Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 21 Jan 2005 09:34:51 -0600
From:      "Jacques A. Vidrine" <nectar@FreeBSD.org>
To:        gnome@FreeBSD.org
Subject:   imlib vulnerability
Message-ID:  <20050121153450.GA60840@hellblazer.celabo.org>

next in thread | raw e-mail | index | archive | help

--ZPt4rx8FFjLCG7dd
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Hi Guys,

Heads-up, I'm about to commit the attached, obtained from Pavel
Kankovsky and also found in many Linux packages of imlib.  I will bump
PORTREVISION.  See
http://www.vuxml.org/freebsd/2001103a-6bbd-11d9-851d-000a95bc6fae.html .

I consider this an `emergency commit' because the bug was missed earlier
and has been public since December.  Of course please make any follow-up
commits that you feel are necessary.

Cheers,
-- 
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org


--ZPt4rx8FFjLCG7dd
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=patch-security-1

diff -urN imlib-1.9.13.orig/Imlib/load.c imlib-1.9.13/Imlib/load.c
--- imlib-1.9.13.orig/Imlib/load.c	Wed Mar 13 19:06:29 2002
+++ Imlib/load.c	Thu Sep 16 17:21:01 2004
@@ -4,6 +4,8 @@
 #include "Imlib_private.h"
 #include <setjmp.h>
 
+#define G_MAXINT ((int) 0x7fffffff)
+
 /*      Split the ID - damages input    */
 
 static char        *
@@ -41,13 +43,17 @@
 
 /*
  *     Make sure we don't wrap on our memory allocations
+ *     we check G_MAXINT/4 because rend.c malloc's w * h * bpp
+ *     + 3 is safety margin
  */
 
 void * _imlib_malloc_image(unsigned int w, unsigned int h)
 {
-       if( w > 32767 || h > 32767)
-               return NULL;
-       return malloc(w * h * 3);
+       if (w <= 0 || w > 32767 ||
+           h <= 0 || h > 32767 ||
+           h >= (G_MAXINT/4 - 1) / w)
+                return NULL;
+       return malloc(w * h * 3 + 3);
 }
 
 #ifdef HAVE_LIBJPEG
@@ -360,7 +366,9 @@
   npix = ww * hh;
   *w = (int)ww;
   *h = (int)hh;
-  if(ww > 32767 || hh > 32767)
+  if (ww <= 0 || ww > 32767 ||
+      hh <= 0 || hh > 32767 ||
+      hh >= (G_MAXINT/sizeof(uint32)) / ww)
     {
        TIFFClose(tif);
        return NULL;
@@ -463,7 +471,7 @@
 	    }
 	  *w = gif->Image.Width;
 	  *h = gif->Image.Height;
-	  if (*h > 32767 || *w > 32767)
+	  if (*h <= 0 || *h > 32767 || *w <= 0 || *w > 32767)
 	    {
 	       return NULL;
 	    }
@@ -965,7 +973,12 @@
   comment = 0;
   quote = 0;
   context = 0;
+  memset(lookup, 0, sizeof(lookup));
+
   line = malloc(lsz);
+  if (!line)
+    return NULL;
+
   while (!done)
     {
       pc = c;
@@ -994,25 +1007,25 @@
 		{
 		  /* Header */
 		  sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp);
-                  if (ncolors > 32766)
+                  if (ncolors <= 0 || ncolors > 32766)
 		    {
 		      fprintf(stderr, "IMLIB ERROR: XPM files wth colors > 32766 not supported\n");
 		      free(line);
 		      return NULL;
 		    }
-		  if (cpp > 5)
+		  if (cpp <= 0 || cpp > 5)
 		    {
 		      fprintf(stderr, "IMLIB ERROR: XPM files with characters per pixel > 5 not supported\n");
 		      free(line);
 		      return NULL;
 		    }
-		  if (*w > 32767)
+		  if (*w <= 0 || *w > 32767)
 		    {
 		      fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n");
 		      free(line);
 		      return NULL;
 		    }
-		  if (*h > 32767)
+		  if (*h <= 0 || *h > 32767)
 		    {
 		      fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n");
 		      free(line);
@@ -1045,11 +1058,13 @@
 		    {
 		      int                 slen;
 		      int                 hascolor, iscolor;
+		      int                 space;
 
