
From: Alexandre Rostovtsev <tetromino@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: x11-libs/gdk-pixbuf/, x11-libs/gdk-pixbuf/files/
Date: Tue, 01 Sep 2015 05:16:02
Message-Id: 1441084538.084b0771c60902525706033d8d1ef2ac489954e1.tetromino@gentoo
1 commit: 084b0771c60902525706033d8d1ef2ac489954e1
2 Author: Alexandre Rostovtsev <tetromino <AT> gentoo <DOT> org>
3 AuthorDate: Tue Sep 1 04:28:13 2015 +0000
4 Commit: Alexandre Rostovtsev <tetromino <AT> gentoo <DOT> org>
5 CommitDate: Tue Sep 1 05:15:38 2015 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=084b0771
7
8 x11-libs/gdk-pixbuf: more DoS fixes (CVE-2015-4491)
9
10 Really fix the overflows this time.
11
12 Gentoo-Bug: 556314
13 Upstream-Bug-url: https://bugzilla.gnome.org/show_bug.cgi?id=752297
14 Upstream-Bug-url: https://bugzilla.gnome.org/show_bug.cgi?id=753908
15 Upstream-Bug-url: https://bugzilla.gnome.org/show_bug.cgi?id=734556
16 Upstream-Bug-url: https://bugzilla.gnome.org/show_bug.cgi?id=753569
17 Package-Manager: portage-2.2.20.1
18
19 .../gdk-pixbuf-2.31.1-pixops-no-scaling.patch | 129 ++++++++++++++++
20 .../files/gdk-pixbuf-2.31.5-pixops-overflow.patch | 38 +++++
21 .../gdk-pixbuf-2.31.6-alpha-overflow-rebased.patch | 79 ++++++++++
22 .../files/gdk-pixbuf-2.31.6-jpeg-overflow.patch | 35 +++++
23 .../gdk-pixbuf-2.31.6-pixops-gcc-optimizer.patch | 46 ++++++
24 ...gdk-pixbuf-2.31.6-pixops-overflow-rebased.patch | 162 +++++++++++++++++++++
25 .../gdk-pixbuf-2.31.6-pixops-variable-type.patch | 37 +++++
26 .../files/gdk-pixbuf-2.31.6-png-overflow.patch | 72 +++++++++
27 .../files/gdk-pixbuf-2.31.6-rotate-overflow.patch | 27 ++++
28 x11-libs/gdk-pixbuf/gdk-pixbuf-2.30.8-r2.ebuild | 134 +++++++++++++++++
29 10 files changed, 759 insertions(+)
30
31 diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.1-pixops-no-scaling.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.1-pixops-no-scaling.patch
32 new file mode 100644
33 index 0000000..a8587fc
34 --- /dev/null
35 +++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.1-pixops-no-scaling.patch
36 @@ -0,0 +1,129 @@
37 +From cc5fce6315dcc1127a3e2106223305ff763be815 Mon Sep 17 00:00:00 2001
38 +From: Hans Petter Jansson <hpj@××××××××.no>
39 +Date: Thu, 10 Nov 2005 19:13:00 +0000
40 +Subject: [PATCH] pixops: Special-case compositing/copying with no scaling
41 +
42 +When there is no scaling involved, make gdk_pixbuf_composite_color()
43 +faster by avoiding the scaling code path.
44 +
45 +https://bugzilla.gnome.org/show_bug.cgi?id=80927
46 +---
47 + gdk-pixbuf/pixops/pixops.c | 95 +++++++++++++++++++++++++++++++++++++++++++---
48 + 1 file changed, 90 insertions(+), 5 deletions(-)
49 +
50 +diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c
51 +index 993223e..29a1c14 100644
52 +--- a/gdk-pixbuf/pixops/pixops.c
53 ++++ b/gdk-pixbuf/pixops/pixops.c
54 +@@ -421,6 +421,86 @@ pixops_composite_nearest (guchar *dest_buf,
55 + }
56 +
57 + static void
58 ++pixops_composite_nearest_noscale (guchar *dest_buf,
59 ++ int render_x0,
60 ++ int render_y0,
61 ++ int render_x1,
62 ++ int render_y1,
63 ++ int dest_rowstride,
64 ++ int dest_channels,
65 ++ gboolean dest_has_alpha,
66 ++ const guchar *src_buf,
67 ++ int src_width,
68 ++ int src_height,
69 ++ int src_rowstride,
70 ++ int src_channels,
71 ++ gboolean src_has_alpha,
72 ++ int overall_alpha)
73 ++{
74 ++ int i, j;
75 ++ int x;
76 ++
77 ++ for (i = 0; i < (render_y1 - render_y0); i++)
78 ++ {
79 ++ const guchar *src = src_buf + (i + render_y0) * src_rowstride;
80 ++ guchar *dest = dest_buf + i * dest_rowstride;
81 ++
82 ++ x = render_x0 * src_channels;
83 ++
84 ++ for (j=0; j < (render_x1 - render_x0); j++)
85 ++ {
86 ++ const guchar *p = src + x;
87 ++ unsigned int a0;
88 ++
89 ++ if (src_has_alpha)
90 ++ a0 = (p[3] * overall_alpha) / 0xff;
91 ++ else
92 ++ a0 = overall_alpha;
93 ++
94 ++ switch (a0)
95 ++ {
96 ++ case 0:
97 ++ break;
98 ++ case 255:
99 ++ dest[0] = p[0];
100 ++ dest[1] = p[1];
101 ++ dest[2] = p[2];
102 ++ if (dest_has_alpha)
103 ++ dest[3] = 0xff;
104 ++ break;
105 ++ default:
106 ++ if (dest_has_alpha)
107 ++ {
108 ++ unsigned int w0 = 0xff * a0;
109 ++ unsigned int w1 = (0xff - a0) * dest[3];
110 ++ unsigned int w = w0 + w1;
111 ++
112 ++ dest[0] = (w0 * p[0] + w1 * dest[0]) / w;
113 ++ dest[1] = (w0 * p[1] + w1 * dest[1]) / w;
114 ++ dest[2] = (w0 * p[2] + w1 * dest[2]) / w;
115 ++ dest[3] = w / 0xff;
116 ++ }
117 ++ else
118 ++ {
119 ++ unsigned int a1 = 0xff - a0;
120 ++ unsigned int tmp;
121 ++
122 ++ tmp = a0 * p[0] + a1 * dest[0] + 0x80;
123 ++ dest[0] = (tmp + (tmp >> 8)) >> 8;
124 ++ tmp = a0 * p[1] + a1 * dest[1] + 0x80;
125 ++ dest[1] = (tmp + (tmp >> 8)) >> 8;
126 ++ tmp = a0 * p[2] + a1 * dest[2] + 0x80;
127 ++ dest[2] = (tmp + (tmp >> 8)) >> 8;
128 ++ }
129 ++ break;
130 ++ }
131 ++ dest += dest_channels;
132 ++ x += src_channels;
133 ++ }
134 ++ }
135 ++}
136 ++
137 ++static void
138 + pixops_composite_color_nearest (guchar *dest_buf,
139 + int render_x0,
140 + int render_y0,
141 +@@ -1781,11 +1861,16 @@ _pixops_composite_real (guchar *dest_buf,
142 +
143 + if (interp_type == PIXOPS_INTERP_NEAREST)
144 + {
145 +- pixops_composite_nearest (dest_buf, render_x0, render_y0, render_x1,
146 +- render_y1, dest_rowstride, dest_channels,
147 +- dest_has_alpha, src_buf, src_width, src_height,
148 +- src_rowstride, src_channels, src_has_alpha,
149 +- scale_x, scale_y, overall_alpha);
150 ++ if (scale_x == 1.0 && scale_y == 1.0)
151 ++ pixops_composite_nearest_noscale (dest_buf, render_x0, render_y0, render_x1, render_y1,
152 ++ dest_rowstride, dest_channels, dest_has_alpha,
153 ++ src_buf, src_width, src_height, src_rowstride, src_channels,
154 ++ src_has_alpha, overall_alpha);
155 ++ else
156 ++ pixops_composite_nearest (dest_buf, render_x0, render_y0, render_x1, render_y1,
157 ++ dest_rowstride, dest_channels, dest_has_alpha,
158 ++ src_buf, src_width, src_height, src_rowstride, src_channels,
159 ++ src_has_alpha, scale_x, scale_y, overall_alpha);
160 + return;
161 + }
162 +
163 +--
164 +2.5.1
165 +
166
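Review bot: `pixops_composite_nearest_noscale` accepts `src_width` and `src_height` but never reads them, so the source row `(i + render_y0)` and the column offset `render_x0 * src_channels` are used unclamped, whereas the scaled nearest paths shown elsewhere in this commit apply `CLAMP (y_pos, 0, src_height - 1)` before indexing. Unless every caller guarantees that the render rectangle lies inside the source image (not visible here), a negative or oversized `render_y0` reads outside `src_buf`. The row pointers are also formed with int arithmetic, the pattern the other patches in this commit replace; once the range is checked I would write `src_buf + (gsize)(i + render_y0) * src_rowstride` and `dest_buf + (gsize)i * dest_rowstride`. The whole function is inside the hunk, and no hunk of gdk-pixbuf-2.31.6-pixops-overflow-rebased.patch touches it.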
167 diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.5-pixops-overflow.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.5-pixops-overflow.patch
168 new file mode 100644
169 index 0000000..6f28dfd
170 --- /dev/null
171 +++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.5-pixops-overflow.patch
172 @@ -0,0 +1,38 @@
173 +From 8dba67cb4f38d62a47757741ad41e3f245b4a32a Mon Sep 17 00:00:00 2001
174 +From: Benjamin Otte <otte@××××××.com>
175 +Date: Mon, 17 Aug 2015 18:52:47 +0200
176 +Subject: [PATCH] pixops: Fix oversight for CVE-2015-4491
177 +
178 +The n_x variable could be made large enough to overflow, too.
179 +
180 +Also included are various testcases for this vulnerability:
181 +- The original exploit (adapted for the testsuite)
182 +- Causing overflow by making both X and Y variables large
183 +- Causing overflow using only the X variable
184 +- Causing overflow using only the Y variable
185 +
186 +https://bugzilla.gnome.org/show_bug.cgi?id=752297
187 +---
188 + gdk-pixbuf/pixops/pixops.c | 6 ++-
189 + 1 files changed, 5 insertions(+), 1 deletion(-)
190 +
191 +diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c
192 +index ce51745..7f2cbff 100644
193 +--- a/gdk-pixbuf/pixops/pixops.c
194 ++++ b/gdk-pixbuf/pixops/pixops.c
195 +@@ -1275,7 +1275,11 @@ make_filter_table (PixopsFilter *filter)
196 + gsize n_weights;
197 + int *weights;
198 +
199 +- n_weights = SUBSAMPLE * SUBSAMPLE * n_x * n_y;
200 ++ n_weights = SUBSAMPLE * SUBSAMPLE * n_x;
201 ++ if (n_weights / (SUBSAMPLE * SUBSAMPLE) != n_x)
202 ++ return NULL; /* overflow, bail */
203 ++
204 ++ n_weights *= n_y;
205 + if (n_weights / (SUBSAMPLE * SUBSAMPLE * n_x) != n_y)
206 + return NULL; /* overflow, bail */
207 +
208 +--
209 +2.5.1
210 +
211
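Review bot: The patch header says the upstream change includes testcases for CVE-2015-4491 (the original reproducer plus X-only, Y-only and combined overflows), but the diffstat and the only hunk cover `gdk-pixbuf/pixops/pixops.c` alone, so none of those regression tests is carried in this backport. The ebuild declares `test` in IUSE, so carrying the test files would let the test phase confirm the fix on 2.30.8. If they were dropped deliberately (for example because they are binary images, which I cannot tell from here), a line above the upstream header such as `Gentoo: upstream test cases omitted from this backport` would stop the description from misleading the next maintainer.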
212 diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-alpha-overflow-rebased.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-alpha-overflow-rebased.patch
213 new file mode 100644
214 index 0000000..647dd59
215 --- /dev/null
216 +++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-alpha-overflow-rebased.patch
217 @@ -0,0 +1,79 @@
218 +From 2937faff06629e224f113a9af73eba59f65c3845 Mon Sep 17 00:00:00 2001
219 +From: Matthias Clasen <mclasen@××××××.com>
220 +Date: Mon, 24 Aug 2015 15:20:08 -0400
221 +Subject: [PATCH] Avoid integer overflow in gdk_pixbuf_add_alpha
222 +
223 +Same as before: don't do ptr = base + y * rowstride if y and
224 +rowstride are integers.
225 +
226 +This should fix http://bugzilla.gnome/org/753569
227 +---
228 + gdk-pixbuf/gdk-pixbuf-util.c | 23 +++++++++++++++--------
229 + 1 file changed, 15 insertions(+), 8 deletions(-)
230 +
231 +diff --git a/gdk-pixbuf/gdk-pixbuf-util.c b/gdk-pixbuf/gdk-pixbuf-util.c
232 +index 6fbaa8e..6eea4c3 100644
233 +--- a/gdk-pixbuf/gdk-pixbuf-util.c
234 ++++ b/gdk-pixbuf/gdk-pixbuf-util.c
235 +@@ -65,12 +65,18 @@ gdk_pixbuf_add_alpha (const GdkPixbuf *pixbuf,
236 + {
237 + GdkPixbuf *new_pixbuf;
238 + int x, y;
239 ++ const guint8 *src_pixels;
240 ++ guint8 *ret_pixels;
241 ++ const guchar *src;
242 ++ guchar *dest;
243 +
244 + g_return_val_if_fail (GDK_IS_PIXBUF (pixbuf), NULL);
245 + g_return_val_if_fail (pixbuf->colorspace == GDK_COLORSPACE_RGB, NULL);
246 + g_return_val_if_fail (pixbuf->n_channels == 3 || pixbuf->n_channels == 4, NULL);
247 + g_return_val_if_fail (pixbuf->bits_per_sample == 8, NULL);
248 +
249 ++ src_pixels = pixbuf->pixels;
250 ++
251 + if (pixbuf->has_alpha) {
252 + new_pixbuf = gdk_pixbuf_copy (pixbuf);
253 + if (!new_pixbuf)
254 +@@ -81,17 +87,18 @@ gdk_pixbuf_add_alpha (const GdkPixbuf *pixbuf,
255 + } else {
256 + new_pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB, TRUE, 8, pixbuf->width, pixbuf->height);
257 + }
258 +-
259 ++
260 + if (!new_pixbuf)
261 + return NULL;
262 +
263 +- for (y = 0; y < pixbuf->height; y++) {
264 +- guchar *src, *dest;
265 ++ ret_pixels = new_pixbuf->pixels;
266 ++
267 ++ for (y = 0; y < pixbuf->height; y++, src_pixels += pixbuf->rowstride, ret_pixels += new_pixbuf->rowstride) {
268 + guchar tr, tg, tb;
269 +
270 +- src = pixbuf->pixels + y * pixbuf->rowstride;
271 +- dest = new_pixbuf->pixels + y * new_pixbuf->rowstride;
272 +-
273 ++ src = src_pixels;
274 ++ dest = ret_pixels;
275 ++
276 + if (pixbuf->has_alpha) {
277 + /* Just subst color, we already copied everything else */
278 + for (x = 0; x < pixbuf->width; x++) {
279 +@@ -100,12 +107,12 @@ gdk_pixbuf_add_alpha (const GdkPixbuf *pixbuf,
280 + src += 4;
281 + dest += 4;
282 + }
283 +- } else {
284 ++ } else {
285 + for (x = 0; x < pixbuf->width; x++) {
286 + tr = *dest++ = *src++;
287 + tg = *dest++ = *src++;
288 + tb = *dest++ = *src++;
289 +-
290 ++
291 + if (substitute_color && tr == r && tg == g && tb == b)
292 + *dest++ = 0;
293 + else
294 +--
295 +2.5.1
296 +
297
298 diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-jpeg-overflow.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-jpeg-overflow.patch
299 new file mode 100644
300 index 0000000..ebec196
301 --- /dev/null
302 +++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-jpeg-overflow.patch
303 @@ -0,0 +1,35 @@
304 +From fde8d1d12a32740770253e97ddc9602654e16865 Mon Sep 17 00:00:00 2001
305 +From: Matthias Clasen <mclasen@××××××.com>
306 +Date: Mon, 24 Aug 2015 15:48:51 -0400
307 +Subject: [PATCH] jpeg: Fix some integer overflows
308 +
309 +Similar to the previous commit.
310 +---
311 + gdk-pixbuf/io-jpeg.c | 4 ++--
312 + 1 file changed, 2 insertions(+), 2 deletions(-)
313 +
314 +diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
315 +index fa6bec1..eb48aed 100644
316 +--- a/gdk-pixbuf/io-jpeg.c
317 ++++ b/gdk-pixbuf/io-jpeg.c
318 +@@ -886,7 +886,7 @@ gdk_pixbuf__jpeg_image_load_lines (JpegProgContext *context,
319 + return FALSE;
320 + }
321 +
322 +- context->dptr += nlines * context->pixbuf->rowstride;
323 ++ context->dptr += (gsize)nlines * context->pixbuf->rowstride;
324 +
325 + /* send updated signal */
326 + if (context->updated_func)
327 +@@ -1494,7 +1494,7 @@ real_save_jpeg (GdkPixbuf *pixbuf,
328 + while (cinfo.next_scanline < cinfo.image_height) {
329 + /* convert scanline from ARGB to RGB packed */
330 + for (j = 0; j < w; j++)
331 +- memcpy (&(buf[j*3]), &(ptr[i*rowstride + j*n_channels]), 3);
332 ++ memcpy (&(buf[j*3]), &(ptr[(gsize)i*rowstride + j*n_channels]), 3);
333 +
334 + /* write scanline */
335 + jbuf = (JSAMPROW *)(&buf);
336 +--
337 +2.5.1
338 +
339
340 diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-gcc-optimizer.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-gcc-optimizer.patch
341 new file mode 100644
342 index 0000000..bd957b7
343 --- /dev/null
344 +++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-gcc-optimizer.patch
345 @@ -0,0 +1,46 @@
346 +From dd4b061c27dc0865c8f8987d294de6e04b321c18 Mon Sep 17 00:00:00 2001
347 +From: Benjamin Otte <otte@××××××.com>
348 +Date: Sat, 22 Aug 2015 23:06:23 +0200
349 +Subject: [PATCH] pixops: Be smarter than gcc's optimizer
350 +
351 +gcc realizes that the overflow checks aren't necessary. Why not?
352 +
353 +Well, if an int overflows, the behavior is undefined. And turning on
354 +-fomit-instructions is valid behavior in an undefined situation.
355 +---
356 + gdk-pixbuf/pixops/pixops.c | 15 +++++++--------
357 + 1 file changed, 7 insertions(+), 8 deletions(-)
358 +
359 +diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c
360 +index b7951c7..5564a40 100644
361 +--- a/gdk-pixbuf/pixops/pixops.c
362 ++++ b/gdk-pixbuf/pixops/pixops.c
363 +@@ -1272,18 +1272,17 @@ make_filter_table (PixopsFilter *filter)
364 + int i_offset, j_offset;
365 + int n_x = filter->x.n;
366 + int n_y = filter->y.n;
367 +- int n_weights;
368 + int *weights;
369 +
370 +- n_weights = SUBSAMPLE * SUBSAMPLE * n_x;
371 +- if (n_weights / (SUBSAMPLE * SUBSAMPLE) != n_x)
372 +- return NULL; /* overflow, bail */
373 ++ /* check n_x doesn't overflow */
374 ++ if (G_MAXINT / (SUBSAMPLE * SUBSAMPLE) < n_x)
375 ++ return NULL;
376 +
377 +- n_weights *= n_y;
378 +- if (n_weights / (SUBSAMPLE * SUBSAMPLE * n_x) != n_y)
379 +- return NULL; /* overflow, bail */
380 ++ /* check n_y doesn't overflow */
381 ++ if (G_MAXINT / (SUBSAMPLE * SUBSAMPLE * n_x) < n_y)
382 ++ return NULL;
383 +
384 +- weights = g_try_new (int, n_weights);
385 ++ weights = g_try_new (int, SUBSAMPLE * SUBSAMPLE * n_x * n_y);
386 + if (!weights)
387 + return NULL; /* overflow, bail */
388 +
389 +--
390 +2.5.1
391 +
392
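Review bot: The second guard divides by `SUBSAMPLE * SUBSAMPLE * n_x`, so a filter with `n_x == 0` makes the overflow check itself divide by zero, and a negative `n_y` passes both comparisons and reaches `g_try_new` with a negative element count. Whether `filter->x.n` and `filter->y.n` can be non-positive is decided outside the hunk, and the 2.30.8 divide-by-zero patch applied earlier is not shown on this page, so treat this as a hardening suggestion: add `if (n_x <= 0 || n_y <= 0) return NULL;` ahead of the two checks. The trailing `/* overflow, bail */` on the `g_try_new` failure path now describes an allocation failure rather than an overflow. make_filter_table starts and ends outside the hunk.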
393 diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-overflow-rebased.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-overflow-rebased.patch
394 new file mode 100644
395 index 0000000..cb94784
396 --- /dev/null
397 +++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-overflow-rebased.patch
398 @@ -0,0 +1,162 @@
399 +From 6df428ba24d8f244d08c4a205053e26b28cee0a9 Mon Sep 17 00:00:00 2001
400 +From: Matthias Clasen <mclasen@××××××.com>
401 +Date: Mon, 24 Aug 2015 14:44:50 -0400
402 +Subject: [PATCH] Fix some more integer overflows
403 +
404 +The scaling code had a similar problem to the one fixed in the
405 +previous commit: Expressions like ptr = base + y * rowstride are
406 +prone to overflow if y and rowstride are (possibly large) integers.
407 +---
408 + gdk-pixbuf/pixops/pixops.c | 44 ++++++++++++++++++++++----------------------
409 + 1 file changed, 22 insertions(+), 22 deletions(-)
410 +
411 +diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c
412 +index 993223e..33aa32e 100644
413 +--- a/gdk-pixbuf/pixops/pixops.c
414 ++++ b/gdk-pixbuf/pixops/pixops.c
415 +@@ -304,8 +304,8 @@ pixops_scale_nearest (guchar *dest_buf,
416 + guchar *dest;
417 + y_pos = ((i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT;
418 + y_pos = CLAMP (y_pos, 0, src_height - 1);
419 +- src = src_buf + y_pos * src_rowstride;
420 +- dest = dest_buf + i * dest_rowstride;
421 ++ src = src_buf + (gsize)y_pos * src_rowstride;
422 ++ dest = dest_buf + (gsize)i * dest_rowstride;
423 +
424 + x = render_x0 * x_step + x_step / 2;
425 +
426 +@@ -368,8 +368,8 @@ pixops_composite_nearest (guchar *dest_buf,
427 + guchar *dest;
428 + y_pos = ((i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT;
429 + y_pos = CLAMP (y_pos, 0, src_height - 1);
430 +- src = src_buf + y_pos * src_rowstride;
431 +- dest = dest_buf + i * dest_rowstride;
432 ++ src = src_buf + (gsize)y_pos * src_rowstride;
433 ++ dest = dest_buf + (gsize)i * dest_rowstride;
434 +
435 + x = render_x0 * x_step + x_step / 2;
436 +
437 +@@ -460,8 +460,8 @@ pixops_composite_color_nearest (guchar *dest_buf,
438 + guchar *dest;
439 + y_pos = ((i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT;
440 + y_pos = CLAMP (y_pos, 0, src_height - 1);
441 +- src = src_buf + y_pos * src_rowstride;
442 +- dest = dest_buf + i * dest_rowstride;
443 ++ src = src_buf + (gsize)y_pos * src_rowstride;
444 ++ dest = dest_buf + (gsize)i * dest_rowstride;
445 +
446 + x = render_x0 * x_step + x_step / 2;
447 +
448 +@@ -1303,7 +1303,7 @@ pixops_process (guchar *dest_buf,
449 + guchar *new_outbuf;
450 + guint32 tcolor1, tcolor2;
451 +
452 +- guchar *outbuf = dest_buf + dest_rowstride * i;
453 ++ guchar *outbuf = dest_buf + (gsize)dest_rowstride * i;
454 + guchar *outbuf_end = outbuf + dest_channels * (render_x1 - render_x0);
455 +
456 + if (((i + check_y) >> check_shift) & 1)
457 +@@ -1322,9 +1322,9 @@ pixops_process (guchar *dest_buf,
458 + if (y_start < 0)
459 + line_bufs[j] = (guchar *)src_buf;
460 + else if (y_start < src_height)
461 +- line_bufs[j] = (guchar *)src_buf + src_rowstride * y_start;
462 ++ line_bufs[j] = (guchar *)src_buf + (gsize)src_rowstride * y_start;
463 + else
464 +- line_bufs[j] = (guchar *)src_buf + src_rowstride * (src_height - 1);
465 ++ line_bufs[j] = (guchar *)src_buf + (gsize)src_rowstride * (src_height - 1);
466 +
467 + y_start++;
468 + }
469 +@@ -1348,7 +1348,7 @@ pixops_process (guchar *dest_buf,
470 + }
471 +
472 + new_outbuf = (*line_func) (run_weights, filter->x.n, filter->y.n,
473 +- outbuf, dest_x, dest_buf + dest_rowstride *
474 ++ outbuf, dest_x, dest_buf + (gsize)dest_rowstride *
475 + i + run_end_index * dest_channels,
476 + dest_channels, dest_has_alpha,
477 + line_bufs, src_channels, src_has_alpha,
478 +@@ -1866,7 +1866,7 @@ _pixops_composite (guchar *dest_buf,
479 + return;
480 + #endif
481 +
482 +- new_dest_buf = dest_buf + dest_y * dest_rowstride + dest_x * dest_channels;
483 ++ new_dest_buf = dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x * dest_channels;
484 + render_x0 = dest_x - offset_x;
485 + render_y0 = dest_y - offset_y;
486 + render_x1 = dest_x + dest_region_width - offset_x;
487 +@@ -2026,7 +2026,7 @@ pixops_medialib_composite (guchar *dest_buf,
488 + if (!use_medialib)
489 + {
490 + /* Use non-mediaLib version */
491 +- _pixops_composite_real (dest_buf + dest_y * dest_rowstride + dest_x *
492 ++ _pixops_composite_real (dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x *
493 + dest_channels, dest_x - offset_x, dest_y -
494 + offset_y, dest_x + dest_region_width - offset_x,
495 + dest_y + dest_region_height - offset_y,
496 +@@ -2068,8 +2068,8 @@ pixops_medialib_composite (guchar *dest_buf,
497 + }
498 + else
499 + {
500 +- mlib_u8 *data = dest_buf + (dest_y * dest_rowstride) +
501 +- (dest_x * dest_channels);
502 ++ mlib_u8 *data = dest_buf + (gsize)dest_y * dest_rowstride +
503 ++ (gsize)dest_x * dest_channels;
504 +
505 + mlib_ImageSetStruct (&img_dest, MLIB_BYTE, dest_channels,
506 + dest_region_width, dest_region_height,
507 +@@ -2136,8 +2136,8 @@ pixops_medialib_composite (guchar *dest_buf,
508 + else
509 + {
510 + /* Should not happen - Use non-mediaLib version */
511 +- _pixops_composite_real (dest_buf + dest_y * dest_rowstride +
512 +- dest_x * dest_channels,
513 ++ _pixops_composite_real (dest_buf + (gsize)dest_y * dest_rowstride +
514 ++ (gsize)dest_x * dest_channels,
515 + dest_x - offset_x, dest_y - offset_y,
516 + dest_x + dest_region_width - offset_x,
517 + dest_y + dest_region_height - offset_y,
518 +@@ -2260,7 +2260,7 @@ _pixops_scale (guchar *dest_buf,
519 + return;
520 + #endif
521 +
522 +- new_dest_buf = dest_buf + dest_y * dest_rowstride + dest_x * dest_channels;
523 ++ new_dest_buf = dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x * dest_channels;
524 + render_x0 = dest_x - offset_x;
525 + render_y0 = dest_y - offset_y;
526 + render_x1 = dest_x + dest_region_width - offset_x;
527 +@@ -2314,8 +2314,8 @@ pixops_medialib_scale (guchar *dest_buf,
528 + */
529 + if (!use_medialib)
530 + {
531 +- _pixops_scale_real (dest_buf + dest_y * dest_rowstride + dest_x *
532 +- dest_channels, dest_x - offset_x, dest_y - offset_y,
533 ++ _pixops_scale_real (dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x *
534 ++ dest_channels, dest_x - offset_x, dest_y - offset_y,
535 + dest_x + dest_region_width - offset_x,
536 + dest_y + dest_region_height - offset_y,
537 + dest_rowstride, dest_channels, dest_has_alpha,
538 +@@ -2343,8 +2343,8 @@ pixops_medialib_scale (guchar *dest_buf,
539 + }
540 + else
541 + {
542 +- mlib_u8 *data = dest_buf + (dest_y * dest_rowstride) +
543 +- (dest_x * dest_channels);
544 ++ mlib_u8 *data = dest_buf + (gsize)dest_y * dest_rowstride +
545 ++ (gsize)dest_x * dest_channels;
546 +
547 + mlib_ImageSetStruct (&img_dest, MLIB_BYTE, dest_channels,
548 + dest_region_width, dest_region_height,
549 +@@ -2379,7 +2379,7 @@ pixops_medialib_scale (guchar *dest_buf,
550 + int channels = 3;
551 + int rowstride = (channels * src_width + 3) & ~3;
552 +
553 +- tmp_buf = g_malloc (src_rowstride * src_height);
554 ++ tmp_buf = g_malloc_n (src_rowstride, src_height);
555 +
556 + if (src_buf != NULL)
557 + {
558 +--
559 +2.5.1
560 +
561
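Review bot: The `(gsize)` casts widen the row offset, but in `pixops_scale_nearest` the index feeding it, `y_pos = ((i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT`, is an unchanged context line and, if its operands are plain `int` as the surrounding code suggests, can still overflow before `CLAMP` runs. Signed overflow is undefined, and the gcc-optimizer patch in this same commit shows the compiler acting on that assumption, so the clamp is not a dependable backstop; the same line appears in the `pixops_composite_nearest` and `pixops_composite_color_nearest` hunks, along with `x = render_x0 * x_step + x_step / 2`. Consider evaluating these in a 64-bit type, e.g. `((gint64)(i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT`, and range-checking the result before it is stored in `y_pos` (its declaration is outside the hunk). In `pixops_medialib_scale`, `g_malloc_n (src_rowstride, src_height)` aborts the process on overflow instead of returning an error, so that path still ends in a denial of service. All the affected functions begin and end outside their hunks.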
562 diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-variable-type.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-variable-type.patch
563 new file mode 100644
564 index 0000000..a83535f
565 --- /dev/null
566 +++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-variable-type.patch
567 @@ -0,0 +1,37 @@
568 +From 3df91dc6c6f8d1421e9c8756959280de792af77a Mon Sep 17 00:00:00 2001
569 +From: Benjamin Otte <otte@××××××.com>
570 +Date: Sat, 22 Aug 2015 17:57:23 +0200
571 +Subject: [PATCH] pixops: Chane variable type
572 +
573 +n_weights is used to do overflow checks. So by reducing the size to 32
574 +bits signed we overflow earlier. This is necessary because further down
575 +the code lots of code uses int variables to iterate over this variable
576 +and we don't want those to overflow.
577 +
578 +The correct fix would be to make all those variables gsize too, but
579 +that's way more invasive and requires different checks in different
580 +places so I'm not gonna do that now.
581 +And as long as scale factors are not expected to reach G_MAXINT it's not
582 +really necessary to do this change anyway.
583 +
584 +https://bugzilla.gnome.org/show_bug.cgi?id=753908
585 +---
586 + gdk-pixbuf/pixops/pixops.c | 2 +-
587 + 1 file changed, 1 insertion(+), 1 deletion(-)
588 +
589 +diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c
590 +index 7f2cbff..b7951c7 100644
591 +--- a/gdk-pixbuf/pixops/pixops.c
592 ++++ b/gdk-pixbuf/pixops/pixops.c
593 +@@ -1272,7 +1272,7 @@ make_filter_table (PixopsFilter *filter)
594 + int i_offset, j_offset;
595 + int n_x = filter->x.n;
596 + int n_y = filter->y.n;
597 +- gsize n_weights;
598 ++ int n_weights;
599 + int *weights;
600 +
601 + n_weights = SUBSAMPLE * SUBSAMPLE * n_x;
602 +--
603 +2.5.1
604 +
605
606 diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-png-overflow.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-png-overflow.patch
607 new file mode 100644
608 index 0000000..83c67b5
609 --- /dev/null
610 +++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-png-overflow.patch
611 @@ -0,0 +1,72 @@
612 +From 8714ab407c54d5989d15a78eb15550c2d52d95b8 Mon Sep 17 00:00:00 2001
613 +From: Matthias Clasen <mclasen@××××××.com>
614 +Date: Mon, 24 Aug 2015 14:13:37 -0400
615 +Subject: [PATCH] png: Fix some integer overflows
616 +
617 +The png loader was not careful enough in some places. Width * height
618 +can overflow an integer.
619 +
620 +This should fix http://bugzilla.gnome.org/734556.
621 +---
622 + gdk-pixbuf/io-png.c | 15 ++++++++-------
623 + 1 file changed, 8 insertions(+), 7 deletions(-)
624 +
625 +diff --git a/gdk-pixbuf/io-png.c b/gdk-pixbuf/io-png.c
626 +index 3336b1e..5690875 100644
627 +--- a/gdk-pixbuf/io-png.c
628 ++++ b/gdk-pixbuf/io-png.c
629 +@@ -267,6 +267,7 @@ gdk_pixbuf__png_image_load (FILE *f, GError **error)
630 + gchar *density_str;
631 + guint32 retval;
632 + gint compression_type;
633 ++ gpointer ptr;
634 +
635 + #ifdef PNG_USER_MEM_SUPPORTED
636 + png_ptr = png_create_read_struct_2 (PNG_LIBPNG_VER_STRING,
637 +@@ -326,8 +327,8 @@ gdk_pixbuf__png_image_load (FILE *f, GError **error)
638 +
639 + rows = g_new (png_bytep, h);
640 +
641 +- for (i = 0; i < h; i++)
642 +- rows[i] = pixbuf->pixels + i * pixbuf->rowstride;
643 ++ for (i = 0, ptr = pixbuf->pixels; i < h; i++, ptr += pixbuf->rowstride)
644 ++ rows[i] = ptr;
645 +
646 + png_read_image (png_ptr, rows);
647 + png_read_end (png_ptr, info_ptr);
648 +@@ -745,6 +746,7 @@ png_row_callback (png_structp png_read_ptr,
649 + {
650 + LoadContext* lc;
651 + guchar* old_row = NULL;
652 ++ gsize rowstride;
653 +
654 + lc = png_get_progressive_ptr(png_read_ptr);
655 +
656 +@@ -770,8 +772,9 @@ png_row_callback (png_structp png_read_ptr,
657 + lc->max_row_seen_in_chunk = MAX(lc->max_row_seen_in_chunk, ((gint)row_num));
658 + lc->last_row_seen_in_chunk = row_num;
659 + lc->last_pass_seen_in_chunk = pass_num;
660 +-
661 +- old_row = lc->pixbuf->pixels + (row_num * lc->pixbuf->rowstride);
662 ++
663 ++ rowstride = lc->pixbuf->rowstride;
664 ++ old_row = lc->pixbuf->pixels + (row_num * rowstride);
665 +
666 + png_progressive_combine_row(lc->png_read_ptr, old_row, new_row);
667 + }
668 +@@ -1123,11 +1126,9 @@ static gboolean real_save_png (GdkPixbuf *pixbuf,
669 + png_set_shift (png_ptr, &sig_bit);
670 + png_set_packing (png_ptr);
671 +
672 +- ptr = pixels;
673 +- for (y = 0; y < h; y++) {
674 ++ for (y = 0, ptr = pixels; y < h; y++, ptr += rowstride) {
675 + row_ptr = (png_bytep)ptr;
676 + png_write_rows (png_ptr, &row_ptr, 1);
677 +- ptr += rowstride;
678 + }
679 +
680 + png_write_end (png_ptr, info_ptr);
681 +--
682 +2.5.1
683 +
684
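Review bot: In `gdk_pixbuf__png_image_load` the new row cursor is declared `gpointer ptr;` and then advanced with `ptr += pixbuf->rowstride`, which is arithmetic on `void *`, a GNU extension that ISO C does not define and that other compilers reject or warn about. Declaring it as `guchar *ptr;` keeps the overflow fix and makes it explicit that the stride is counted in bytes. In `png_row_callback` the widening relies on `gsize rowstride`, so on 32-bit ABIs `row_num * rowstride` is still a 32-bit product; that is harmless only if `row_num` is bounded by the image height, and any such check is outside the hunk. Both functions continue outside their hunks.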
685 diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-rotate-overflow.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-rotate-overflow.patch
686 new file mode 100644
687 index 0000000..fa6b90c
688 --- /dev/null
689 +++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-rotate-overflow.patch
690 @@ -0,0 +1,27 @@
691 +From 4f68cb78a5277f169b9531e6998c00c7976594e4 Mon Sep 17 00:00:00 2001
692 +From: Matthias Clasen <mclasen@××××××.com>
693 +Date: Mon, 24 Aug 2015 15:29:36 -0400
694 +Subject: [PATCH] Avoid integer overflow in gdk_pixbuf_rotate_simple
695 +
696 +Same as before: don't do ptr = base + y * rowstride if y and
697 +rowstride are integers.
698 +---
699 + gdk-pixbuf/gdk-pixbuf-scale.c | 2 +-
700 + 1 file changed, 1 insertion(+), 1 deletion(-)
701 +
702 +diff --git a/gdk-pixbuf/gdk-pixbuf-scale.c b/gdk-pixbuf/gdk-pixbuf-scale.c
703 +index 4288c65..475126a 100644
704 +--- a/gdk-pixbuf/gdk-pixbuf-scale.c
705 ++++ b/gdk-pixbuf/gdk-pixbuf-scale.c
706 +@@ -396,7 +396,7 @@ gdk_pixbuf_composite_color_simple (const GdkPixbuf *src,
707 + return dest;
708 + }
709 +
710 +-#define OFFSET(pb, x, y) ((x) * (pb)->n_channels + (y) * (pb)->rowstride)
711 ++#define OFFSET(pb, x, y) ((x) * (pb)->n_channels + (gsize)(y) * (pb)->rowstride)
712 +
713 + /**
714 + * gdk_pixbuf_rotate_simple:
715 +--
716 +2.5.1
717 +
718
719 diff --git a/x11-libs/gdk-pixbuf/gdk-pixbuf-2.30.8-r2.ebuild b/x11-libs/gdk-pixbuf/gdk-pixbuf-2.30.8-r2.ebuild
720 new file mode 100644
721 index 0000000..eb578ac
722 --- /dev/null
723 +++ b/x11-libs/gdk-pixbuf/gdk-pixbuf-2.30.8-r2.ebuild
724 @@ -0,0 +1,134 @@
725 +# Copyright 1999-2015 Gentoo Foundation
726 +# Distributed under the terms of the GNU General Public License v2
727 +# $Id$
728 +
729 +EAPI="5"
730 +GCONF_DEBUG="no"
731 +GNOME2_LA_PUNT="yes"
732 +
733 +inherit eutils flag-o-matic gnome2 multilib libtool multilib-minimal
734 +
735 +DESCRIPTION="Image loading library for GTK+"
736 +HOMEPAGE="http://www.gtk.org/"
737 +
738 +LICENSE="LGPL-2+"
739 +SLOT="2"
740 +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~x86-interix ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
741 +IUSE="+X debug +introspection jpeg jpeg2k tiff test"
742 +
743 +COMMON_DEPEND="
744 + >=dev-libs/glib-2.37.6:2[${MULTILIB_USEDEP}]
745 + >=media-libs/libpng-1.4:0=[${MULTILIB_USEDEP}]
746 + introspection? ( >=dev-libs/gobject-introspection-0.9.3 )
747 + jpeg? ( virtual/jpeg:0=[${MULTILIB_USEDEP}] )
748 + jpeg2k? ( media-libs/jasper:=[${MULTILIB_USEDEP}] )
749 + tiff? ( >=media-libs/tiff-3.9.2:0=[${MULTILIB_USEDEP}] )
750 + X? ( x11-libs/libX11[${MULTILIB_USEDEP}] )
751 +"
752 +DEPEND="${COMMON_DEPEND}
753 + >=dev-util/gtk-doc-am-1.20
754 + >=sys-devel/gettext-0.17
755 + virtual/pkgconfig
756 +"
757 +# librsvg blocker is for the new pixbuf loader API, you lose icons otherwise
758 +RDEPEND="${COMMON_DEPEND}
759 + !<gnome-base/gail-1000
760 + !<gnome-base/librsvg-2.31.0
761 + !<x11-libs/gtk+-2.21.3:2
762 + !<x11-libs/gtk+-2.90.4:3
763 + abi_x86_32? (
764 + !<=app-emulation/emul-linux-x86-gtklibs-20131008-r2
765 + !app-emulation/emul-linux-x86-gtklibs[-abi_x86_32(-)]
766 + )
767 +"
768 +
769 +MULTILIB_CHOST_TOOLS=(
770 + /usr/bin/gdk-pixbuf-query-loaders
771 +)
772 +
773 +src_prepare() {
774 + # Upstream patches from 2.31.x
775 + epatch "${FILESDIR}"/${PN}-2.30.8-divide-by-zero.patch \
776 + "${FILESDIR}"/${PN}-2.30.8-pixops-overflow.patch \
777 + "${FILESDIR}"/${PN}-2.31.5-pixops-overflow.patch \
778 + "${FILESDIR}"/${PN}-2.31.6-pixops-variable-type.patch \
779 + "${FILESDIR}"/${PN}-2.31.6-pixops-gcc-optimizer.patch \
780 + "${FILESDIR}"/${PN}-2.31.6-png-overflow.patch \
781 + "${FILESDIR}"/${PN}-2.31.6-jpeg-overflow.patch \
782 + "${FILESDIR}"/${PN}-2.31.6-pixops-overflow-rebased.patch \
783 + "${FILESDIR}"/${PN}-2.31.6-alpha-overflow-rebased.patch \
784 + "${FILESDIR}"/${PN}-2.31.6-rotate-overflow.patch #556314
785 +
786 + # This will avoid polluting the pkg-config file with versioned libpng,
787 + # which is causing problems with libpng14 -> libpng15 upgrade
788 + # See upstream bug #667068
789 + # First check that the pattern is present, to catch upstream changes on bumps,
790 + # because sed doesn't return failure code if it doesn't do any replacements
791 + grep -q 'l in libpng16' configure || die "libpng check order has changed upstream"
792 + sed -e 's:l in libpng16:l in libpng libpng16:' -i configure || die
793 + [[ ${CHOST} == *-solaris* ]] && append-libs intl
794 +
795 + gnome2_src_prepare
796 +}
797 +
798 +multilib_src_configure() {
799 + # png always on to display icons
800 + ECONF_SOURCE="${S}" \
801 + gnome2_src_configure \
802 + $(usex debug --enable-debug=yes "") \
803 + $(use_with jpeg libjpeg) \
804 + $(use_with jpeg2k libjasper) \
805 + $(use_with tiff libtiff) \
806 + $(multilib_native_use_enable introspection) \
807 + $(use_with X x11) \
808 + --with-libpng
809 +
810 + # work-around gtk-doc out-of-source brokedness
811 + if multilib_is_native_abi; then
812 + ln -s "${S}"/docs/reference/${PN}/html docs/reference/${PN}/html || die
813 + fi
814 +}
815 +
816 +multilib_src_install() {
817 + # Parallel install fails when no gdk-pixbuf is already installed, bug #481372
818 + MAKEOPTS="${MAKEOPTS} -j1" gnome2_src_install
819 +}
820 +
821 +pkg_preinst() {
822 + gnome2_pkg_preinst
823 +
824 + multilib_pkg_preinst() {
825 + # Make sure loaders.cache belongs to gdk-pixbuf alone
826 + local cache="usr/$(get_libdir)/${PN}-2.0/2.10.0/loaders.cache"
827 +
828 + if [[ -e ${EROOT}${cache} ]]; then
829 + cp "${EROOT}"${cache} "${ED}"/${cache} || die
830 + else
831 + touch "${ED}"/${cache} || die
832 + fi
833 + }
834 +
835 + multilib_foreach_abi multilib_pkg_preinst
836 +}
837 +
838 +pkg_postinst() {
839 + # causes segfault if set, see bug 375615
840 + unset __GL_NO_DSO_FINALIZER
841 +
842 + multilib_foreach_abi gnome2_pkg_postinst
843 +
844 + # Migration snippet for when this was handled by gtk+
845 + if [ -e "${EROOT}"usr/lib/gtk-2.0/2.*/loaders ]; then
846 + elog "You need to rebuild ebuilds that installed into" "${EROOT}"usr/lib/gtk-2.0/2.*/loaders
847 + elog "to do that you can use qfile from portage-utils:"
848 + elog "emerge -va1 \$(qfile -qC ${EPREFIX}/usr/lib/gtk-2.0/2.*/loaders)"
849 + fi
850 +}
851 +
852 +pkg_postrm() {
853 + gnome2_pkg_postrm
854 +
855 + if [[ -z ${REPLACED_BY_VERSIONS} ]]; then
856 + rm -f "${EROOT}"usr/lib*/${PN}-2.0/2.10.0/loaders.cache
857 + fi
858 +}
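Review bot: `src_prepare` applies ten patches, but `gdk-pixbuf-2.31.1-pixops-no-scaling.patch`, which this commit adds under files/, is not among them, so in this revision it is shipped but never applied (it may be meant for another ebuild outside this commit). If it is intentionally unused here, dropping it from the commit or saying so in a comment above the `epatch` call would avoid confusion. If it is meant to be applied, note that it and `gdk-pixbuf-2.31.6-pixops-overflow-rebased.patch` are both generated against pixops.c blob 993223e, so their relative order and offsets need checking. A comment such as `# CVE-2015-4491 and follow-ups; order matters: 2.31.5-pixops-overflow, then variable-type, then gcc-optimizer` would record why the list is ordered as it is, since the index lines of those three patches chain ce51745 → 7f2cbff → b7951c7 → 5564a40.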