Date: Fri, 21 Jan 2005 09:34:51 -0600 From: "Jacques A. Vidrine" <nectar@FreeBSD.org> To: gnome@FreeBSD.org Subject: imlib vulnerability Message-ID: <20050121153450.GA60840@hellblazer.celabo.org>
--ZPt4rx8FFjLCG7dd
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Hi Guys,
Heads-up, I'm about to commit the attached, obtained from Pavel Kankovsky and also found in many Linux packages of imlib. I will bump PORTREVISION. See http://www.vuxml.org/freebsd/2001103a-6bbd-11d9-851d-000a95bc6fae.html . I consider this an `emergency commit' because the bug was missed earlier and has been public since December. Of course please make any follow-up commits that you feel are necessary.
Cheers,
--
Jacques Vidrine / nectar@celabo.org / jvidrine@verio.net / nectar@freebsd.org
--ZPt4rx8FFjLCG7dd
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename=patch-security-1
diff -urN imlib-1.9.13.orig/Imlib/load.c imlib-1.9.13/Imlib/load.c
--- imlib-1.9.13.orig/Imlib/load.c Wed Mar 13 19:06:29 2002
+++ Imlib/load.c Thu Sep 16 17:21:01 2004
@@ -4,6 +4,8 @@
 #include "Imlib_private.h"
 #include <setjmp.h>
+#define G_MAXINT ((int) 0x7fffffff)
+
 /* Split the ID - damages input */
 static char *
@@ -41,13 +43,17 @@
 /*
 * Make sure we don't wrap on our memory allocations
+ * we check G_MAXINT/4 because rend.c malloc's w * h * bpp
+ * + 3 is safety margin
 */
 void *
 _imlib_malloc_image(unsigned int w, unsigned int h)
 {
- if( w > 32767 || h > 32767)
- return NULL;
- return malloc(w * h * 3);
+ if (w <= 0 || w > 32767 ||
+ h <= 0 || h > 32767 ||
+ h >= (G_MAXINT/4 - 1) / w)
+ return NULL;
+ return malloc(w * h * 3 + 3);
 }
 #ifdef HAVE_LIBJPEG
@@ -360,7 +366,9 @@
 npix = ww * hh;
 *w = (int)ww;
 *h = (int)hh;
- if(ww > 32767 || hh > 32767)
+ if (ww <= 0 || ww > 32767 ||
+ hh <= 0 || hh > 32767 ||
+ hh >= (G_MAXINT/sizeof(uint32)) / ww)
 {
 TIFFClose(tif);
 return NULL;
@@ -463,7 +471,7 @@
 }
 *w = gif->Image.Width;
 *h = gif->Image.Height;
- if (*h > 32767 || *w > 32767)
+ if (*h <= 0 || *h > 32767 || *w <= 0 || *w > 32767)
 {
 return NULL;
 }
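Review bot: The new local `G_MAXINT` re-spells a constant the standard library already provides; `#include <limits.h>` and `INT_MAX` would express the same bound in the checks below without a second name for it. If the define is kept, guarding it with `#ifndef G_MAXINT` avoids a redefinition error should a glib header (which the gdk_imlib hunks appear to rely on for the same name) ever be included in this file.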
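Review bot: In `_imlib_malloc_image`, `w <= 0` and `h <= 0` are tested on `unsigned int` parameters, so each reduces to `== 0` while reading as if a negative value were possible; `if (w == 0 || w > 32767 || h == 0 || h > 32767 || h >= (G_MAXINT/4 - 1) / w)` says what is actually checked. The division by `w` is safe only because `||` evaluates the `w == 0` test first, which deserves a one-line comment such as `/* w == 0 is rejected above, so the division cannot trap */`. The new comment ties this bound to a `w * h * bpp` allocation in rend.c, but nothing in the code links the two, so a matching cross-reference at that allocation would keep them from drifting apart. The same construction appears in `_gdk_malloc_image` in gdk_imlib/misc.c.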
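Review bot: In the TIFF hunk, `npix = ww * hh;` on the first context line is still evaluated before the new size guard, so for rejected dimensions the product is computed (and may wrap) before the function returns; moving the three-line `if` above that assignment makes the guard protect every use of the product. If `ww` and `hh` are `uint32`, as the `sizeof(uint32)` divisor suggests, `ww <= 0` and `hh <= 0` are `== 0` tests and could be written that way. The identical hunk in gdk_imlib/io-tiff.c has the same ordering.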
@@ -965,7 +973,12 @@
 comment = 0;
 quote = 0;
 context = 0;
+ memset(lookup, 0, sizeof(lookup));
+ line = malloc(lsz);
+ if (!line)
+ return NULL;
+
 while (!done)
 {
 pc = c;
@@ -994,25 +1007,25 @@
 {
 /* Header */
 sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp);
- if (ncolors > 32766)
+ if (ncolors <= 0 || ncolors > 32766)
 {
 fprintf(stderr, "IMLIB ERROR: XPM files wth colors > 32766 not supported\n");
 free(line);
 return NULL;
 }
- if (cpp > 5)
+ if (cpp <= 0 || cpp > 5)
 {
 fprintf(stderr, "IMLIB ERROR: XPM files with characters per pixel > 5 not supported\n");
 free(line);
 return NULL;
 }
- if (*w > 32767)
+ if (*w <= 0 || *w > 32767)
 {
 fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n");
 free(line);
 return NULL;
 }
- if (*h > 32767)
+ if (*h <= 0 || *h > 32767)
 {
 fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n");
 free(line);
@@ -1045,11 +1058,13 @@
 {
 int slen;
 int hascolor, iscolor;
+ int space;
 iscolor = 0;
 hascolor = 0;
 tok[0] = 0;
 col[0] = 0;
+ space = sizeof(col) - 1;
 s[0] = 0;
 len = strlen(line);
 strncpy(cmap[j].str, line, cpp);
@@ -1072,10 +1087,10 @@
 {
 if (k >= len)
 {
- if (col[0])
- strcat(col, " ");
- if (strlen(col) + strlen(s) < sizeof(col))
- strcat(col, s);
+ if (col[0] && space > 0)
+ strcat(col, " "), space -= 1;
+ if (slen <= space)
+ strcat(col, s), space -= slen;
 }
 if (col[0])
 {
@@ -1105,14 +1120,17 @@
 }
 }
 }
- strcpy(tok, s);
+ if (slen < sizeof(tok));
+ strcpy(tok, s);
 col[0] = 0;
+ space = sizeof(col) - 1;
 }
 else
 {
- if (col[0])
- strcat(col, " ");
- strcat(col, s);
+ if (col[0] && space > 0)
+ strcat(col, " "), space -=1;
+ if (slen <= space)
+ strcat(col, s), space -= slen;
 }
 }
 }
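Review bot: The added `line = malloc(lsz);` may be a second allocation: the `free(line)` calls on the pre-existing error paths in the next hunk show `line` was already allocated before this patch, and no `-` line here removes that earlier allocation. If it is still present above this hunk (the function head is outside it), the new malloc leaks the first buffer and the old one should be dropped. The gdk_imlib/io-xpm.c counterpart keeps a single `line = malloc(lsz);` as context followed by the new NULL check, which looks like the intended shape.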
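Review bot: `strcat(col, " "), space -= 1;` hangs two statements on one `if` with the comma operator; a braced block is the conventional form and survives a later edit that adds a third statement. The same pattern is used four times here, in the hunk at @@ -1105 below, and in the gdk_imlib/io-xpm.c hunks at @@ -147 and @@ -180, where the first copy also uses `strncat(col, " ", space)` while every other copy uses `strcat` — equivalent under `space > 0`, but one form should be chosen.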
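Review bot: `if (slen < sizeof(tok));` in the hunk at @@ -1105 ends in a semicolon, so the `if` is an empty statement and `strcpy(tok, s);` still runs unconditionally — the bounds check this hunk means to add has no effect and an over-long token can still overrun `tok` exactly as before the patch. The gdk_imlib/io-xpm.c hunk at @@ -180 has the correct form, `if (slen < sizeof(tok))` followed by the indented `strcpy(tok, s);`, and this line should match it. Even once fixed, a skipped copy leaves `tok` holding the previous token's text, so the comparison code below (outside the hunk) may act on a stale key; clearing `tok[0] = 0;` in that branch, or rejecting the line, would be safer. `slen` is declared `int` in the earlier hunk and `sizeof(tok)` is `size_t`, so `-Wsign-compare` will flag the test; `(size_t)slen` is an honest cast provided `slen` is a non-negative length.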
@@ -1341,12 +1359,12 @@
 sscanf(s, "%i %i", w, h);
 a = *w;
 b = *h;
- if (a > 32767)
+ if (a <= 0 || a > 32767)
 {
 fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n");
 return NULL;
 }
- if (b > 32767)
+ if (b <= 0 || b > 32767)
 {
 fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n");
 return NULL;
diff -urN imlib-1.9.13.orig/Imlib/utils.c imlib-1.9.13/Imlib/utils.c
--- imlib-1.9.13.orig/Imlib/utils.c Mon Mar 4 17:45:28 2002
+++ Imlib/utils.c Thu Sep 16 17:21:15 2004
@@ -1496,36 +1496,56 @@
 context = 0;
 ptr = NULL;
 end = NULL;
+ memset(lookup, 0, sizeof(lookup));
 while (!done)
 {
 line = data[count++];
+ if (!line)
+ break;
+ line = strdup(line);
+ if (!line)
+ break;
+ len = strlen(line);
+ for (i = 0; i < len; ++i)
+ {
+ c = line[i];
+ if (c < 32)
+ line[i] = 32;
+ else if (c > 127)
+ line[i] = 127;
+ }
+
 if (context == 0)
 {
 /* Header */
 sscanf(line, "%i %i %i %i", &w, &h, &ncolors, &cpp);
- if (ncolors > 32766)
+ if (ncolors <= 0 || ncolors > 32766)
 {
 fprintf(stderr, "IMLIB ERROR: XPM data wth colors > 32766 not supported\n");
 free(im);
+ free(line);
 return NULL;
 }
- if (cpp > 5)
+ if (cpp <= 0 || cpp > 5)
 {
 fprintf(stderr, "IMLIB ERROR: XPM data with characters per pixel > 5 not supported\n");
 free(im);
+ free(line);
 return NULL;
 }
- if (w > 32767)
+ if (w <= 0 || w > 32767)
 {
 fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for data\n");
 free(im);
+ free(line);
 return NULL;
 }
- if (h > 32767)
+ if (h <= 0 || h > 32767)
 {
 fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for data\n");
 free(im);
+ free(line);
 return NULL;
 }
 cmap = malloc(sizeof(struct _cmap) * ncolors);
@@ -1533,6 +1553,7 @@
 if (!cmap)
 {
 free(im);
+ free(line);
 return NULL;
 }
 im->rgb_width = w;
@@ -1542,6 +1563,7 @@
 {
 free(cmap);
 free(im);
+ free(line);
 return NULL;
 }
 im->alpha_data = NULL;
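Review bot: In the new sanitising loop of the Imlib/utils.c hunk, `else if (c > 127)` can never be true if `c` or `line[i]` is a signed `char`: bytes 0x80..0xFF read as negative, take the `c < 32` branch and become spaces, so the result depends on the platform's `char` signedness; reading through `unsigned char` (e.g. `unsigned char c = (unsigned char)line[i];`) makes it deterministic — the declaration of `c` is outside the hunk, so confirm its type. The two `if (!line) break;` exits leave `done` unset, so control falls through to the post-loop code shown at @@ -1817 with a possibly incomplete image instead of reporting an error; if that is not intended, the caller should see a failure. Every exit between `strdup` and the `free(line)` added at the bottom of the loop body must release `line`, and the body lies mostly outside these hunks, so any `continue` or other `return` there is worth a check. All of this applies equally to the gdk_imlib/utils.c hunks at @@ -1236 and @@ -1558.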
@@ -1817,6 +1839,7 @@
 }
 if ((ptr) && ((ptr - im->rgb_data) >= w * h * 3))
 done = 1;
+ free(line);
 }
 if (!transp)
 {
diff -urN imlib-1.9.13.orig/gdk_imlib/io-gif.c imlib-1.9.13/gdk_imlib/io-gif.c
--- imlib-1.9.13.orig/gdk_imlib/io-gif.c Mon Mar 4 17:26:51 2002
+++ gdk_imlib/io-gif.c Thu Sep 16 16:11:31 2004
@@ -55,7 +55,7 @@
 }
 *w = gif->Image.Width;
 *h = gif->Image.Height;
- if(*h > 32767 || *w > 32767)
+ if(*h <= 0 || *h > 32767 || *w <= 0 || *w > 32767)
 {
 return NULL;
 }
diff -urN imlib-1.9.13.orig/gdk_imlib/io-ppm.c imlib-1.9.13/gdk_imlib/io-ppm.c
--- imlib-1.9.13.orig/gdk_imlib/io-ppm.c Mon Mar 4 17:26:51 2002
+++ gdk_imlib/io-ppm.c Thu Sep 16 16:13:13 2004
@@ -53,12 +53,12 @@
 sscanf(s, "%i %i", w, h);
 a = *w;
 b = *h;
- if (a > 32767)
+ if (a <= 0 || a > 32767)
 {
 fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for file\n");
 return NULL;
 }
- if (b > 32767)
+ if (b <= 0 || b > 32767)
 {
 fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for file\n");
 return NULL;
diff -urN imlib-1.9.13.orig/gdk_imlib/io-tiff.c imlib-1.9.13/gdk_imlib/io-tiff.c
--- imlib-1.9.13.orig/gdk_imlib/io-tiff.c Mon Mar 4 17:26:51 2002
+++ gdk_imlib/io-tiff.c Thu Sep 16 16:13:57 2004
@@ -36,7 +36,9 @@
 npix = ww * hh;
 *w = (int)ww;
 *h = (int)hh;
- if(ww > 32767 || hh > 32767)
+ if (ww <= 0 || ww > 32767 ||
+ hh <= 0 || hh > 32767 ||
+ hh >= (G_MAXINT/sizeof(uint32)) / ww)
 {
 TIFFClose(tif);
 return NULL;
diff -urN imlib-1.9.13.orig/gdk_imlib/io-xpm.c imlib-1.9.13/gdk_imlib/io-xpm.c
--- imlib-1.9.13.orig/gdk_imlib/io-xpm.c Mon Mar 4 17:26:51 2002
+++ gdk_imlib/io-xpm.c Thu Sep 16 17:08:24 2004
@@ -40,8 +40,12 @@
 context = 0;
 i = j = 0;
 cmap = NULL;
+ memset(lookup, 0, sizeof(lookup));
 line = malloc(lsz);
+ if (!line)
+ return NULL;
+
 while (!done)
 {
 pc = c;
@@ -70,25 +74,25 @@
 {
 /* Header */
 sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp);
- if (ncolors > 32766)
+ if (ncolors <= 0 || ncolors > 32766)
 {
 fprintf(stderr, "gdk_imlib ERROR: XPM files wth colors > 32766 not supported\n");
 free(line);
 return NULL;
 }
- if (cpp > 5)
+ if (cpp <= 0 || cpp > 5)
 {
 fprintf(stderr, "gdk_imlib ERROR: XPM files with characters per pixel > 5 not supported\n");
 free(line);
 return NULL;
 }
- if (*w > 32767)
+ if (*w <= 0 || *w > 32767)
 {
 fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for file\n");
 free(line);
 return NULL;
 }
- if (*h > 32767)
+ if (*h <= 0 || *h > 32767)
 {
 fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for file\n");
 free(line);
@@ -120,11 +124,13 @@
 {
 int slen;
 int hascolor, iscolor;
+ int space;
 hascolor = 0;
 iscolor = 0;
 tok[0] = 0;
 col[0] = 0;
+ space = sizeof(col) - 1;
 s[0] = 0;
 len = strlen(line);
 strncpy(cmap[j].str, line, cpp);
@@ -147,10 +153,10 @@
 {
 if (k >= len)
 {
- if (col[0])
- strcat(col, " ");
- if (strlen(col) + strlen(s) < sizeof(col))
- strcat(col, s);
+ if (col[0] && space > 0)
+ strncat(col, " ", space), space -= 1;
+ if (slen <= space)
+ strcat(col, s), space -= slen;
 }
 if (col[0])
 {
@@ -180,14 +186,17 @@
 }
 }
 }
- strcpy(tok, s);
+ if (slen < sizeof(tok))
+ strcpy(tok, s);
 col[0] = 0;
+ space = sizeof(col) - 1;
 }
 else
 {
- if (col[0])
- strcat(col, " ");
- strcat(col, s);
+ if (col[0] && space > 0)
+ strcat(col, " "), space -= 1;
+ if (slen <= space)
+ strcat(col, s), space -= slen;
 }
 }
 }
diff -urN imlib-1.9.13.orig/gdk_imlib/misc.c imlib-1.9.13/gdk_imlib/misc.c
--- imlib-1.9.13.orig/gdk_imlib/misc.c Mon Mar 4 17:26:51 2002
+++ gdk_imlib/misc.c Thu Sep 16 16:35:32 2004
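Review bot: In the hunk at @@ -180, `if (slen < sizeof(tok)) strcpy(tok, s);` silently skips an over-long token, so `tok` keeps whatever the previous token left in it and the comparison code further down (outside the hunk) may act on a stale key; clearing `tok[0] = 0;` in an `else` branch, or treating the line as malformed, would make the rejection explicit. `slen` is `int` and `sizeof(tok)` is `size_t`, so the comparison triggers `-Wsign-compare`; `(size_t)slen` is an honest cast provided `slen` is a non-negative length. The loop that sets `slen` begins outside this hunk.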
@@ -1355,11 +1355,16 @@
 /*
 * Make sure we don't wrap on our memory allocations
+ * we check G_MAX_INT/4 because rend.c malloc's w * h * bpp
+ * + 3 is safety margin
 */
 void *_gdk_malloc_image(unsigned int w, unsigned int h)
 {
- if( w > 32767 || h > 32767)
+ if (w <= 0 || w > 32767 ||
+ h <= 0 || h > 32767 ||
+ h >= (G_MAXINT/4 - 1) / w)
 return NULL;
- return malloc(w * h * 3);
+ return malloc(w * h * 3 + 3);
 }
+
diff -urN imlib-1.9.13.orig/gdk_imlib/utils.c imlib-1.9.13/gdk_imlib/utils.c
--- imlib-1.9.13.orig/gdk_imlib/utils.c Mon Mar 4 17:26:51 2002
+++ gdk_imlib/utils.c Thu Sep 16 17:28:35 2004
@@ -1236,36 +1236,56 @@
 context = 0;
 ptr = NULL;
 end = NULL;
+ memset(lookup, 0, sizeof(lookup));
 while (!done)
 {
 line = data[count++];
+ if (!line)
+ break;
+ line = strdup(line);
+ if (!line)
+ break;
+ len = strlen(line);
+ for (i = 0; i < len; ++i)
+ {
+ c = line[i];
+ if (c < 32)
+ line[i] = 32;
+ else if (c > 127)
+ line[i] = 127;
+ }
+
 if (context == 0)
 {
 /* Header */
 sscanf(line, "%i %i %i %i", &w, &h, &ncolors, &cpp);
- if (ncolors > 32766)
+ if (ncolors <= 0 || ncolors > 32766)
 {
 fprintf(stderr, "gdk_imlib ERROR: XPM data wth colors > 32766 not supported\n");
 free(im);
+ free(line);
 return NULL;
 }
- if (cpp > 5)
+ if (cpp <= 0 || cpp > 5)
 {
 fprintf(stderr, "gdk_imlib ERROR: XPM data with characters per pixel > 5 not supported\n");
 free(im);
+ free(line);
 return NULL;
 }
- if (w > 32767)
+ if (w <= 0 || w > 32767)
 {
 fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for data\n");
 free(im);
+ free(line);
 return NULL;
 }
- if (h > 32767)
+ if (h <= 0 || h > 32767)
 {
 fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for data\n");
 free(im);
+ free(line);
 return NULL;
 }
 cmap = malloc(sizeof(struct _cmap) * ncolors);
@@ -1273,6 +1293,7 @@
 if (!cmap)
 {
 free(im);
+ free(line);
 return NULL;
 }
 im->rgb_width = w;
@@ -1282,6 +1303,7 @@
 {
 free(cmap);
 free(im);
+ free(line);
 return NULL;
 }
 im->alpha_data = NULL;
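Review bot: The new comment in `_gdk_malloc_image` names `G_MAX_INT/4` while the code tests against `G_MAXINT/4`; the comment should read `* we check G_MAXINT/4 because rend.c malloc's w * h * bpp` as in the Imlib/load.c copy, so a reader grepping for the macro finds it. As in that copy, `w <= 0` and `h <= 0` are tested on `unsigned int` and reduce to `== 0`, and the division by `w` relies on `||` short-circuiting on that test first, which merits a one-line comment. The trailing `+` line only adds a blank line at the end of the file.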
@@ -1355,7 +1377,7 @@
 strcpy(col + colptr, " ");
 colptr++;
 }
- if (colptr + ls <= sizeof(col))
+ if (colptr + ls < sizeof(col))
 {
 strcpy(col + colptr, s);
 colptr += ls;
@@ -1558,6 +1580,7 @@
 }
 if ((ptr) && ((ptr - im->rgb_data) >= w * h * 3))
 done = 1;
+ free(line);
 }
 if (!transp)
 {
--ZPt4rx8FFjLCG7dd--
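Review bot: The tightened bound `colptr + ls < sizeof(col)` now leaves room for the terminator when `s` is copied, but the `strcpy(col + colptr, " "); colptr++;` just above it (whose guarding condition lies outside the hunk) is not bounded by `sizeof(col)` at all; it stays in bounds only if `ls >= 1` on every path, since then a successful copy leaves `colptr` at most `sizeof(col) - 2`. If `s` can ever be empty here, the space append needs its own guard, `if (colptr + 1 < sizeof(col))`, or the two appends should be folded into one checked length computation. The loop body starts and ends outside this hunk.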