Gentoo Archives: gentoo-commits

From: "Markus Meier (maekke)" <maekke@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in media-gfx/gif2png/files: gif2png-2.5.1-overflow.patch
Date: Fri, 03 Dec 2010 09:41:23
Message-Id: 20101203094107.0D8DE20054@flycatcher.gentoo.org
maekke 10/12/03 09:41:07

Added: gif2png-2.5.1-overflow.patch
Log:
fix overflow bug #346501

(Portage version: 2.1.9.25/cvs/Linux i686)

Revision Changes Path
1.1 media-gfx/gif2png/files/gif2png-2.5.1-overflow.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-gfx/gif2png/files/gif2png-2.5.1-overflow.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-gfx/gif2png/files/gif2png-2.5.1-overflow.patch?rev=1.1&content-type=text/plain

15 Index: gif2png-2.5.1-overflow.patch
16 ===================================================================
17 Fixes cmdline buffer overflow described in
18
19 http://lists.grok.org.uk/pipermail/full-disclosure/2009-December/072002.html
20 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550978
21
22 Index: gif2png-2.5.3/gif2png.c
23 ===================================================================
24 --- gif2png-2.5.3.orig/gif2png.c
25 +++ gif2png-2.5.3/gif2png.c
26 @@ -675,7 +675,10 @@ int processfile(char *fname, FILE *fp)
27
28 strcpy(outname, fname);
29
30 - file_ext = outname+strlen(outname)-4;
31 + file_ext = outname+strlen(outname);
32 + if (file_ext >= outname + 4)
33 + file_ext -= 4;
34 +
35 if (strcmp(file_ext, ".gif") != 0 && strcmp(file_ext, ".GIF") != 0 &&
36 strcmp(file_ext, "_gif") != 0 && strcmp(file_ext, "_GIF") != 0) {
37 /* try to derive basename */
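Review bot: The unchanged `strcpy(outname, fname);` at the top of this hunk is still an unbounded copy, so processfile() is only safe as long as every caller has already limited the length of fname; nothing in the function itself enforces that. Consider checking strlen(fname) against the size of outname here, or at least documenting the precondition in a comment. The new guard on file_ext does what it should: for names shorter than four characters file_ext stays on the terminating NUL, all four strcmp() calls report a mismatch, and the "try to derive basename" branch runs. Taking the length once into a size_t and subtracting 4 only when it is at least 4 would read more directly than the pointer comparison `file_ext >= outname + 4`.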
38 @@ -863,6 +866,14 @@ int main(int argc, char *argv[])
39 }
40 } else {
41 for (i = ac;i<argc; i++) {
42 + /* make sure that there is enough space for a '.p<NUM>' suffix;
43 + this check catches also the '.gif' case below. */
44 + if (strlen(argv[i]) >= sizeof name - sizeof ".p" - 3 * sizeof(int)) {
45 + fprintf(stderr, "%s: name too long\n", argv[i]);
46 + errors = 1;
47 + continue;
48 + }
49 +
50 strcpy(name, argv[i]);
51 if ((fp = fopen(name, "rb")) == NULL) {
52 /* retry with .gif appended */
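Review bot: The limit in `strlen(argv[i]) >= sizeof name - sizeof ".p" - 3 * sizeof(int)` is hard to audit. It is unsigned size_t arithmetic, so if name were ever smaller than the reserved amount the subtraction would wrap to a very large value and the check would reject nothing; and `3 * sizeof(int)` stands in for the maximum number of decimal digits in `<NUM>` without the comment saying so. A named constant for the reserved suffix length, with a comment explaining how it is derived, would make the bound reviewable. The `strcpy(name, argv[i]);` that follows remains an unbounded copy protected only by this separate test, so a bounded copy whose result is checked (for example snprintf with its return value compared against sizeof name) would keep the check and the copy from drifting apart in later edits.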