From owner-freebsd-ports-bugs@FreeBSD.ORG Wed Apr 2 08:00:09 2008
Date: Wed, 2 Apr 2008 08:00:08 GMT
Message-Id: <200804020800.m32808da027601@freefall.freebsd.org>
To: freebsd-ports-bugs@FreeBSD.org
From: Marcus von Appen
Subject: Re: ports/122366: vulnerability on graphics/sdl_image
List-Id: Ports bug reports

The following reply was made to PR ports/122366; it has been noted by GNATS.
From: Marcus von Appen
To: bug-followup@FreeBSD.org
Cc: turutani@scphys.kyoto-u.ac.jp
Subject: Re: ports/122366: vulnerability on graphics/sdl_image
Date: Wed, 2 Apr 2008 09:40:55 +0200

Thanks for the report. A fix for both the GIF and LBM buffer overflows is attached.

Attachment: sdl_image.diff (text/x-diff, quoted-printable)

diff -Nur sdl_image/Makefile sdl_image.new/Makefile --- sdl_image/Makefile 2008-03-13 15:05:28.000000000 +0100 +++ sdl_image.new/Makefile 2008-04-02 09:33:06.000000000 +0200 @@ -7,6 +7,7 @@ =20 PORTNAME=3D sdl_image PORTVERSION=3D 1.2.6 +PORTREVISION=3D 1 CATEGORIES=3D graphics MASTER_SITES=3D http://www.libsdl.org/projects/SDL_image/release/ DISTNAME=3D SDL_image-${PORTVERSION} diff -Nur sdl_image/files/patch-IMG_gif.c sdl_image.new/files/patch-IMG_gif= =2Ec --- sdl_image/files/patch-IMG_gif.c 1970-01-01 01:00:00.000000000 +0100 +++ sdl_image.new/files/patch-IMG_gif.c 2008-04-02 09:33:35.000000000 +0200 @@ -0,0 +1,13 @@ +--- IMG_gif.c 2007/02/13 10:09:17 2970 ++++ IMG_gif.c 2007/12/28 16:43:56 3462 +@@ -418,6 +418,10 @@ + static int stack[(1 << (MAX_LWZ_BITS)) * 2], *sp; + register int i; +=20 ++ /* Fixed buffer overflow found by Michael Skladnikiewicz */ ++ if (input_code_size > MAX_LWZ_BITS) ++ return -1; ++ + if (flag) { + set_code_size =3D input_code_size; + code_size =3D set_code_size + 1; diff -Nur sdl_image/files/patch-IMG_lbm.c sdl_image.new/files/patch-IMG_lbm= =2Ec --- sdl_image/files/patch-IMG_lbm.c 1970-01-01 01:00:00.000000000 +0100 +++ sdl_image.new/files/patch-IMG_lbm.c 2008-04-02 09:33:25.000000000 +0200
@@ -0,0 +1,28 @@ +--- IMG_lbm.c 2007/07/20 04:37:11 3341 ++++ IMG_lbm.c 2008/01/03 20:05:34 3521 +@@ -28,6 +28,7 @@ + EHB and HAM (specific Amiga graphic chip modes) support added by Marc = Le Douarain + (http://www.multimania.com/mavati) in December 2003. + Stencil and colorkey fixes by David Raulo (david.raulo AT free DOT fr)= in February 2004. ++ Buffer overflow fix in RLE decompression by David Raulo in January 200= 8. + */ +=20 + #include +@@ -328,7 +329,7 @@ + count ^=3D 0xFF; + count +=3D 2; /* now it */ +=20 +- if ( !SDL_RWread( src, &color, 1, 1 ) ) ++ if ( ( count > remainingbytes ) || !SDL_RWread( src, &color, 1, 1 )= ) + { + error=3D"error reading BODY chunk"; + goto done; +@@ -339,7 +340,7 @@ + { + ++count; +=20 +- if ( !SDL_RWread( src, ptr, count, 1 ) ) ++ if ( ( count > remainingbytes ) || !SDL_RWread( src, ptr, count, 1 = ) ) + { + error=3D"error reading BODY chunk"; + goto done;
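Review bot: The Makefile hunk bumps PORTREVISION to 1, which is needed because both new files/patch-IMG_*.c files change the built library, but the diff touches only these three files and carries no security/vuxml entry; a security fix to a port normally lands together with a VuXML entry naming the affected version (here SDL_image 1.2.6 before the revision bump) for the GIF and LBM overflows, so that portaudit users on the old package are warned rather than silently left vulnerable.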
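Review bot: In the patch-IMG_gif.c hunk the new guard bounds input_code_size only from above (`if (input_code_size > MAX_LWZ_BITS) return -1;`); its type is not visible here and nothing rejects a zero or negative value, so that should be confirmed against the declaration, and every caller of this function should be checked to treat -1 as a decode failure rather than as a valid code. The credit comment also says nothing about what the bound protects; since `set_code_size = input_code_size` and `code_size = set_code_size + 1` are what size the LZW state next to `stack[(1 << (MAX_LWZ_BITS)) * 2]`, a one-line comment that the check keeps code_size within the MAX_LWZ_BITS-sized arrays would tell the next reader why the value is rejected.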