Fix recent XPM buffer overflows as described at

http://www.vuxml.org/freebsd/3d1e9267-073f-11d9-b45d-000c41e2cdad.html.

Obtained from:	GTK+ CVS
Approved by:	portmgr (implicit)

4 files changed, 202 insertions, 0 deletions

diff --git a/x11-toolkits/gtk20/Makefile b/x11-toolkits/gtk20/Makefile
index e7c769969f02..4e3133d15106 100644
--- a/x11-toolkits/gtk20/Makefile
+++ b/x11-toolkits/gtk20/Makefile
@@ -7,6 +7,7 @@
 
 PORTNAME=	gtk
 PORTVERSION=	2.4.9
+PORTREVISION=	1
 CATEGORIES=	x11-toolkits
 MASTER_SITES=	${MASTER_SITE_GNOME:S,%SUBDIR%,sources/gtk+/2.4,} \
 		ftp://ftp.gtk.org/pub/gtk/v2.3/ \
diff --git a/x11-toolkits/gtk20/files/patch-pixbuf-security b/x11-toolkits/gtk20/files/patch-pixbuf-security
new file mode 100644
index 000000000000..6ad822a6b420
--- /dev/null
+++ b/x11-toolkits/gtk20/files/patch-pixbuf-security
@@ -0,0 +1,100 @@
+===================================================================
+RCS file: /cvs/gnome/gtk+/gdk-pixbuf/io-ico.c,v
+retrieving revision 1.34
+retrieving revision 1.34.2.1
+diff -u -r1.34 -r1.34.2.1
+--- gdk-pixbuf/io-ico.c	2004/01/07 00:26:58	1.34
++++ gdk-pixbuf/io-ico.c	2004/09/15 14:32:13	1.34.2.1
+@@ -323,6 +323,14 @@
+ 	
+ 	State->HeaderSize+=I;
+ 	
++	if (State->HeaderSize < 0) {
++		g_set_error (error,
++			     GDK_PIXBUF_ERROR,
++			     GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
++			     _("Invalid header in icon"));
++		return;
++	}
++
+  	if (State->HeaderSize>State->BytesInHeaderBuf) {
+ 	        guchar *tmp=g_try_realloc(State->HeaderBuf,State->HeaderSize);
+ 		if (!tmp) {
+===================================================================
+RCS file: /cvs/gnome/gtk+/gdk-pixbuf/io-xpm.c,v
+retrieving revision 1.42
+retrieving revision 1.42.2.1
+diff -u -r1.42 -r1.42.2.1
+--- gdk-pixbuf/io-xpm.c	2003/03/08 20:48:58	1.42
++++ gdk-pixbuf/io-xpm.c	2004/09/15 14:32:13	1.42.2.1
+@@ -1079,7 +1079,7 @@
+ 	gint key = 0;
+ 	gint current_key = 1;
+ 	gint space = 128;
+-	gchar word[128], color[128], current_color[128];
++	gchar word[129], color[129], current_color[129];
+ 	gchar *r; 
+ 	
+ 	word[0] = '\0';
+@@ -1121,8 +1121,8 @@
+ 				return NULL;
+ 			/* accumulate color name */
+ 			if (color[0] != '\0') {
+-				strcat (color, " ");
+-				space--;
++				strncat (color, " ", space);
++				space -= MIN (space, 1);
+ 			}
+ 			strncat (color, word, space);
+ 			space -= MIN (space, strlen (word));
+@@ -1246,27 +1246,43 @@
+ 		return NULL;
+ 
+ 	}
+-	if (n_col <= 0) {
++	if (cpp <= 0 || cpp >= 32) {
+                 g_set_error (error,
+                              GDK_PIXBUF_ERROR,
+                              GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+-                             _("XPM file has invalid number of colors"));
++                             _("XPM has invalid number of chars per pixel"));
+ 		return NULL;
+-
+ 	}
+-	if (cpp <= 0 || cpp >= 32) {
++	if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1)) {
+                 g_set_error (error,
+                              GDK_PIXBUF_ERROR,
+                              GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+-                             _("XPM has invalid number of chars per pixel"));
++                             _("XPM file has invalid number of colors"));
+ 		return NULL;
+ 	}
+ 
+ 	/* The hash is used for fast lookups of color from chars */
+ 	color_hash = g_hash_table_new (g_str_hash, g_str_equal);
+ 
+-	name_buf = g_new (gchar, n_col * (cpp + 1));
+-	colors = g_new (XPMColor, n_col);
++	name_buf = g_try_malloc (n_col * (cpp + 1));
++	if (!name_buf) {
++		g_set_error (error,
++			     GDK_PIXBUF_ERROR,
++                             GDK_PIXBUF_ERROR_INSUFFICIENT_MEMORY,
++                             _("Cannot allocate memory for loading XPM image"));
++		g_hash_table_destroy (color_hash);
++		return NULL;
++	}
++	colors = (XPMColor *) g_try_malloc (sizeof (XPMColor) * n_col);
++	if (!colors) {
++		g_set_error (error,
++			     GDK_PIXBUF_ERROR,
++                             GDK_PIXBUF_ERROR_INSUFFICIENT_MEMORY,
++                             _("Cannot allocate memory for loading XPM image"));
++		g_hash_table_destroy (color_hash);
++		g_free (name_buf);
++		return NULL;
++	}
+ 
+ 	for (cnt = 0; cnt < n_col; cnt++) {
+ 		gchar *color_name;
diff --git a/x11-toolkits/gtk30/Makefile b/x11-toolkits/gtk30/Makefile
index e7c769969f02..4e3133d15106 100644
--- a/x11-toolkits/gtk30/Makefile
+++ b/x11-toolkits/gtk30/Makefile
@@ -7,6 +7,7 @@
 
