sep 16 15:08:42 2003 ++++ ChangeLog Wed Dec 15 03:30:46 2004 +@@ -1,3 +1,13 @@ ++2004-11-03 Russell Marks ++ ++ * Added width/height limits to all native picture readers. This is ++ a crude (albeit effective) fix for heap overflow bugs - there may ++ yet be more subtle problems, but I can't really fix them until I ++ know they're there. :-) Thanks to Luke Macken for letting me know ++ about the heap overflow problems (in zgv). I suppose I should also ++ thank "infamous41md" for publishing the original advisory/exploit ++ (again for zgv), even if he didn't bother emailing me or anything. ++ + 2003-09-16 Russell Marks + + * Version 0.8. +diff -urN xzgv-0.8/src/Makefile xzgv/src/Makefile +--- xzgv-0.8/src/Makefile Tue Jan 1 05:37:45 2002 ++++ src/Makefile Wed Dec 15 03:30:46 2004 +@@ -84,18 +84,19 @@ + logo.o: logo.c logodata.h + logoconv.o: logoconv.c + main.o: main.c backend.h readmrf.h readgif.h readpng.h readjpeg.h \ +- readtiff.h resizepic.h rcfile.h filedetails.h gotodir.h updatetn.h \ +- confirm.h misc.h copymove.h rename.h help.h dir_icon.xpm \ ++ readtiff.h readprf.h resizepic.h rcfile.h filedetails.h gotodir.h \ ++ updatetn.h confirm.h misc.h copymove.h rename.h help.h dir_icon.xpm \ + dir_icon_small.xpm file_icon.xpm file_icon_small.xpm logo.h \ + icon-48.xpm main.h + misc.o: misc.c misc.h + rcfile.o: rcfile.c getopt.h rcfile.h rcfile_opt.h rcfile_var.h \ + rcfile_short.h +-readgif.o: readgif.c readgif.h +-readjpeg.o: readjpeg.c rcfile.h readjpeg.h +-readmrf.o: readmrf.c readmrf.h ++readgif.o: readgif.c reader.h readgif.h ++readjpeg.o: readjpeg.c rcfile.h reader.h readjpeg.h ++readmrf.o: readmrf.c reader.h readmrf.h + readpng.o: readpng.c readpng.h +-readtiff.o: readtiff.c readtiff.h ++readprf.o: readprf.c reader.h readprf.h ++readtiff.o: readtiff.c reader.h readtiff.h + rename.o: rename.c backend.h main.h rename.h + resizepic.o: resizepic.c resizepic.h + updatetn.o: updatetn.c backend.h main.h rcfile.h dither.h resizepic.h \ +diff -urN xzgv-0.8/src/reader.h xzgv/src/reader.h +--- xzgv-0.8/src/reader.h Thu Jan 1 01:00:00 1970 ++++ src/reader.h Wed Dec 15 03:30:46 2004 +@@ -0,0 +1,15 @@ ++/* xzgv 0.8 - picture viewer for X, with file selector. ++ * Copyright (C) 1999-2004 Russell Marks. See main.c for license details. ++ * ++ * reader.h ++ */ ++ ++/* range check on width and height as a crude way of avoiding overflows ++ * when calling malloc/calloc. 32767 is the obvious limit to use given that ++ * xzgv effectively imposes such a limit anyway. ++ * Adds an extra 2 to height for max-height check, partly to reflect what ++ * the check in zgv does but also to allow for readtiff.c allocating an ++ * extra line (so at least an extra 1 would have been needed in any case). ++ */ ++#define WH_MAX 32767 ++#define WH_BAD(w,h) ((w)<=0 || (w)>WH_MAX || (h)<=0 || ((h)+2)>WH_MAX) +diff -urN xzgv-0.8/src/readgif.c xzgv/src/readgif.c +--- xzgv-0.8/src/readgif.c Sun Mar 3 04:34:32 2002 ++++ src/readgif.c Wed Dec 15 03:30:46 2004 +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include "reader.h" + #include "readgif.h" + + +@@ -103,7 +104,7 @@ + + if(local_colour_map) readcolmap(in); + +- if((image=malloc(width*height*3))==NULL) ++ if(WH_BAD(width,height) || (image=malloc(width*height*3))==NULL) + { + fclose(in); + return(0); +diff -urN xzgv-0.8/src/readjpeg.c xzgv/src/readjpeg.c +--- xzgv-0.8/src/readjpeg.c Tue Sep 16 12:52:04 2003 ++++ src/readjpeg.c Wed Dec 15 03:30:46 2004 +@@ -13,6 +13,7 @@ + #include + + #include "rcfile.h" ++#include "reader.h" + + #include "readjpeg.h" + +@@ -265,7 +266,7 @@ + /* this one shouldn't hurt */ + cinfo.do_block_smoothing=FALSE; + +-if((*imagep=image=malloc(width*height*3))==NULL) ++if(WH_BAD(width,height) || (*imagep=image=malloc(width*height*3))==NULL) + longjmp(jerr.setjmp_buffer,1); + + jpeg_start_decompress(&cinfo); +diff -urN xzgv-0.8/src/readmrf.c xzgv/src/readmrf.c +--- xzgv-0.8/src/readmrf.c Sat Oct 7 14:26:55 2000 ++++ src/readmrf.c Wed Dec 15 03:30:46 2004 +@@ -7,6 +7,7 @@ + #include + #include + #include ++#include "reader.h" + #include "readmrf.h" + + +@@ -91,7 +92,8 @@ + w64=(w+63)/64; + h64=(h+63)/64; + +-if((*bmap=malloc(w*h*3))==NULL || ++if(WH_BAD(w64*64,h64*64) || WH_BAD(w,h) || ++ (*bmap=malloc(w*h*3))==NULL || + (image=calloc(w64*h64*64*64,1))==NULL) + { + if(*bmap) free(*bmap),*bmap=NULL; +diff -urN xzgv-0.8/src/readpng.c xzgv/src/readpng.c +--- xzgv-0.8/src/readpng.c Thu Jul 10 16:13:43 2003 ++++ src/readpng.c Wed Dec 15 03:32:46 2004 +@@ -16,6 +16,7 @@ + #include + #include + #include /* after png.h to avoid horrible thing in pngconf.h */ ++#include "reader.h" + #include "readpng.h" + + +@@ -129,7 +130,8 @@ + } + + /* allocate image memory */ +-if((*theimageptr=theimage=malloc(width*height*3))==NULL) ++if(WH_BAD(width,height) || ++ (*theimageptr=theimage=malloc(width*height*3))==NULL) + { + png_read_end(png_ptr,info_ptr); + png_destroy_read_struct(&png_ptr,&info_ptr,NULL); +diff -urN xzgv-0.8/src/readprf.c xzgv/src/readprf.c +--- xzgv-0.8/src/readprf.c Mon Apr 9 19:08:19 2001 ++++ src/readprf.c Wed Dec 15 03:30:46 2004 +@@ -7,6 +7,7 @@ + #include + #include + #include ++#include "reader.h" + #include "readprf.h" + + #define squaresize 64 +@@ -164,7 +165,7 @@ + bytepp=1; + + n=width*squaresize; +-if((planebuf[0]=calloc(n,planes))==NULL) ++if(WH_BAD(width,height) || (planebuf[0]=calloc(n,planes))==NULL) + { + fclose(in); + return(0); +@@ -173,6 +174,7 @@ + for(f=1;f + #include /* for open et al */ + #include +- ++#include "reader.h" + #include "readtiff.h" + + +@@ -36,7 +36,8 @@ + * spare for the flip afterwards. + */ + numpix=width*height; +-if((image=malloc(numpix*sizeof(uint32)+width*3))==NULL) ++if(WH_BAD(width,height) || ++ (image=malloc(numpix*sizeof(uint32)+width*3))==NULL) + { + TIFFClose(in); + return(0); -- cgit