 		      iscolor = 0;
 		      hascolor = 0;
 		      tok[0] = 0;
 		      col[0] = 0;
+		      space = sizeof(col) - 1;
 		      s[0] = 0;
 		      len = strlen(line);
 		      strncpy(cmap[j].str, line, cpp);
@@ -1072,10 +1087,10 @@
 				{
 				  if (k >= len)
 				    {
-				      if (col[0])
-					strcat(col, " ");
-                                      if (strlen(col) + strlen(s) < sizeof(col))
-					strcat(col, s);
+				      if (col[0] && space > 0)
+					strcat(col, " "), space -= 1;
+                                      if (slen <= space)
+					strcat(col, s), space -= slen;
 				    }
 				  if (col[0])
 				    {
@@ -1105,14 +1120,17 @@
 					    }
 					}
 				    }
-				  strcpy(tok, s);
+				  if (slen < sizeof(tok));
+				    strcpy(tok, s);
 				  col[0] = 0;
+				  space = sizeof(col) - 1;
 				}
 			      else
 				{
-				  if (col[0])
-				    strcat(col, " ");
-				  strcat(col, s);
+				  if (col[0] && space > 0)
+				    strcat(col, " "), space -=1;
+				  if (slen <= space)
+				    strcat(col, s), space -= slen;
 				}
 			    }
 			}
@@ -1341,12 +1359,12 @@
 	  sscanf(s, "%i %i", w, h);
 	  a = *w;
 	  b = *h;
-	  if (a > 32767)
+	  if (a <= 0 || a > 32767)
 	    {
 	      fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n");
 	      return NULL;
 	    }
-	  if (b > 32767)
+	  if (b <= 0 || b > 32767)
 	    {
 	      fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n");
 	      return NULL;
diff -urN imlib-1.9.13.orig/Imlib/utils.c imlib-1.9.13/Imlib/utils.c
--- imlib-1.9.13.orig/Imlib/utils.c	Mon Mar  4 17:45:28 2002
+++ Imlib/utils.c	Thu Sep 16 17:21:15 2004
@@ -1496,36 +1496,56 @@
   context = 0;
   ptr = NULL;
   end = NULL;
+  memset(lookup, 0, sizeof(lookup));
 
