aboutsummaryrefslogtreecommitdiff
path: root/graphics/imlib2/files
diff options
context:
space:
mode:
authorStanislav Sedov <stas@FreeBSD.org>2006-11-08 17:18:36 +0000
committerStanislav Sedov <stas@FreeBSD.org>2006-11-08 17:18:36 +0000
commit75397ef2c949234e6ab6a58a3928126ff16374de (patch)
tree78abfc278729f36810136f07a02f933072665485 /graphics/imlib2/files
parented5d8425fb528e621bb502ca24742ba7459ad8c7 (diff)
downloadports-75397ef2c949234e6ab6a58a3928126ff16374de.tar.gz
ports-75397ef2c949234e6ab6a58a3928126ff16374de.zip
- Fix recent vulerabilities in imlib2.
- Bump portrevision Patches obtained from: ubuntu repository (based on)
Notes
Notes: svn path=/head/; revision=176830
Diffstat (limited to 'graphics/imlib2/files')
-rw-r--r--graphics/imlib2/files/patch-src_modules_loaders_loader_argb.c29
-rw-r--r--graphics/imlib2/files/patch-src_modules_loaders_loader_jpeg.c15
-rw-r--r--graphics/imlib2/files/patch-src_modules_loaders_loader_lbm.c48
-rw-r--r--graphics/imlib2/files/patch-src_modules_loaders_loader_png.c16
-rw-r--r--graphics/imlib2/files/patch-src_modules_loaders_loader_pnm.c11
-rw-r--r--graphics/imlib2/files/patch-src_modules_loaders_loader_tga.c75
-rw-r--r--graphics/imlib2/files/patch-src_modules_loaders_loader_tiff.c29
7 files changed, 223 insertions, 0 deletions
diff --git a/graphics/imlib2/files/patch-src_modules_loaders_loader_argb.c b/graphics/imlib2/files/patch-src_modules_loaders_loader_argb.c
new file mode 100644
index 000000000000..7d3d0925140a
--- /dev/null
+++ b/graphics/imlib2/files/patch-src_modules_loaders_loader_argb.c
@@ -0,0 +1,29 @@
+--- src/modules/loaders/loader_argb.c.orig Wed Nov 8 19:39:37 2006
++++ src/modules/loaders/loader_argb.c Wed Nov 8 19:41:38 2006
+@@ -23,7 +23,7 @@
+ load(ImlibImage * im, ImlibProgressFunction progress,
+ char progress_granularity, char immediate_load)
+ {
+- int w, h, alpha;
++ int w = 0, h = 0, alpha = 0;
+ FILE *f;
+
+ if (im->data)
+@@ -36,13 +36,16 @@
+ {
+ char buf[256], buf2[256];
+
++ bzero(buf, sizeof(buf));
++ bzero(buf2, sizeof(buf2));
++
+ if (!fgets(buf, 255, f))
+ {
+ fclose(f);
+ return 0;
+ }
+ sscanf(buf, "%s %i %i %i", buf2, &w, &h, &alpha);
+- if (strcmp(buf2, "ARGB"))
++ if (strcmp(buf2, "ARGB") || w < 1 || h < 1 || w > 16383 || h > 16383)
+ {
+ fclose(f);
+ return 0;
diff --git a/graphics/imlib2/files/patch-src_modules_loaders_loader_jpeg.c b/graphics/imlib2/files/patch-src_modules_loaders_loader_jpeg.c
new file mode 100644
index 000000000000..9ac40f336bd0
--- /dev/null
+++ b/graphics/imlib2/files/patch-src_modules_loaders_loader_jpeg.c
@@ -0,0 +1,15 @@
+--- src/modules/loaders/loader_jpeg.c.orig Wed Nov 8 19:41:41 2006
++++ src/modules/loaders/loader_jpeg.c Wed Nov 8 19:42:43 2006
+@@ -104,8 +104,11 @@
+ im->w = w = cinfo.output_width;
+ im->h = h = cinfo.output_height;
+
+- if (cinfo.rec_outbuf_height > 16)
++ if (cinfo.rec_outbuf_height > 16 \
++ || w < 1 || h < 1 || w > 16383 || h > 16383)
+ {
++ im->w = 0;
++ im->h = 0;
+ jpeg_destroy_decompress(&cinfo);
+ fclose(f);
+ return 0;
diff --git a/graphics/imlib2/files/patch-src_modules_loaders_loader_lbm.c b/graphics/imlib2/files/patch-src_modules_loaders_loader_lbm.c
new file mode 100644
