Date:      Wed, 22 Jul 2015 12:03:23 +0000 (UTC)
From:      Koop Mast <kwm@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r392677 - in head/graphics/gdk-pixbuf2: . files
Message-ID:  <201507221203.t6MC3NoS020177@repo.freebsd.org>

Author: kwm
Date: Wed Jul 22 12:03:22 2015
New Revision: 392677
URL: https://svnweb.freebsd.org/changeset/ports/392677

Log:
  Fix heap overflow vulnerability.
  Be more careful about integer overflow.
  
  While here: fix possible divide-by-zero.
  
  Notified by:	feld@
  MFH:		2015Q3

Added:
  head/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_gdk-pixbuf-loader.c   (contents, props changed)
  head/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_pixops_pixops.c   (contents, props changed)
Modified:
  head/graphics/gdk-pixbuf2/Makefile

Modified: head/graphics/gdk-pixbuf2/Makefile
==============================================================================
--- head/graphics/gdk-pixbuf2/Makefile	Wed Jul 22 12:01:46 2015	(r392676)
+++ head/graphics/gdk-pixbuf2/Makefile	Wed Jul 22 12:03:22 2015	(r392677)
@@ -1,10 +1,9 @@
 # Created by: Ade Lovett <ade@lovett.com>
 # $FreeBSD$
-#    $MCom: ports/trunk/graphics/gdk-pixbuf2/Makefile 20031 2014-11-02 21:47:55Z kwm $
 
 PORTNAME=	gdk-pixbuf
 PORTVERSION=	2.31.2
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	graphics
 MASTER_SITES=	GNOME
 PKGNAMESUFFIX=	2

Added: head/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_gdk-pixbuf-loader.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_gdk-pixbuf-loader.c	Wed Jul 22 12:03:22 2015	(r392677)
@@ -0,0 +1,25 @@
+From 74c418ba2e41ab9e2287420378a6192788b1fab6 Mon Sep 17 00:00:00 2001
+From: Sarita Rawat <sarita.rawat@samsung.com>
+Date: Fri, 5 Jun 2015 06:56:00 +0000
+Subject: Avoid a possible divide-by-zero
+
+Pointed out in
+
+https://bugzilla.gnome.org/show_bug.cgi?id=750440
+
+diff --git a/gdk-pixbuf/gdk-pixbuf-loader.c b/gdk-pixbuf/gdk-pixbuf-loader.c
+index 65845ed..668b703 100644
+--- gdk-pixbuf/gdk-pixbuf-loader.c
++++ gdk-pixbuf/gdk-pixbuf-loader.c
+@@ -330,7 +330,7 @@ gdk_pixbuf_loader_prepare (GdkPixbuf          *pixbuf,
+         else
+                 anim = gdk_pixbuf_non_anim_new (pixbuf);
+   
+-	if (priv->needs_scale) {
++	if (priv->needs_scale && width != 0 && height != 0) {
+ 		priv->animation  = GDK_PIXBUF_ANIMATION (_gdk_pixbuf_scaled_anim_new (anim,
+                                          (double) priv->width / width,
+                                          (double) priv->height / height,
+-- 
+cgit v0.10.2
+
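Review bot: The added guard `width != 0 && height != 0` in gdk_pixbuf_loader_prepare excludes only zero, so a negative width or height would still reach `_gdk_pixbuf_scaled_anim_new` with negative scale factors; their declarations and origin are outside the hunk. Writing the condition as `if (priv->needs_scale && width > 0 && height > 0) {` covers both cases. Both divisions are performed on `double`, so on IEEE 754 platforms a zero divisor would presumably give an infinite scale factor rather than a trap. A short comment such as `/* a zero-sized source would give an infinite scale factor; keep the unscaled animation */` would record why the check exists. When the guard fails, `priv->needs_scale` stays set while scaling is skipped; the else branch and the rest of the function are outside the hunk, so confirm that nothing later relies on that flag.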

Added: head/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_pixops_pixops.c
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_pixops_pixops.c	Wed Jul 22 12:03:22 2015	(r392677)
@@ -0,0 +1,82 @@
+From ffec86ed5010c5a2be14f47b33bcf4ed3169a199 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Mon, 13 Jul 2015 00:33:40 -0400
+Subject: pixops: Be more careful about integer overflow
+
+Our loader code is supposed to handle out-of-memory and overflow
+situations gracefully, reporting errors instead of aborting. But
+if you load an image at a specific size, we also execute our
+scaling code, which was not careful enough about overflow in some
+places.
+
+This commit makes the scaling code silently return if it fails to
+allocate filter tables. This is the best we can do, since
+gdk_pixbuf_scale() is not taking a GError.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=752297
+
+diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c
+index 29a1c14..ce51745 100644
+--- gdk-pixbuf/pixops/pixops.c
++++ gdk-pixbuf/pixops/pixops.c
+@@ -1272,7 +1272,16 @@ make_filter_table (PixopsFilter *filter)
+   int i_offset, j_offset;
+   int n_x = filter->x.n;
+   int n_y = filter->y.n;
+-  int *weights = g_new (int, SUBSAMPLE * SUBSAMPLE * n_x * n_y);
++  gsize n_weights;
++  int *weights;
++
++  n_weights = SUBSAMPLE * SUBSAMPLE * n_x * n_y;
++  if (n_weights / (SUBSAMPLE * SUBSAMPLE * n_x) != n_y)
++    return NULL; /* overflow, bail */
++
++  weights = g_try_new (int, n_weights);
++  if (!weights)
++    return NULL; /* overflow, bail */
+ 
+   for (i_offset=0; i_offset < SUBSAMPLE; i_offset++)
+     for (j_offset=0; j_offset < SUBSAMPLE; j_offset++)
+@@ -1347,8 +1356,11 @@ pixops_process (guchar         *dest_buf,
+   if (x_step == 0 || y_step == 0)
+     return; /* overflow, bail out */
+ 
+-  line_bufs = g_new (guchar *, filter->y.n);
+   filter_weights = make_filter_table (filter);
++  if (!filter_weights)
++    return; /* overflow, bail out */
++
++  line_bufs = g_new (guchar *, filter->y.n);
+ 
+   check_shift = check_size ? get_check_shift (check_size) : 0;
+ 
+@@ -1468,7 +1480,7 @@ tile_make_weights (PixopsFilterDimension *dim,
+ 		   double                 scale)
+ {
+   int n = ceil (1 / scale + 1);
+-  double *pixel_weights = g_new (double, SUBSAMPLE * n);
++  double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
+   int offset;
+   int i;
+ 
+@@ -1526,7 +1538,7 @@ bilinear_magnify_make_weights (PixopsFilterDimension *dim,
+     }
+ 
+   dim->n = n;
+-  dim->weights = g_new (double, SUBSAMPLE * n);
++  dim->weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
+ 
+   pixel_weights = dim->weights;
+ 
+@@ -1617,7 +1629,7 @@ bilinear_box_make_weights (PixopsFilterDimension *dim,
+ 			   double                 scale)
+ {
+   int n = ceil (1/scale + 3.0);
+-  double *pixel_weights = g_new (double, SUBSAMPLE * n);
++  double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
+   double w;
+   int offset, i;
+ 
+-- 
+cgit v0.10.2
+
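Review bot: In make_filter_table the product `SUBSAMPLE * SUBSAMPLE * n_x * n_y` is still evaluated before it is widened into `gsize n_weights`, so it can overflow before the division check runs. `n_x` and `n_y` are `int`, and if SUBSAMPLE is an int constant (its definition is not in the hunk) the whole expression is signed int arithmetic, where overflow is undefined behaviour; the divisor `SUBSAMPLE * SUBSAMPLE * n_x` can itself wrap or be zero. Rejecting non-positive `n_x`/`n_y` and checking each factor against `G_MAXSIZE` before multiplying avoids this, as sketched below; the function body continues outside the hunk. Separately, the three `g_malloc_n (sizeof (double) * SUBSAMPLE, n)` calls in tile_make_weights, bilinear_magnify_make_weights and bilinear_box_make_weights abort the process on overflow or allocation failure, which differs from the graceful return described in the patch log, and no range check on `n` is visible. The second `return NULL; /* overflow, bail */` follows a failed `g_try_new`, so `/* allocation failed, bail */` would be the accurate comment.

```c
  gsize n_weights;
  int *weights;

  /* Reject empty or negative dimensions, then multiply in gsize with a
   * bound check before each step so no intermediate product can wrap. */
  if (n_x <= 0 || n_y <= 0)
    return NULL;

  n_weights = (gsize) SUBSAMPLE * SUBSAMPLE;
  if ((gsize) n_x > G_MAXSIZE / n_weights)
    return NULL; /* overflow, bail */
  n_weights *= (gsize) n_x;
  if ((gsize) n_y > G_MAXSIZE / n_weights)
    return NULL; /* overflow, bail */
  n_weights *= (gsize) n_y;

  /* … unchanged: g_try_new allocation and the weight-filling loops … */
```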