   while (!done)
     {
       line = data[count++];
+      if (!line)
+	break;
+      line = strdup(line);
+      if (!line)
+	break;
+      len = strlen(line);
+      for (i = 0; i < len; ++i)
+	{
+	  c = line[i];
+	  if (c < 32)
+	    line[i] = 32;
+	  else if (c > 127)
+	    line[i] = 127;
+	}
+
       if (context == 0)
 	{
 	  /* Header */
 	  sscanf(line, "%i %i %i %i", &w, &h, &ncolors, &cpp);
-	  if (ncolors > 32766)
+	  if (ncolors <= 0 || ncolors > 32766)
 	    {
 	      fprintf(stderr, "IMLIB ERROR: XPM data wth colors > 32766 not supported\n");
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
-	  if (cpp > 5)
+	  if (cpp <= 0 || cpp > 5)
 	    {
 	      fprintf(stderr, "IMLIB ERROR: XPM data with characters per pixel > 5 not supported\n");
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
-	  if (w > 32767)
+	  if (w <= 0 || w > 32767)
 	    {
 	      fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for data\n");
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
-	  if (h > 32767)
+	  if (h <= 0 || h > 32767)
 	    {
 	      fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for data\n");
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
 	  cmap = malloc(sizeof(struct _cmap) * ncolors);
@@ -1533,6 +1553,7 @@
 	  if (!cmap)
 	    {
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
 	  im->rgb_width = w;
@@ -1542,6 +1563,7 @@
 	    {
 	      free(cmap);
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
 	  im->alpha_data = NULL;
@@ -1817,6 +1839,7 @@
 	}
       if ((ptr) && ((ptr - im->rgb_data) >= w * h * 3))
 	done = 1;
+      free(line);
     }
   if (!transp)
     {
diff -urN imlib-1.9.13.orig/gdk_imlib/io-gif.c imlib-1.9.13/gdk_imlib/io-gif.c
--- imlib-1.9.13.orig/gdk_imlib/io-gif.c	Mon Mar  4 17:26:51 2002
+++ gdk_imlib/io-gif.c	Thu Sep 16 16:11:31 2004
@@ -55,7 +55,7 @@
 	    }
 	  *w = gif->Image.Width;
 	  *h = gif->Image.Height;
-	  if(*h > 32767 || *w > 32767)
+	  if(*h <= 0 || *h > 32767 || *w <= 0 || *w > 32767)
 	    {
 	      return NULL;
 	    }
diff -urN imlib-1.9.13.orig/gdk_imlib/io-ppm.c imlib-1.9.13/gdk_imlib/io-ppm.c
--- imlib-1.9.13.orig/gdk_imlib/io-ppm.c	Mon Mar  4 17:26:51 2002
+++ gdk_imlib/io-ppm.c	Thu Sep 16 16:13:13 2004
@@ -53,12 +53,12 @@
 	  sscanf(s, "%i %i", w, h);
 	  a = *w;
 	  b = *h;
-	  if (a > 32767)
+	  if (a <= 0 || a > 32767)
 	    {
 	      fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for file\n");
 	      return NULL;
 	    }
-	  if (b > 32767)
+	  if (b <= 0 || b > 32767)
 	    {
 	      fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for file\n");
 	      return NULL;
diff -urN imlib-1.9.13.orig/gdk_imlib/io-tiff.c imlib-1.9.13/gdk_imlib/io-tiff.c
--- imlib-1.9.13.orig/gdk_imlib/io-tiff.c	Mon Mar  4 17:26:51 2002
+++ gdk_imlib/io-tiff.c	Thu Sep 16 16:13:57 2004
@@ -36,7 +36,9 @@
   npix = ww * hh;
   *w = (int)ww;
   *h = (int)hh;
-  if(ww > 32767 || hh > 32767)
+  if (ww <= 0 || ww > 32767 ||
+      hh <= 0 || hh > 32767 ||
+      hh >= (G_MAXINT/sizeof(uint32)) / ww)
     {
       TIFFClose(tif);
       return NULL;
diff -urN imlib-1.9.13.orig/gdk_imlib/io-xpm.c imlib-1.9.13/gdk_imlib/io-xpm.c
--- imlib-1.9.13.orig/gdk_imlib/io-xpm.c	Mon Mar  4 17:26:51 2002
+++ gdk_imlib/io-xpm.c	Thu Sep 16 17:08:24 2004
@@ -40,8 +40,12 @@
   context = 0;
   i = j = 0;
   cmap = NULL;
+  memset(lookup, 0, sizeof(lookup));
 
   line = malloc(lsz);
+  if (!line)
+    return NULL;
+
   while (!done)
     {
       pc = c;
@@ -70,25 +74,25 @@
 		{
 		  /* Header */
 		  sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp);
-		  if (ncolors > 32766)
+		  if (ncolors <= 0 || ncolors > 32766)
 		    {
 		      fprintf(stderr, "gdk_imlib ERROR: XPM files wth colors > 32766 not supported\n");
 		      free(line);
 		      return NULL;
 		    }
-		  if (cpp > 5)
+		  if (cpp <= 0 || cpp > 5)
 		    {
 		      fprintf(stderr, "gdk_imlib ERROR: XPM files with characters per pixel > 5 not supported\n");
 		      free(line);
 		      return NULL;
 		    }
-		  if (*w > 32767)
+		  if (*w <= 0 || *w > 32767)
 		    {
 		      fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for file\n");
 		      free(line);
 		      return NULL;
 		    }
-		  if (*h > 32767)
+		  if (*h <= 0 || *h > 32767)
 		    {
 		      fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for file\n");
 		      free(line);
@@ -120,11 +124,13 @@
 		    {
 		      int                 slen;
 		      int                 hascolor, iscolor;
+		      int                 space;
 
