Date: Wed, 22 Jul 2015 12:03:23 +0000 (UTC) From: Koop Mast <kwm@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r392677 - in head/graphics/gdk-pixbuf2: . files Message-ID: <201507221203.t6MC3NoS020177@repo.freebsd.org>
Author: kwm Date: Wed Jul 22 12:03:22 2015 New Revision: 392677 URL: https://svnweb.freebsd.org/changeset/ports/392677 Log: Fix heap overflow vulnability. Be more careful about integer overflow. While here: fix possible divide-by-zero. Notified by: feld@ MFH: 2015Q3 Added: head/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_gdk-pixbuf-loader.c (contents, props changed) head/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_pixops_pixops.c (contents, props changed) Modified: head/graphics/gdk-pixbuf2/Makefile Modified: head/graphics/gdk-pixbuf2/Makefile ============================================================================== --- head/graphics/gdk-pixbuf2/Makefile Wed Jul 22 12:01:46 2015 (r392676) +++ head/graphics/gdk-pixbuf2/Makefile Wed Jul 22 12:03:22 2015 (r392677) @@ -1,10 +1,9 @@ # Created by: Ade Lovett <ade@lovett.com> # $FreeBSD$ -# $MCom: ports/trunk/graphics/gdk-pixbuf2/Makefile 20031 2014-11-02 21:47:55Z kwm $ PORTNAME= gdk-pixbuf PORTVERSION= 2.31.2 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= graphics MASTER_SITES= GNOME PKGNAMESUFFIX= 2 Added: head/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_gdk-pixbuf-loader.c ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_gdk-pixbuf-loader.c Wed Jul 22 12:03:22 2015 (r392677) 
@@ -0,0 +1,25 @@
+From 74c418ba2e41ab9e2287420378a6192788b1fab6 Mon Sep 17 00:00:00 2001
+From: Sarita Rawat <sarita.rawat@samsung.com>
+Date: Fri, 5 Jun 2015 06:56:00 +0000
+Subject: Avoid a possible divide-by-zero
+
+Pointed out in
+
+https://bugzilla.gnome.org/show_bug.cgi?id=750440
+
+diff --git a/gdk-pixbuf/gdk-pixbuf-loader.c b/gdk-pixbuf/gdk-pixbuf-loader.c
+index 65845ed..668b703 100644
+--- gdk-pixbuf/gdk-pixbuf-loader.c
++++ gdk-pixbuf/gdk-pixbuf-loader.c
+@@ -330,7 +330,7 @@ gdk_pixbuf_loader_prepare (GdkPixbuf *pixbuf,
+ else
+ anim = gdk_pixbuf_non_anim_new (pixbuf);
+
+- if (priv->needs_scale) {
++ if (priv->needs_scale && width != 0 && height != 0) {
+ priv->animation = GDK_PIXBUF_ANIMATION (_gdk_pixbuf_scaled_anim_new (anim,
+ (double) priv->width / width,
+ (double) priv->height / height,
+--
+cgit v0.10.2
+
Added: head/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_pixops_pixops.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_pixops_pixops.c Wed Jul 22 12:03:22 2015 (r392677)
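Review bot: The new guard in gdk_pixbuf_loader_prepare (patch-gdk-pixbuf_gdk-pixbuf-loader.c) tests `width != 0 && height != 0`, which still lets a negative dimension through and does not say what happens to the requested size when the test fails. Both divisions are done in double, so the hazard is an infinite or NaN scale factor reaching `_gdk_pixbuf_scaled_anim_new` rather than a trap; `width > 0 && height > 0` would state the intent more directly. A comment above the `if`, for example `/* zero-sized pixbuf: skip scaling, the factor would be inf or NaN */`, would record why the scale request is dropped. The else branch and the rest of the function are outside the hunk, so the fallback behaviour cannot be confirmed from here.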
@@ -0,0 +1,82 @@
+From ffec86ed5010c5a2be14f47b33bcf4ed3169a199 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Mon, 13 Jul 2015 00:33:40 -0400
+Subject: pixops: Be more careful about integer overflow
+
+Our loader code is supposed to handle out-of-memory and overflow
+situations gracefully, reporting errors instead of aborting. But
+if you load an image at a specific size, we also execute our
+scaling code, which was not careful enough about overflow in some
+places.
+
+This commit makes the scaling code silently return if it fails to
+allocate filter tables. This is the best we can do, since
+gdk_pixbuf_scale() is not taking a GError.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=752297
+
+diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c
+index 29a1c14..ce51745 100644
+--- gdk-pixbuf/pixops/pixops.c
++++ gdk-pixbuf/pixops/pixops.c
+@@ -1272,7 +1272,16 @@ make_filter_table (PixopsFilter *filter)
+ int i_offset, j_offset;
+ int n_x = filter->x.n;
+ int n_y = filter->y.n;
+- int *weights = g_new (int, SUBSAMPLE * SUBSAMPLE * n_x * n_y);
++ gsize n_weights;
++ int *weights;
++
++ n_weights = SUBSAMPLE * SUBSAMPLE * n_x * n_y;
++ if (n_weights / (SUBSAMPLE * SUBSAMPLE * n_x) != n_y)
++ return NULL; /* overflow, bail */
++
++ weights = g_try_new (int, n_weights);
++ if (!weights)
++ return NULL; /* overflow, bail */
+
+ for (i_offset=0; i_offset < SUBSAMPLE; i_offset++)
+ for (j_offset=0; j_offset < SUBSAMPLE; j_offset++)
+@@ -1347,8 +1356,11 @@ pixops_process (guchar *dest_buf,
+ if (x_step == 0 || y_step == 0)
+ return; /* overflow, bail out */
+
+- line_bufs = g_new (guchar *, filter->y.n);
+ filter_weights = make_filter_table (filter);
++ if (!filter_weights)
++ return; /* overflow, bail out */
++
++ line_bufs = g_new (guchar *, filter->y.n);
+
+ check_shift = check_size ? get_check_shift (check_size) : 0;
+
+@@ -1468,7 +1480,7 @@ tile_make_weights (PixopsFilterDimension *dim,
+ double scale)
+ {
+ int n = ceil (1 / scale + 1);
+- double *pixel_weights = g_new (double, SUBSAMPLE * n);
++ double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
+ int offset;
+ int i;
+
+@@ -1526,7 +1538,7 @@ bilinear_magnify_make_weights (PixopsFilterDimension *dim,
+ }
+
+ dim->n = n;
+- dim->weights = g_new (double, SUBSAMPLE * n);
++ dim->weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
+
+ pixel_weights = dim->weights;
+
+@@ -1617,7 +1629,7 @@ bilinear_box_make_weights (PixopsFilterDimension *dim,
+ double scale)
+ {
+ int n = ceil (1/scale + 3.0);
+- double *pixel_weights = g_new (double, SUBSAMPLE * n);
++ double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
+ double w;
+ int offset, i;
+
+--
+cgit v0.10.2
+
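Review bot: In make_filter_table (patch-gdk-pixbuf_pixops_pixops.c) the product `SUBSAMPLE * SUBSAMPLE * n_x * n_y` is still evaluated in `int` before it is stored in the `gsize` n_weights, because n_x and n_y are declared `int` and SUBSAMPLE is presumably an int constant (its definition is not in the hunk), so the value can wrap before the division test sees it. The divisor `SUBSAMPLE * SUBSAMPLE * n_x` has the same problem and is zero when n_x is 0. Rejecting non-positive sizes and then multiplying in gsize one factor at a time against `G_MAXSIZE` covers both cases; the lines below replace only the added check, and the function body continues outside the hunk. Separately, the three `g_malloc_n (sizeof (double) * SUBSAMPLE, n)` sites catch the multiplication overflow by aborting rather than returning, and a negative `n` from `ceil()` would convert to a very large count, which deserves a comment at each site.

```c
  int n_y = filter->y.n;
  gsize n_weights;
  int *weights;

  /* Reject non-positive sizes, then multiply in gsize one factor at a time. */
  if (n_x <= 0 || n_y <= 0)
    return NULL;
  n_weights = (gsize) SUBSAMPLE * SUBSAMPLE;
  if (n_weights > G_MAXSIZE / (gsize) n_x)
    return NULL; /* overflow, bail */
  n_weights *= (gsize) n_x;
  if (n_weights > G_MAXSIZE / (gsize) n_y)
    return NULL; /* overflow, bail */
  n_weights *= (gsize) n_y;

  /* … unchanged: g_try_new allocation and the weight loops … */
```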