 PORTNAME=	gtk
 PORTVERSION=	2.4.9
+PORTREVISION=	1
 CATEGORIES=	x11-toolkits
 MASTER_SITES=	${MASTER_SITE_GNOME:S,%SUBDIR%,sources/gtk+/2.4,} \
 		ftp://ftp.gtk.org/pub/gtk/v2.3/ \
diff --git a/x11-toolkits/gtk30/files/patch-pixbuf-security b/x11-toolkits/gtk30/files/patch-pixbuf-security
new file mode 100644
index 000000000000..6ad822a6b420
--- /dev/null
+++ b/x11-toolkits/gtk30/files/patch-pixbuf-security
@@ -0,0 +1,100 @@
+===================================================================
+RCS file: /cvs/gnome/gtk+/gdk-pixbuf/io-ico.c,v
+retrieving revision 1.34
+retrieving revision 1.34.2.1
+diff -u -r1.34 -r1.34.2.1
+--- gdk-pixbuf/io-ico.c	2004/01/07 00:26:58	1.34
++++ gdk-pixbuf/io-ico.c	2004/09/15 14:32:13	1.34.2.1
+@@ -323,6 +323,14 @@
+ 	
+ 	State->HeaderSize+=I;
+ 	
++	if (State->HeaderSize < 0) {
++		g_set_error (error,
++			     GDK_PIXBUF_ERROR,
++			     GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
++			     _("Invalid header in icon"));
++		return;
++	}
++
+  	if (State->HeaderSize>State->BytesInHeaderBuf) {
+ 	        guchar *tmp=g_try_realloc(State->HeaderBuf,State->HeaderSize);
+ 		if (!tmp) {
+===================================================================
+RCS file: /cvs/gnome/gtk+/gdk-pixbuf/io-xpm.c,v
+retrieving revision 1.42
+retrieving revision 1.42.2.1
+diff -u -r1.42 -r1.42.2.1
+--- gdk-pixbuf/io-xpm.c	2003/03/08 20:48:58	1.42
++++ gdk-pixbuf/io-xpm.c	2004/09/15 14:32:13	1.42.2.1
+@@ -1079,7 +1079,7 @@
+ 	gint key = 0;
+ 	gint current_key = 1;
+ 	gint space = 128;
+-	gchar word[128], color[128], current_color[128];
++	gchar word[129], color[129], current_color[129];
+ 	gchar *r; 
+ 	
+ 	word[0] = '\0';
+@@ -1121,8 +1121,8 @@
+ 				return NULL;
+ 			/* accumulate color name */
+ 			if (color[0] != '\0') {
+-				strcat (color, " ");
+-				space--;
++				strncat (color, " ", space);
++				space -= MIN (space, 1);
+ 			}
+ 			strncat (color, word, space);
+ 			space -= MIN (space, strlen (word));
+@@ -1246,27 +1246,43 @@
+ 		return NULL;
+ 
+ 	}
+-	if (n_col <= 0) {
++	if (cpp <= 0 || cpp >= 32) {
+                 g_set_error (error,
+                              GDK_PIXBUF_ERROR,
+                              GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+-                             _("XPM file has invalid number of colors"));
++                             _("XPM has invalid number of chars per pixel"));
+ 		return NULL;
+-
+ 	}
+-	if (cpp <= 0 || cpp >= 32) {
++	if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1)) {
+                 g_set_error (error,
+                              GDK_PIXBUF_ERROR,
+                              GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+-                             _("XPM has invalid number of chars per pixel"));
++                             _("XPM file has invalid number of colors"));
+ 		return NULL;
+ 	}
+ 
+ 	/* The hash is used for fast lookups of color from chars */
+ 	color_hash = g_hash_table_new (g_str_hash, g_str_equal);
+ 
+-	name_buf = g_new (gchar, n_col * (cpp + 1));
+-	colors = g_new (XPMColor, n_col);
++	name_buf = g_try_malloc (n_col * (cpp + 1));
++	if (!name_buf) {
++		g_set_error (error,
++			     GDK_PIXBUF_ERROR,
++                             GDK_PIXBUF_ERROR_INSUFFICIENT_MEMORY,
++                             _("Cannot allocate memory for loading XPM image"));
++		g_hash_table_destroy (color_hash);
++		return NULL;
++	}
++	colors = (XPMColor *) g_try_malloc (sizeof (XPMColor) * n_col);
++	if (!colors) {
++		g_set_error (error,
++			     GDK_PIXBUF_ERROR,
++                             GDK_PIXBUF_ERROR_INSUFFICIENT_MEMORY,
++                             _("Cannot allocate memory for loading XPM image"));
++		g_hash_table_destroy (color_hash);
++		g_free (name_buf);
++		return NULL;
++	}
+ 
+ 	for (cnt = 0; cnt < n_col; cnt++) {
+ 		gchar *color_name;