 		      hascolor = 0;
 		      iscolor = 0;
 		      tok[0] = 0;
 		      col[0] = 0;
+		      space = sizeof(col) - 1;
 		      s[0] = 0;
 		      len = strlen(line);
 		      strncpy(cmap[j].str, line, cpp);
@@ -147,10 +153,10 @@
 				{
 				  if (k >= len)
 				    {
-				      if (col[0])
-					strcat(col, " ");
-				      if (strlen(col) + strlen(s) < sizeof(col))
-					strcat(col, s);
+				      if (col[0] && space > 0)
+					strncat(col, " ", space), space -= 1;
+				      if (slen <= space)
+					strcat(col, s), space -= slen;
 				    }
 				  if (col[0])
 				    {
@@ -180,14 +186,17 @@
 					    }
 					}
 				    }
-				  strcpy(tok, s);
+				  if (slen < sizeof(tok))
+				    strcpy(tok, s);
 				  col[0] = 0;
+				  space = sizeof(col) - 1;
 				}
 			      else
 				{
-				  if (col[0])
-				    strcat(col, " ");
-				  strcat(col, s);
+				  if (col[0] && space > 0)
+				    strcat(col, " "), space -= 1;
+				  if (slen <= space)
+				    strcat(col, s), space -= slen;
 				}
 			    }
 			}
diff -urN imlib-1.9.13.orig/gdk_imlib/misc.c imlib-1.9.13/gdk_imlib/misc.c
--- imlib-1.9.13.orig/gdk_imlib/misc.c	Mon Mar  4 17:26:51 2002
+++ gdk_imlib/misc.c	Thu Sep 16 16:35:32 2004
@@ -1355,11 +1355,16 @@
 
 /*
  *	Make sure we don't wrap on our memory allocations
+ *	we check G_MAX_INT/4 because rend.c malloc's w * h * bpp
+ *	+ 3 is safety margin
  */
 
 void *_gdk_malloc_image(unsigned int w, unsigned int h)
 {
-	if( w > 32767 || h > 32767)
+	if (w <= 0 || w > 32767 ||
+	    h <= 0 || h > 32767 ||
+	    h >= (G_MAXINT/4 - 1) / w)
 		return NULL;
-	return malloc(w * h * 3);
+	return malloc(w * h * 3 + 3);
 }
+
diff -urN imlib-1.9.13.orig/gdk_imlib/utils.c imlib-1.9.13/gdk_imlib/utils.c
--- imlib-1.9.13.orig/gdk_imlib/utils.c	Mon Mar  4 17:26:51 2002
+++ gdk_imlib/utils.c	Thu Sep 16 17:28:35 2004
@@ -1236,36 +1236,56 @@
   context = 0;
   ptr = NULL;
   end = NULL;
+  memset(lookup, 0, sizeof(lookup));
 
   while (!done)
     {
       line = data[count++];
+      if (!line)
+	break;
+      line = strdup(line);
+      if (!line)
+	break;
+      len = strlen(line);
+      for (i = 0; i < len; ++i)
+        {
+	  c = line[i];
+	  if (c < 32)
+	    line[i] = 32;
+	  else if (c > 127)
+	    line[i] = 127;
+	}
+
       if (context == 0)
 	{
 	  /* Header */
 	  sscanf(line, "%i %i %i %i", &w, &h, &ncolors, &cpp);
-	  if (ncolors > 32766)
+	  if (ncolors <= 0 || ncolors > 32766)
 	    {
 	      fprintf(stderr, "gdk_imlib ERROR: XPM data wth colors > 32766 not supported\n");
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
-	  if (cpp > 5)
+	  if (cpp <= 0 || cpp > 5)
 	    {
 	      fprintf(stderr, "gdk_imlib ERROR: XPM data with characters per pixel > 5 not supported\n");
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
-	  if (w > 32767)
+	  if (w <= 0 || w > 32767)
 	    {
 	      fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for data\n");
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
-	  if (h > 32767)
+	  if (h <= 0 || h > 32767)
 	    {
 	      fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for data\n");
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
 	  cmap = malloc(sizeof(struct _cmap) * ncolors);
@@ -1273,6 +1293,7 @@
 	  if (!cmap)
 	    {
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
 	  im->rgb_width = w;
@@ -1282,6 +1303,7 @@
 	    {
 	      free(cmap);
 	      free(im);
+	      free(line);
 	      return NULL;
 	    }
 	  im->alpha_data = NULL;
@@ -1355,7 +1377,7 @@
 				  strcpy(col + colptr, " ");
 				  colptr++;
 				}
-			      if (colptr + ls <= sizeof(col))
+			      if (colptr + ls < sizeof(col))
 				{
 				  strcpy(col + colptr, s);
 				  colptr += ls;
@@ -1558,6 +1580,7 @@
 	}
       if ((ptr) && ((ptr - im->rgb_data) >= w * h * 3))
 	done = 1;
+      free(line);
     }
   if (!transp)
     {

--ZPt4rx8FFjLCG7dd--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050121153450.GA60840>