[BACK]Return to patch-ao CVS log [TXT][DIR] Up to [cvs.NetBSD.org] / pkgsrc / graphics / imlib / patches

File: [cvs.NetBSD.org] / pkgsrc / graphics / imlib / patches / patch-ao (download)

Revision 1.1, Fri Dec 10 09:30:42 2004 UTC (14 years, 10 months ago) by salo
Branch: MAIN
CVS Tags: pkgsrc-2019Q3-base, pkgsrc-2019Q3, pkgsrc-2019Q2-base, pkgsrc-2019Q2, pkgsrc-2019Q1-base, pkgsrc-2019Q1, pkgsrc-2018Q4-base, pkgsrc-2018Q4, pkgsrc-2018Q3-base, pkgsrc-2018Q3, pkgsrc-2018Q2-base, pkgsrc-2018Q2, pkgsrc-2018Q1-base, pkgsrc-2018Q1, pkgsrc-2017Q4-base, pkgsrc-2017Q4, pkgsrc-2017Q3-base, pkgsrc-2017Q3, pkgsrc-2017Q2-base, pkgsrc-2017Q2, pkgsrc-2017Q1-base, pkgsrc-2017Q1, pkgsrc-2016Q4-base, pkgsrc-2016Q4, pkgsrc-2016Q3-base, pkgsrc-2016Q3, pkgsrc-2016Q2-base, pkgsrc-2016Q2, pkgsrc-2016Q1-base, pkgsrc-2016Q1, pkgsrc-2015Q4-base, pkgsrc-2015Q4, pkgsrc-2015Q3-base, pkgsrc-2015Q3, pkgsrc-2015Q2-base, pkgsrc-2015Q2, pkgsrc-2015Q1-base, pkgsrc-2015Q1, pkgsrc-2014Q4-base, pkgsrc-2014Q4, pkgsrc-2014Q3-base, pkgsrc-2014Q3, pkgsrc-2014Q2-base, pkgsrc-2014Q2, pkgsrc-2014Q1-base, pkgsrc-2014Q1, pkgsrc-2013Q4-base, pkgsrc-2013Q4, pkgsrc-2013Q3-base, pkgsrc-2013Q3, pkgsrc-2013Q2-base, pkgsrc-2013Q2, pkgsrc-2013Q1-base, pkgsrc-2013Q1, pkgsrc-2012Q4-base, pkgsrc-2012Q4, pkgsrc-2012Q3-base, pkgsrc-2012Q3, pkgsrc-2012Q2-base, pkgsrc-2012Q2, pkgsrc-2012Q1-base, pkgsrc-2012Q1, pkgsrc-2011Q4-base, pkgsrc-2011Q4, pkgsrc-2011Q3-base, pkgsrc-2011Q3, pkgsrc-2011Q2-base, pkgsrc-2011Q2, pkgsrc-2011Q1-base, pkgsrc-2011Q1, pkgsrc-2010Q4-base, pkgsrc-2010Q4, pkgsrc-2010Q3-base, pkgsrc-2010Q3, pkgsrc-2010Q2-base, pkgsrc-2010Q2, pkgsrc-2010Q1-base, pkgsrc-2010Q1, pkgsrc-2009Q4-base, pkgsrc-2009Q4, pkgsrc-2009Q3-base, pkgsrc-2009Q3, pkgsrc-2009Q2-base, pkgsrc-2009Q2, pkgsrc-2009Q1-base, pkgsrc-2009Q1, pkgsrc-2008Q4-base, pkgsrc-2008Q4, pkgsrc-2008Q3-base, pkgsrc-2008Q3, pkgsrc-2008Q2-base, pkgsrc-2008Q2, pkgsrc-2008Q1-base, pkgsrc-2008Q1, pkgsrc-2007Q4-base, pkgsrc-2007Q4, pkgsrc-2007Q3-base, pkgsrc-2007Q3, pkgsrc-2007Q2-base, pkgsrc-2007Q2, pkgsrc-2007Q1-base, pkgsrc-2007Q1, pkgsrc-2006Q4-base, pkgsrc-2006Q4, pkgsrc-2006Q3-base, pkgsrc-2006Q3, pkgsrc-2006Q2-base, pkgsrc-2006Q2, pkgsrc-2006Q1-base, pkgsrc-2006Q1, pkgsrc-2005Q4-base, pkgsrc-2005Q4, pkgsrc-2005Q3-base, pkgsrc-2005Q3, pkgsrc-2005Q2-base, pkgsrc-2005Q2, pkgsrc-2005Q1-base, pkgsrc-2005Q1, pkgsrc-2004Q4-base, pkgsrc-2004Q4, pkgsrc-, cwrapper, cube-native-xorg-base, cube-native-xorg, HEAD
Branch point for: pkgsrc-2004Q3

Bump PKGREVISION, security fix:

"Multiple buffer overflows in imlib 1.9.14 and earlier, which is used by
gkrellm and several window managers, allow remote attackers to execute
arbitrary code via certain image files."  (1.9.15 is also affected)

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1026

Patch from Pavel Kankovsky.

$NetBSD: patch-ao,v 1.1 2004/12/10 09:30:42 salo Exp $

--- gdk_imlib/utils.c.orig	2002-03-22 15:43:29.000000000 +0100
+++ gdk_imlib/utils.c	2004-12-10 10:15:22.000000000 +0100
@@ -1236,36 +1236,56 @@
   context = 0;
   ptr = NULL;
   end = NULL;
+  memset(lookup, 0, sizeof(lookup));
 
   while (!done)
     {
       line = data[count++];
+      if (!line)
+	break;
+      line = strdup(line);
+      if (!line)
+	break;
+      len = strlen(line);
+      for (i = 0; i < len; ++i)
+        {
+	  c = line[i];
+	  if (c < 32)
+	    line[i] = 32;
+	  else if (c > 127)
+	    line[i] = 127;
+	}
+
       if (context == 0)
 	{
 	  /* Header */
 	  sscanf(line, "%i %i %i %i", &w, &h, &ncolors, &cpp);
-	  if (ncolors > 32766)
+	  if (ncolors <= 0 || ncolors > 32766)
 	    {
 	      fprintf(stderr, "gdk_imlib ERROR: XPM data wth colors > 32766 not supported\n");
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
-	  if (cpp > 5)
+	  if (cpp <= 0 || cpp > 5)
 	    {
 	      fprintf(stderr, "gdk_imlib ERROR: XPM data with characters per pixel > 5 not supported\n");
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
-	  if (w > 32767)
+	  if (w <= 0 || w > 32767)
 	    {
 	      fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for data\n");
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
-	  if (h > 32767)
+	  if (h <= 0 || h > 32767)
 	    {
 	      fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for data\n");
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
 	  cmap = malloc(sizeof(struct _cmap) * ncolors);
@@ -1273,6 +1293,7 @@
 	  if (!cmap)
 	    {
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
 	  im->rgb_width = w;
@@ -1282,6 +1303,7 @@
 	    {
 	      free(cmap);
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
 	  im->alpha_data = NULL;
@@ -1355,7 +1377,7 @@
 				  strcpy(col + colptr, " ");
 				  colptr++;
 				}
-			      if (colptr + ls <= sizeof(col))
+			      if (colptr + ls < sizeof(col))
 				{
 				  strcpy(col + colptr, s);
 				  colptr += ls;
@@ -1558,6 +1580,7 @@
 	}
       if ((ptr) && ((ptr - im->rgb_data) >= w * h * 3))
 	done = 1;
+      free(line);
     }
   if (!transp)
     {