index 000000000000..ab5fb9aacb0f
--- /dev/null
+++ b/graphics/imlib2/files/patch-src_modules_loaders_loader_lbm.c
@@ -0,0 +1,48 @@
+--- src/modules/loaders/loader_lbm.c.orig Wed Nov 8 19:42:46 2006
++++ src/modules/loaders/loader_lbm.c Wed Nov 8 19:47:10 2006
+@@ -421,7 +421,7 @@
+
+ im->w = L2RWORD(ilbm.bmhd.data);
+ im->h = L2RWORD(ilbm.bmhd.data + 2);
+- if (im->w <= 0 || im->h <= 0) ok = 0;
++ if (im->w <= 0 || im->h <= 0 || im->w > 16383 || im->h > 16383) ok = 0;
+
+ ilbm.depth = ilbm.bmhd.data[8];
+ if (ilbm.depth < 1 || (ilbm.depth > 8 && ilbm.depth != 24 && ilbm.depth != 32)) ok = 0; /* Only 1 to 8, 24, or 32 planes. */
+@@ -453,6 +453,8 @@
+ }
+ }
+ if (!full || !ok) {
++ im->w = 0;
++ im->h = 0;
+ freeilbm(&ilbm);
+ return ok;
+ }
+@@ -468,11 +470,14 @@
+ plane[0] = NULL;
+
+ im->data = malloc(im->w * im->h * sizeof(DATA32));
+- if (im->data) {
+- n = ilbm.depth;
+- if (ilbm.mask == 1) n++;
+
+- plane[0] = malloc(((im->w + 15) / 16) * 2 * n);
++ n = ilbm.depth;
++ if (ilbm.mask == 1)
++ n++;
++
++ plane[0] = malloc(((im->w + 15) / 16) * 2 * n);
++
++ if (im->data != NULL && plane[0] != NULL) {
+ for (i = 1; i < n; i++) plane[i] = plane[i - 1] + ((im->w + 15) / 16) * 2;
+
+ z = ((im->w + 15) / 16) * 2 * n;
+@@ -511,6 +516,8 @@
+ * the memory for im->data.
+ *----------*/
+ if (!ok) {
++ im->w = 0;
++ im->h = 0;
+ if (im->data) free(im->data);
+ im->data = NULL;
+ }
diff --git a/graphics/imlib2/files/patch-src_modules_loaders_loader_png.c b/graphics/imlib2/files/patch-src_modules_loaders_loader_png.c
new file mode 100644
index 000000000000..0eeb196eb47d
--- /dev/null
+++ b/graphics/imlib2/files/patch-src_modules_loaders_loader_png.c
@@ -0,0 +1,16 @@
+--- src/modules/loaders/loader_png.c.orig Wed Nov 8 19:47:13 2006
++++ src/modules/loaders/loader_png.c Wed Nov 8 19:48:04 2006
+@@ -83,6 +83,13 @@
+ png_get_IHDR(png_ptr, info_ptr, (png_uint_32 *) (&w32),
+ (png_uint_32 *) (&h32), &bit_depth, &color_type,
+ &interlace_type, NULL, NULL);
++ if (w32 < 1 || h32 < 1 || w32 > 16383 || h32 > 16383) {
++ png_read_end(png_ptr, info_ptr);
++ png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp) NULL);
++ fclose(f);
++ return 0;
++ }
++
+ im->w = (int)w32;
+ im->h = (int)h32;
+ if (color_type == PNG_COLOR_TYPE_PALETTE)
diff --git a/graphics/imlib2/files/patch-src_modules_loaders_loader_pnm.c b/graphics/imlib2/files/patch-src_modules_loaders_loader_pnm.c
new file mode 100644
index 000000000000..32262a903558
--- /dev/null
+++ b/graphics/imlib2/files/patch-src_modules_loaders_loader_pnm.c
@@ -0,0 +1,11 @@
+--- src/modules/loaders/loader_pnm.c.orig Wed Nov 8 19:48:10 2006
++++ src/modules/loaders/loader_pnm.c Wed Nov 8 19:48:51 2006
+@@ -80,7 +80,7 @@
+ int i = 0;
+
+ /* read numbers */
+- while (c != EOF && !isspace(c))
++ while (c != EOF && !isspace(c) && (sizeof(buf) < (i + 1)))
+ {
+ buf[i++] = c;
+ c = fgetc(f);
diff --git a/graphics/imlib2/files/patch-src_modules_loaders_loader_tga.c b/graphics/imlib2/files/patch-src_modules_loaders_loader_tga.c
new file mode 100644
index 000000000000..422f02f8dbff
--- /dev/null
+++ b/graphics/imlib2/files/patch-src_modules_loaders_loader_tga.c
@@ -0,0 +1,75 @@
