Date: Wed, 2 Apr 2008 08:00:08 GMT From: Marcus von Appen <mva@sysfault.org> To: freebsd-ports-bugs@FreeBSD.org Subject: Re: ports/122366: vulnerability on graphics/sdl_image Message-ID: <200804020800.m32808da027601@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR ports/122366; it has been noted by GNATS. From: Marcus von Appen <mva@sysfault.org> To: bug-followup@FreeBSD.org Cc: turutani@scphys.kyoto-u.ac.jp Subject: Re: ports/122366: vulnerability on graphics/sdl_image Date: Wed, 2 Apr 2008 09:40:55 +0200 --ADZbWkCsHQ7r3kzd Content-Type: multipart/mixed; boundary="Kj7319i9nmIyA2yE" Content-Disposition: inline --Kj7319i9nmIyA2yE Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Thanks for the report. A fix for both, the GIF and LBM buffer overflows, is attached. --Kj7319i9nmIyA2yE Content-Type: text/x-diff; charset=us-ascii Content-Disposition: attachment; filename="sdl_image.diff" Content-Transfer-Encoding: quoted-printable diff -Nur sdl_image/Makefile sdl_image.new/Makefile --- sdl_image/Makefile 2008-03-13 15:05:28.000000000 +0100 +++ sdl_image.new/Makefile 2008-04-02 09:33:06.000000000 +0200 @@ -7,6 +7,7 @@ =20 PORTNAME=3D sdl_image PORTVERSION=3D 1.2.6 +PORTREVISION=3D 1 CATEGORIES=3D graphics MASTER_SITES=3D http://www.libsdl.org/projects/SDL_image/release/ DISTNAME=3D SDL_image-${PORTVERSION} diff -Nur sdl_image/files/patch-IMG_gif.c sdl_image.new/files/patch-IMG_gif= =2Ec --- sdl_image/files/patch-IMG_gif.c 1970-01-01 01:00:00.000000000 +0100 +++ sdl_image.new/files/patch-IMG_gif.c 2008-04-02 09:33:35.000000000 +0200 @@ -0,0 +1,13 @@ +--- IMG_gif.c 2007/02/13 10:09:17 2970 ++++ IMG_gif.c 2007/12/28 16:43:56 3462 +@@ -418,6 +418,10 @@ + static int stack[(1 << (MAX_LWZ_BITS)) * 2], *sp; + register int i; +=20 ++ /* Fixed buffer overflow found by Michael Skladnikiewicz */ ++ if (input_code_size > MAX_LWZ_BITS) ++ return -1; ++ + if (flag) { + set_code_size =3D input_code_size; + code_size =3D set_code_size + 1; diff -Nur sdl_image/files/patch-IMG_lbm.c sdl_image.new/files/patch-IMG_lbm= =2Ec --- sdl_image/files/patch-IMG_lbm.c 1970-01-01 01:00:00.000000000 +0100 +++ sdl_image.new/files/patch-IMG_lbm.c 2008-04-02 09:33:25.000000000 +0200 @@ -0,0 +1,28 @@ +--- IMG_lbm.c 2007/07/20 04:37:11 3341 ++++ IMG_lbm.c 2008/01/03 20:05:34 3521 +@@ -28,6 +28,7 @@ + EHB and HAM (specific Amiga graphic chip modes) support added by Marc = Le Douarain + (http://www.multimania.com/mavati) in December 2003. + Stencil and colorkey fixes by David Raulo (david.raulo AT free DOT fr)= in February 2004. ++ Buffer overflow fix in RLE decompression by David Raulo in January 200= 8. + */ +=20 + #include <stdio.h> +@@ -328,7 +329,7 @@ + count ^=3D 0xFF; + count +=3D 2; /* now it */ +=20 +- if ( !SDL_RWread( src, &color, 1, 1 ) ) ++ if ( ( count > remainingbytes ) || !SDL_RWread( src, &color, 1, 1 )= ) + { + error=3D"error reading BODY chunk"; + goto done; +@@ -339,7 +340,7 @@ + { + ++count; +=20 +- if ( !SDL_RWread( src, ptr, count, 1 ) ) ++ if ( ( count > remainingbytes ) || !SDL_RWread( src, ptr, count, 1 = ) ) + { + error=3D"error reading BODY chunk"; + goto done; --Kj7319i9nmIyA2yE-- --ADZbWkCsHQ7r3kzd Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (FreeBSD) iEYEARECAAYFAkfzOIcACgkQo/JpszXavhxOtACeNGKUEG6gE9q0+gV2NbPrSDmF r4cAoI0d+eSCU5Hy6XWN174v6UIw8NXl =KHDq -----END PGP SIGNATURE----- --ADZbWkCsHQ7r3kzd--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200804020800.m32808da027601>