From: Mark Felder
Date: Thu, 23 Jul 2015 15:05:52 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject: svn commit: r392723 - in branches/2015Q3/graphics/gdk-pixbuf2: . files

Author: feld
Date: Thu Jul 23 15:05:51 2015
New Revision: 392723
URL: https://svnweb.freebsd.org/changeset/ports/392723

Log:
  MFH: r392677

  Fix heap overflow vulnerability.
  Be more careful about integer overflow.
  While here: fix possible divide-by-zero.

  Notified by: feld@
  Approved by: ports-secteam (with hat)

Added:
  branches/2015Q3/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_gdk-pixbuf-loader.c
     - copied unchanged from r392677, head/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_gdk-pixbuf-loader.c
  branches/2015Q3/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_pixops_pixops.c
     - copied unchanged from r392677, head/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_pixops_pixops.c
Modified:
  branches/2015Q3/graphics/gdk-pixbuf2/Makefile
Directory Properties:
  branches/2015Q3/   (props changed)

Modified: branches/2015Q3/graphics/gdk-pixbuf2/Makefile ============================================================================== --- branches/2015Q3/graphics/gdk-pixbuf2/Makefile Thu Jul 23 13:56:32 2015 (r392722) +++ branches/2015Q3/graphics/gdk-pixbuf2/Makefile Thu Jul 23 15:05:51 2015 (r392723) 
@@ -1,10 +1,9 @@ # Created by: Ade Lovett # $FreeBSD$ -# $MCom: ports/trunk/graphics/gdk-pixbuf2/Makefile 20031 2014-11-02 21:47:55Z kwm $ PORTNAME= gdk-pixbuf PORTVERSION= 2.31.2 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= graphics MASTER_SITES= GNOME PKGNAMESUFFIX= 2 Copied: branches/2015Q3/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_gdk-pixbuf-loader.c (from r392677, head/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_gdk-pixbuf-loader.c) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2015Q3/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_gdk-pixbuf-loader.c Thu Jul 23 15:05:51 2015 (r392723, copy of r392677, head/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_gdk-pixbuf-loader.c) @@ -0,0 +1,25 @@ +From 74c418ba2e41ab9e2287420378a6192788b1fab6 Mon Sep 17 00:00:00 2001 +From: Sarita Rawat +Date: Fri, 5 Jun 2015 06:56:00 +0000 +Subject: Avoid a possible divide-by-zero + +Pointed out in + +https://bugzilla.gnome.org/show_bug.cgi?id=750440 + +diff --git a/gdk-pixbuf/gdk-pixbuf-loader.c b/gdk-pixbuf/gdk-pixbuf-loader.c +index 65845ed..668b703 100644 +--- gdk-pixbuf/gdk-pixbuf-loader.c ++++ gdk-pixbuf/gdk-pixbuf-loader.c +@@ -330,7 +330,7 @@ gdk_pixbuf_loader_prepare (GdkPixbuf *pixbuf, + else + anim = gdk_pixbuf_non_anim_new (pixbuf); + +- if (priv->needs_scale) { ++ if (priv->needs_scale && width != 0 && height != 0) { + priv->animation = GDK_PIXBUF_ANIMATION (_gdk_pixbuf_scaled_anim_new (anim, + (double) priv->width / width, + (double) priv->height / height, +-- +cgit v0.10.2 + Copied: branches/2015Q3/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_pixops_pixops.c (from r392677, head/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_pixops_pixops.c) ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2015Q3/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_pixops_pixops.c Thu Jul 23 15:05:51 2015 (r392723, copy of r392677, head/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_pixops_pixops.c) 
@@ -0,0 +1,82 @@ +From ffec86ed5010c5a2be14f47b33bcf4ed3169a199 Mon Sep 17 00:00:00 2001 +From: Matthias Clasen +Date: Mon, 13 Jul 2015 00:33:40 -0400 +Subject: pixops: Be more careful about integer overflow + +Our loader code is supposed to handle out-of-memory and overflow +situations gracefully, reporting errors instead of aborting. But +if you load an image at a specific size, we also execute our +scaling code, which was not careful enough about overflow in some +places. + +This commit makes the scaling code silently return if it fails to +allocate filter tables. This is the best we can do, since +gdk_pixbuf_scale() is not taking a GError. + +https://bugzilla.gnome.org/show_bug.cgi?id=752297 + +diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c +index 29a1c14..ce51745 100644 +--- gdk-pixbuf/pixops/pixops.c ++++ gdk-pixbuf/pixops/pixops.c +@@ -1272,7 +1272,16 @@ make_filter_table (PixopsFilter *filter) + int i_offset, j_offset; + int n_x = filter->x.n; + int n_y = filter->y.n; +- int *weights = g_new (int, SUBSAMPLE * SUBSAMPLE * n_x * n_y); ++ gsize n_weights; ++ int *weights; ++ ++ n_weights = SUBSAMPLE * SUBSAMPLE * n_x * n_y; ++ if (n_weights / (SUBSAMPLE * SUBSAMPLE * n_x) != n_y) ++ return NULL; /* overflow, bail */ ++ ++ weights = g_try_new (int, n_weights); ++ if (!weights) ++ return NULL; /* overflow, bail */ + + for (i_offset=0; i_offset < SUBSAMPLE; i_offset++) + for (j_offset=0; j_offset < SUBSAMPLE; j_offset++) +@@ -1347,8 +1356,11 @@ pixops_process (guchar *dest_buf, + if (x_step == 0 || y_step == 0) + return; /* overflow, bail out */ + +- line_bufs = g_new (guchar *, filter->y.n); + filter_weights = make_filter_table (filter); ++ if (!filter_weights) ++ return; /* overflow, bail out */ ++ ++ line_bufs = g_new (guchar *, filter->y.n); + + check_shift = check_size ? 
get_check_shift (check_size) : 0; + +@@ -1468,7 +1480,7 @@ tile_make_weights (PixopsFilterDimension *dim, + double scale) + { + int n = ceil (1 / scale + 1); +- double *pixel_weights = g_new (double, SUBSAMPLE * n); ++ double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n); + int offset; + int i; + +@@ -1526,7 +1538,7 @@ bilinear_magnify_make_weights (PixopsFilterDimension *dim, + } + + dim->n = n; +- dim->weights = g_new (double, SUBSAMPLE * n); ++ dim->weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n); + + pixel_weights = dim->weights; + +@@ -1617,7 +1629,7 @@ bilinear_box_make_weights (PixopsFilterDimension *dim, + double scale) + { + int n = ceil (1/scale + 3.0); +- double *pixel_weights = g_new (double, SUBSAMPLE * n); ++ double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n); + double w; + int offset, i; + +-- +cgit v0.10.2 +
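
Review bot: In gdk_pixbuf_loader_prepare (gdk-pixbuf-loader.c, hunk at -330), the new `width != 0 && height != 0` guard skips scaling silently; the visible lines add no warning or error for a loader that asked for a size and got a zero-dimension pixbuf, so consider reporting that case or documenting when it can occur. Both divisions are performed on `(double)` operands, so what the guard prevents is an infinite or NaN scale factor reaching _gdk_pixbuf_scaled_anim_new rather than an integer trap; a one-line comment saying so would help the next reader.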
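
Review bot: In make_filter_table (pixops.c, hunk at -1272), the overflow check runs after the overflow it is meant to catch: n_x and n_y are declared int, so unless SUBSAMPLE has a wider type (not shown in these lines) `SUBSAMPLE * SUBSAMPLE * n_x * n_y` is evaluated in int and only then converted to gsize. Signed overflow there is undefined, and the divisor `SUBSAMPLE * SUBSAMPLE * n_x` can itself wrap or be zero. Suggest casting the first operand to gsize and checking each multiplication step before computing n_weights. The comment on the g_try_new failure path should also say allocation failure rather than overflow.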
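
Review bot: In pixops_process (pixops.c, hunk at -1347), line_bufs is still allocated with g_new, which aborts on allocation failure, while the commit message states the goal of reporting errors instead of aborting; `g_try_new (guchar *, filter->y.n)` with a NULL check that frees filter_weights would match the new make_filter_table handling. Moving the allocation below the filter_weights check is the right order, since it keeps line_bufs from leaking on the early return.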
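
Review bot: In tile_make_weights (pixops.c, hunk at -1468), g_malloc_n detects the multiplication overflow but aborts the process when it does, so this path still terminates rather than failing gracefully as the commit message intends; g_try_malloc_n with a NULL check would let the function bail out instead. The arguments are also in the reverse of the documented (n_blocks, n_block_bytes) order: `g_malloc_n (n, sizeof (double) * SUBSAMPLE)` behaves the same and reads as intended.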
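
Review bot: In bilinear_box_make_weights (pixops.c, hunk at -1617), `int n = ceil (1/scale + 3.0)` is not range-checked before it reaches g_malloc_n: for a small enough scale the double result does not fit in int and the conversion is undefined, and a negative n becomes a very large gsize. Suggest validating that scale is positive and that the ceil result is within a sane bound before converting; the same applies to `ceil (1 / scale + 1)` in tile_make_weights.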