+--- src/modules/loaders/loader_tga.c.orig Wed Nov 8 19:48:53 2006
++++ src/modules/loaders/loader_tga.c Wed Nov 8 19:54:47 2006
+@@ -319,6 +319,7 @@
+ {
+ unsigned long datasize;
+ unsigned char *bufptr;
++ unsigned char *bufend;
+ DATA32 *dataptr;
+
+ int y;
+@@ -347,6 +348,9 @@
+ /* bufptr is the next byte to be read from the buffer */
+ bufptr = filedata;
+
++ /* bufend is one past the last byte to be read from the buffer */
++ bufend = filedata + datasize;
++
+ /* dataptr is the next 32-bit pixel to be filled in */
+ dataptr = im->data;
+
+@@ -364,7 +368,8 @@
+ else
+ dataptr = im->data + (y * im->w);
+
+- for (x = 0; x < im->w; x++) /* for each pixel in the row */
++ /* for each pixel in the row */
++ for (x = 0; x < im->w && ((bufptr + bpp/8) < bufend); x++)
+ {
+ switch (bpp)
+ {
+@@ -419,7 +424,7 @@
+ DATA32 *final_pixel = dataptr + im->w * im->h;
+
+ /* loop until we've got all the pixels */
+- while (dataptr < final_pixel)
++ while (dataptr < final_pixel && ((bufptr + 1 + bpp/8) < bufend))
+ {
+ int count;
+
+@@ -437,7 +442,7 @@
+ green = *bufptr++;
+ red = *bufptr++;
+ alpha = *bufptr++;
+- for (i = 0; i < count; i++)
++ for (i = 0; i < count && dataptr < final_pixel; i++)
+ {
+ WRITE_RGBA(dataptr, red, green, blue, alpha);
+ dataptr++;
+@@ -448,7 +453,7 @@
+ blue = *bufptr++;
+ green = *bufptr++;
+ red = *bufptr++;
+- for (i = 0; i < count; i++)
++ for (i = 0; i < count && dataptr < final_pixel; i++)
+ {
+ WRITE_RGBA(dataptr, red, green, blue,
+ (char)0xff);
+@@ -458,7 +463,7 @@
+
+ case 8:
+ alpha = *bufptr++;
+- for (i = 0; i < count; i++)
++ for (i = 0; i < count && dataptr < final_pixel; i++)
+ {
+ WRITE_RGBA(dataptr, alpha, alpha, alpha,
+ (char)0xff);
+@@ -473,7 +478,7 @@
+ {
+ int i;
+
+- for (i = 0; i < count; i++)
++ for (i = 0; i < count && dataptr < final_pixel; i++)
+ {
+ switch (bpp)
+ {
diff --git a/graphics/imlib2/files/patch-src_modules_loaders_loader_tiff.c b/graphics/imlib2/files/patch-src_modules_loaders_loader_tiff.c
new file mode 100644
index 000000000000..27ec0d0b290a
--- /dev/null
+++ b/graphics/imlib2/files/patch-src_modules_loaders_loader_tiff.c
@@ -0,0 +1,29 @@
+--- src/modules/loaders/loader_tiff.c.orig Tue Sep 26 23:17:49 2006
++++ src/modules/loaders/loader_tiff.c Wed Nov 8 19:58:57 2006
+@@ -75,7 +75,7 @@
+ raster(TIFFRGBAImage_Extra * img, uint32 * rast,
+ uint32 x, uint32 y, uint32 w, uint32 h)
+ {
+- uint32 image_width, image_height;
++ int image_width, image_height;
+ uint32 *pixel, pixel_value;
+ int i, j, dy, rast_offset;
+ DATA32 *buffer_pixel, *buffer = img->image->data;
+@@ -202,8 +202,15 @@
+ }
+
+ rgba_image.image = im;
+- im->w = width = rgba_image.rgba.width;
+- im->h = height = rgba_image.rgba.height;
++ width = rgba_image.rgba.width;
++ height = rgba_image.rgba.height;
++ if (width < 1 || height < 1 || width >= 16384 || height >= 16384) {
++ TIFFRGBAImageEnd((TIFFRGBAImage *) & rgba_image);
++ TIFFClose(tif);
++ return 0;
++ }
++ im->w = width;
++ im->h = height;
+ rgba_image.num_pixels = num_pixels = width * height;
+ if (rgba_image.rgba.alpha != EXTRASAMPLE_UNSPECIFIED)
+ SET_FLAG(im->flags, F_HAS_ALPHA);
generated by cgit v1.2.3 (git 2.25.1) at 2024-10-06 09:48:52 +0000