
From: Alexandre Rostovtsev <tetromino@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/gnome:master commit in: x11-libs/gdk-pixbuf/, x11-libs/gdk-pixbuf/files/
Date: Tue, 01 Sep 2015 05:17:48
Message-Id: 1441081503.9e48855fcf4528e77c4c86b9bd1b12fa3176b23a.tetromino@gentoo
1 commit: 9e48855fcf4528e77c4c86b9bd1b12fa3176b23a
2 Author: Alexandre Rostovtsev <tetromino <AT> gentoo <DOT> org>
3 AuthorDate: Fri Aug 21 04:49:52 2015 +0000
4 Commit: Alexandre Rostovtsev <tetromino <AT> gentoo <DOT> org>
5 CommitDate: Tue Sep 1 04:25:03 2015 +0000
6 URL: https://gitweb.gentoo.org/proj/gnome.git/commit/?id=9e48855f
7
8 x11-libs/gdk-pixbuf: 2.31.5 → 2.31.6 and more fixes for CVE-2015-4491
9
10 Really fix the overflow.
11
12 Gentoo-Bug: 556314
13 Upstream-Bug-url: https://bugzilla.gnome.org/show_bug.cgi?id=752297
14 Package-Manager: portage-2.2.20.1
15 Manifest-Sign-Key: 0x18E5B6F2D8D5EC8D
16
17 .../files/gdk-pixbuf-2.31.6-alpha-overflow.patch | 70 +++++++++
18 .../files/gdk-pixbuf-2.31.6-jpeg-overflow.patch | 35 +++++
19 .../gdk-pixbuf-2.31.6-pixops-gcc-optimizer.patch | 46 ++++++
20 .../files/gdk-pixbuf-2.31.6-pixops-overflow.patch | 173 +++++++++++++++++++++
21 .../gdk-pixbuf-2.31.6-pixops-variable-type.patch | 37 +++++
22 .../files/gdk-pixbuf-2.31.6-png-overflow.patch | 72 +++++++++
23 .../files/gdk-pixbuf-2.31.6-rotate-overflow.patch | 27 ++++
24 ...xbuf-2.31.5.ebuild => gdk-pixbuf-2.31.6.ebuild} | 15 +-
25 8 files changed, 474 insertions(+), 1 deletion(-)
26
27 diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-alpha-overflow.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-alpha-overflow.patch
28 new file mode 100644
29 index 0000000..bd4abfa
30 --- /dev/null
31 +++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-alpha-overflow.patch
32 @@ -0,0 +1,70 @@
33 +From ca3c56421c075e729750cf80c3438b283232cce8 Mon Sep 17 00:00:00 2001
34 +From: Matthias Clasen <mclasen@××××××.com>
35 +Date: Mon, 24 Aug 2015 15:20:08 -0400
36 +Subject: [PATCH] Avoid integer overflow in gdk_pixbuf_add_alpha
37 +
38 +Same as before: don't do ptr = base + y * rowstride if y and
39 +rowstride are integers.
40 +
41 +This should fix http://bugzilla.gnome/org/753569
42 +---
43 + gdk-pixbuf/gdk-pixbuf-util.c | 18 +++++++++---------
44 + 1 file changed, 9 insertions(+), 9 deletions(-)
45 +
46 +diff --git a/gdk-pixbuf/gdk-pixbuf-util.c b/gdk-pixbuf/gdk-pixbuf-util.c
47 +index 6abe9b9..3600450 100644
48 +--- a/gdk-pixbuf/gdk-pixbuf-util.c
49 ++++ b/gdk-pixbuf/gdk-pixbuf-util.c
50 +@@ -67,6 +67,8 @@ gdk_pixbuf_add_alpha (const GdkPixbuf *pixbuf,
51 + int x, y;
52 + const guint8 *src_pixels;
53 + guint8 *ret_pixels;
54 ++ const guchar *src;
55 ++ guchar *dest;
56 +
57 + g_return_val_if_fail (GDK_IS_PIXBUF (pixbuf), NULL);
58 + g_return_val_if_fail (pixbuf->colorspace == GDK_COLORSPACE_RGB, NULL);
59 +@@ -85,20 +87,18 @@ gdk_pixbuf_add_alpha (const GdkPixbuf *pixbuf,
60 + } else {
61 + new_pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB, TRUE, 8, pixbuf->width, pixbuf->height);
62 + }
63 +-
64 ++
65 + if (!new_pixbuf)
66 + return NULL;
67 +
68 + ret_pixels = gdk_pixbuf_get_pixels (new_pixbuf);
69 +
70 +- for (y = 0; y < pixbuf->height; y++) {
71 +- const guchar *src;
72 +- guchar *dest;
73 ++ for (y = 0; y < pixbuf->height; y++, src_pixels += pixbuf->rowstride, ret_pixels += new_pixbuf->rowstride) {
74 + guchar tr, tg, tb;
75 +
76 +- src = src_pixels + y * pixbuf->rowstride;
77 +- dest = ret_pixels + y * new_pixbuf->rowstride;
78 +-
79 ++ src = src_pixels;
80 ++ dest = ret_pixels;
81 ++
82 + if (pixbuf->has_alpha) {
83 + /* Just subst color, we already copied everything else */
84 + for (x = 0; x < pixbuf->width; x++) {
85 +@@ -107,12 +107,12 @@ gdk_pixbuf_add_alpha (const GdkPixbuf *pixbuf,
86 + src += 4;
87 + dest += 4;
88 + }
89 +- } else {
90 ++ } else {
91 + for (x = 0; x < pixbuf->width; x++) {
92 + tr = *dest++ = *src++;
93 + tg = *dest++ = *src++;
94 + tb = *dest++ = *src++;
95 +-
96 ++
97 + if (substitute_color && tr == r && tg == g && tb == b)
98 + *dest++ = 0;
99 + else
100 +--
101 +2.5.1
102 +
103
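Review bot: The new loop header turns `src_pixels` and `ret_pixels` into running cursors, so when the loop ends both point one row past the end of their buffers; if either is used again later in gdk_pixbuf_add_alpha (the function's tail is outside the hunk) that later use now reads or writes past the end. If they are, keep the base pointers intact and compute the row start on the loop-local copies instead, e.g. `src = src_pixels + (gsize)y * pixbuf->rowstride;` and `dest = ret_pixels + (gsize)y * new_pixbuf->rowstride;`, which removes the int multiplication the same way the sibling patches do. Otherwise a short comment on the `for`, such as `/* src_pixels/ret_pixels are advanced one row per iteration and are not reused after the loop */`, would make the cursor role explicit.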
104 diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-jpeg-overflow.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-jpeg-overflow.patch
105 new file mode 100644
106 index 0000000..ebec196
107 --- /dev/null
108 +++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-jpeg-overflow.patch
109 @@ -0,0 +1,35 @@
110 +From fde8d1d12a32740770253e97ddc9602654e16865 Mon Sep 17 00:00:00 2001
111 +From: Matthias Clasen <mclasen@××××××.com>
112 +Date: Mon, 24 Aug 2015 15:48:51 -0400
113 +Subject: [PATCH] jpeg: Fix some integer overflows
114 +
115 +Similar to the previous commit.
116 +---
117 + gdk-pixbuf/io-jpeg.c | 4 ++--
118 + 1 file changed, 2 insertions(+), 2 deletions(-)
119 +
120 +diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
121 +index fa6bec1..eb48aed 100644
122 +--- a/gdk-pixbuf/io-jpeg.c
123 ++++ b/gdk-pixbuf/io-jpeg.c
124 +@@ -886,7 +886,7 @@ gdk_pixbuf__jpeg_image_load_lines (JpegProgContext *context,
125 + return FALSE;
126 + }
127 +
128 +- context->dptr += nlines * context->pixbuf->rowstride;
129 ++ context->dptr += (gsize)nlines * context->pixbuf->rowstride;
130 +
131 + /* send updated signal */
132 + if (context->updated_func)
133 +@@ -1494,7 +1494,7 @@ real_save_jpeg (GdkPixbuf *pixbuf,
134 + while (cinfo.next_scanline < cinfo.image_height) {
135 + /* convert scanline from ARGB to RGB packed */
136 + for (j = 0; j < w; j++)
137 +- memcpy (&(buf[j*3]), &(ptr[i*rowstride + j*n_channels]), 3);
138 ++ memcpy (&(buf[j*3]), &(ptr[(gsize)i*rowstride + j*n_channels]), 3);
139 +
140 + /* write scanline */
141 + jbuf = (JSAMPROW *)(&buf);
142 +--
143 +2.5.1
144 +
145
146 diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-gcc-optimizer.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-gcc-optimizer.patch
147 new file mode 100644
148 index 0000000..bd957b7
149 --- /dev/null
150 +++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-gcc-optimizer.patch
151 @@ -0,0 +1,46 @@
152 +From dd4b061c27dc0865c8f8987d294de6e04b321c18 Mon Sep 17 00:00:00 2001
153 +From: Benjamin Otte <otte@××××××.com>
154 +Date: Sat, 22 Aug 2015 23:06:23 +0200
155 +Subject: [PATCH] pixops: Be smarter than gcc's optimizer
156 +
157 +gcc realizes that the overflow checks aren't necessary. Why not?
158 +
159 +Well, if an int overflows, the behavior is undefined. And turning on
160 +-fomit-instructions is valid behavior in an undefined situation.
161 +---
162 + gdk-pixbuf/pixops/pixops.c | 15 +++++++--------
163 + 1 file changed, 7 insertions(+), 8 deletions(-)
164 +
165 +diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c
166 +index b7951c7..5564a40 100644
167 +--- a/gdk-pixbuf/pixops/pixops.c
168 ++++ b/gdk-pixbuf/pixops/pixops.c
169 +@@ -1272,18 +1272,17 @@ make_filter_table (PixopsFilter *filter)
170 + int i_offset, j_offset;
171 + int n_x = filter->x.n;
172 + int n_y = filter->y.n;
173 +- int n_weights;
174 + int *weights;
175 +
176 +- n_weights = SUBSAMPLE * SUBSAMPLE * n_x;
177 +- if (n_weights / (SUBSAMPLE * SUBSAMPLE) != n_x)
178 +- return NULL; /* overflow, bail */
179 ++ /* check n_x doesn't overflow */
180 ++ if (G_MAXINT / (SUBSAMPLE * SUBSAMPLE) < n_x)
181 ++ return NULL;
182 +
183 +- n_weights *= n_y;
184 +- if (n_weights / (SUBSAMPLE * SUBSAMPLE * n_x) != n_y)
185 +- return NULL; /* overflow, bail */
186 ++ /* check n_y doesn't overflow */
187 ++ if (G_MAXINT / (SUBSAMPLE * SUBSAMPLE * n_x) < n_y)
188 ++ return NULL;
189 +
190 +- weights = g_try_new (int, n_weights);
191 ++ weights = g_try_new (int, SUBSAMPLE * SUBSAMPLE * n_x * n_y);
192 + if (!weights)
193 + return NULL; /* overflow, bail */
194 +
195 +--
196 +2.5.1
197 +
198
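Review bot: The second guard, `if (G_MAXINT / (SUBSAMPLE * SUBSAMPLE * n_x) < n_y)`, divides by `n_x`, so a zero `filter->x.n` is a division by zero and a negative one slips through the first guard and makes the quotient negative; whether `filter->x.n` can be 0 or negative is not visible here, so if it can, add `if (n_x <= 0 || n_y <= 0) return NULL;` ahead of both checks. The comment `/* overflow, bail */` kept on the `if (!weights)` branch now describes an allocation failure rather than an overflow and should read `/* allocation failed */`. make_filter_table continues outside the hunk.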
199 diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-overflow.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-overflow.patch
200 new file mode 100644
201 index 0000000..00789ba
202 --- /dev/null
203 +++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-overflow.patch
204 @@ -0,0 +1,173 @@
205 +From 7012b9a0b6263310fc7d57f0b06583c8404599af Mon Sep 17 00:00:00 2001
206 +From: Matthias Clasen <mclasen@××××××.com>
207 +Date: Mon, 24 Aug 2015 14:44:50 -0400
208 +Subject: [PATCH] Fix some more integer overflows
209 +
210 +The scaling code had a similar problem to the one fixed in the
211 +previous commit: Expressions like ptr = base + y * rowstride are
212 +prone to overflow if y and rowstride are (possibly large) integers.
213 +---
214 + gdk-pixbuf/pixops/pixops.c | 48 +++++++++++++++++++++++-----------------------
215 + 1 file changed, 24 insertions(+), 24 deletions(-)
216 +
217 +diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c
218 +index 5564a40..e41b286 100644
219 +--- a/gdk-pixbuf/pixops/pixops.c
220 ++++ b/gdk-pixbuf/pixops/pixops.c
221 +@@ -304,8 +304,8 @@ pixops_scale_nearest (guchar *dest_buf,
222 + guchar *dest;
223 + y_pos = ((i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT;
224 + y_pos = CLAMP (y_pos, 0, src_height - 1);
225 +- src = src_buf + y_pos * src_rowstride;
226 +- dest = dest_buf + i * dest_rowstride;
227 ++ src = src_buf + (gsize)y_pos * src_rowstride;
228 ++ dest = dest_buf + (gsize)i * dest_rowstride;
229 +
230 + x = render_x0 * x_step + x_step / 2;
231 +
232 +@@ -368,8 +368,8 @@ pixops_composite_nearest (guchar *dest_buf,
233 + guchar *dest;
234 + y_pos = ((i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT;
235 + y_pos = CLAMP (y_pos, 0, src_height - 1);
236 +- src = src_buf + y_pos * src_rowstride;
237 +- dest = dest_buf + i * dest_rowstride;
238 ++ src = src_buf + (gsize)y_pos * src_rowstride;
239 ++ dest = dest_buf + (gsize)i * dest_rowstride;
240 +
241 + x = render_x0 * x_step + x_step / 2;
242 +
243 +@@ -442,8 +442,8 @@ pixops_composite_nearest_noscale (guchar *dest_buf,
244 +
245 + for (i = 0; i < (render_y1 - render_y0); i++)
246 + {
247 +- const guchar *src = src_buf + (i + render_y0) * src_rowstride;
248 +- guchar *dest = dest_buf + i * dest_rowstride;
249 ++ const guchar *src = src_buf + (gsize)(i + render_y0) * src_rowstride;
250 ++ guchar *dest = dest_buf + (gsize)i * dest_rowstride;
251 +
252 + x = render_x0 * src_channels;
253 +
254 +@@ -540,8 +540,8 @@ pixops_composite_color_nearest (guchar *dest_buf,
255 + guchar *dest;
256 + y_pos = ((i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT;
257 + y_pos = CLAMP (y_pos, 0, src_height - 1);
258 +- src = src_buf + y_pos * src_rowstride;
259 +- dest = dest_buf + i * dest_rowstride;
260 ++ src = src_buf + (gsize)y_pos * src_rowstride;
261 ++ dest = dest_buf + (gsize)i * dest_rowstride;
262 +
263 + x = render_x0 * x_step + x_step / 2;
264 +
265 +@@ -1398,7 +1398,7 @@ pixops_process (guchar *dest_buf,
266 + guchar *new_outbuf;
267 + guint32 tcolor1, tcolor2;
268 +
269 +- guchar *outbuf = dest_buf + dest_rowstride * i;
270 ++ guchar *outbuf = dest_buf + (gsize)dest_rowstride * i;
271 + guchar *outbuf_end = outbuf + dest_channels * (render_x1 - render_x0);
272 +
273 + if (((i + check_y) >> check_shift) & 1)
274 +@@ -1417,9 +1417,9 @@ pixops_process (guchar *dest_buf,
275 + if (y_start < 0)
276 + line_bufs[j] = (guchar *)src_buf;
277 + else if (y_start < src_height)
278 +- line_bufs[j] = (guchar *)src_buf + src_rowstride * y_start;
279 ++ line_bufs[j] = (guchar *)src_buf + (gsize)src_rowstride * y_start;
280 + else
281 +- line_bufs[j] = (guchar *)src_buf + src_rowstride * (src_height - 1);
282 ++ line_bufs[j] = (guchar *)src_buf + (gsize)src_rowstride * (src_height - 1);
283 +
284 + y_start++;
285 + }
286 +@@ -1443,7 +1443,7 @@ pixops_process (guchar *dest_buf,
287 + }
288 +
289 + new_outbuf = (*line_func) (run_weights, filter->x.n, filter->y.n,
290 +- outbuf, dest_x, dest_buf + dest_rowstride *
291 ++ outbuf, dest_x, dest_buf + (gsize)dest_rowstride *
292 + i + run_end_index * dest_channels,
293 + dest_channels, dest_has_alpha,
294 + line_bufs, src_channels, src_has_alpha,
295 +@@ -1966,7 +1966,7 @@ _pixops_composite (guchar *dest_buf,
296 + return;
297 + #endif
298 +
299 +- new_dest_buf = dest_buf + dest_y * dest_rowstride + dest_x * dest_channels;
300 ++ new_dest_buf = dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x * dest_channels;
301 + render_x0 = dest_x - offset_x;
302 + render_y0 = dest_y - offset_y;
303 + render_x1 = dest_x + dest_region_width - offset_x;
304 +@@ -2126,7 +2126,7 @@ pixops_medialib_composite (guchar *dest_buf,
305 + if (!use_medialib)
306 + {
307 + /* Use non-mediaLib version */
308 +- _pixops_composite_real (dest_buf + dest_y * dest_rowstride + dest_x *
309 ++ _pixops_composite_real (dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x *
310 + dest_channels, dest_x - offset_x, dest_y -
311 + offset_y, dest_x + dest_region_width - offset_x,
312 + dest_y + dest_region_height - offset_y,
313 +@@ -2168,8 +2168,8 @@ pixops_medialib_composite (guchar *dest_buf,
314 + }
315 + else
316 + {
317 +- mlib_u8 *data = dest_buf + (dest_y * dest_rowstride) +
318 +- (dest_x * dest_channels);
319 ++ mlib_u8 *data = dest_buf + (gsize)dest_y * dest_rowstride +
320 ++ (gsize)dest_x * dest_channels;
321 +
322 + mlib_ImageSetStruct (&img_dest, MLIB_BYTE, dest_channels,
323 + dest_region_width, dest_region_height,
324 +@@ -2236,8 +2236,8 @@ pixops_medialib_composite (guchar *dest_buf,
325 + else
326 + {
327 + /* Should not happen - Use non-mediaLib version */
328 +- _pixops_composite_real (dest_buf + dest_y * dest_rowstride +
329 +- dest_x * dest_channels,
330 ++ _pixops_composite_real (dest_buf + (gsize)dest_y * dest_rowstride +
331 ++ (gsize)dest_x * dest_channels,
332 + dest_x - offset_x, dest_y - offset_y,
333 + dest_x + dest_region_width - offset_x,
334 + dest_y + dest_region_height - offset_y,
335 +@@ -2360,7 +2360,7 @@ _pixops_scale (guchar *dest_buf,
336 + return;
337 + #endif
338 +
339 +- new_dest_buf = dest_buf + dest_y * dest_rowstride + dest_x * dest_channels;
340 ++ new_dest_buf = dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x * dest_channels;
341 + render_x0 = dest_x - offset_x;
342 + render_y0 = dest_y - offset_y;
343 + render_x1 = dest_x + dest_region_width - offset_x;
344 +@@ -2414,8 +2414,8 @@ pixops_medialib_scale (guchar *dest_buf,
345 + */
346 + if (!use_medialib)
347 + {
348 +- _pixops_scale_real (dest_buf + dest_y * dest_rowstride + dest_x *
349 +- dest_channels, dest_x - offset_x, dest_y - offset_y,
350 ++ _pixops_scale_real (dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x *
351 ++ dest_channels, dest_x - offset_x, dest_y - offset_y,
352 + dest_x + dest_region_width - offset_x,
353 + dest_y + dest_region_height - offset_y,
354 + dest_rowstride, dest_channels, dest_has_alpha,
355 +@@ -2443,8 +2443,8 @@ pixops_medialib_scale (guchar *dest_buf,
356 + }
357 + else
358 + {
359 +- mlib_u8 *data = dest_buf + (dest_y * dest_rowstride) +
360 +- (dest_x * dest_channels);
361 ++ mlib_u8 *data = dest_buf + (gsize)dest_y * dest_rowstride +
362 ++ (gsize)dest_x * dest_channels;
363 +
364 + mlib_ImageSetStruct (&img_dest, MLIB_BYTE, dest_channels,
365 + dest_region_width, dest_region_height,
366 +@@ -2479,7 +2479,7 @@ pixops_medialib_scale (guchar *dest_buf,
367 + int channels = 3;
368 + int rowstride = (channels * src_width + 3) & ~3;
369 +
370 +- tmp_buf = g_malloc (src_rowstride * src_height);
371 ++ tmp_buf = g_malloc_n (src_rowstride, src_height);
372 +
373 + if (src_buf != NULL)
374 + {
375 +--
376 +2.5.1
377 +
378
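Review bot: Casting to `gsize` removes the signed-int multiplication but wraps silently when the operand is negative: in the `pixops_composite_nearest_noscale` hunk, `(gsize)(i + render_y0) * src_rowstride` has no visible guard that `i + render_y0 >= 0`, whereas the `pixops_process` hunk checks `y_start < 0` before its cast and the nearest-scaling hunks clamp with `CLAMP (y_pos, 0, src_height - 1)`. If the callers (outside the hunk) do not already guarantee `render_y0 >= 0` on that path, the row index should be clamped or rejected before the cast. In the `pixops_medialib_scale` hunk the context line `int rowstride = (channels * src_width + 3) & ~3;` is still an unchecked `int` product, and `tmp_buf` is sized from `src_rowstride` rather than from that `rowstride`; both are pre-existing, but worth confirming while this path is being touched.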
379 diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-variable-type.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-variable-type.patch
380 new file mode 100644
381 index 0000000..a83535f
382 --- /dev/null
383 +++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-variable-type.patch
384 @@ -0,0 +1,37 @@
385 +From 3df91dc6c6f8d1421e9c8756959280de792af77a Mon Sep 17 00:00:00 2001
386 +From: Benjamin Otte <otte@××××××.com>
387 +Date: Sat, 22 Aug 2015 17:57:23 +0200
388 +Subject: [PATCH] pixops: Chane variable type
389 +
390 +n_weights is used to do overflow checks. So by reducing the size to 32
391 +bits signed we overflow earlier. This is necessary because further down
392 +the code lots of code uses int variables to iterate over this variable
393 +and we don't want those to overflow.
394 +
395 +The correct fix would be to make all those variables gsize too, but
396 +that's way more invasive and requires different checks in different
397 +places so I'm not gonna do that now.
398 +And as long as scale factors are not expected to reach G_MAXINT it's not
399 +really necessary to do this change anyway.
400 +
401 +https://bugzilla.gnome.org/show_bug.cgi?id=753908
402 +---
403 + gdk-pixbuf/pixops/pixops.c | 2 +-
404 + 1 file changed, 1 insertion(+), 1 deletion(-)
405 +
406 +diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c
407 +index 7f2cbff..b7951c7 100644
408 +--- a/gdk-pixbuf/pixops/pixops.c
409 ++++ b/gdk-pixbuf/pixops/pixops.c
410 +@@ -1272,7 +1272,7 @@ make_filter_table (PixopsFilter *filter)
411 + int i_offset, j_offset;
412 + int n_x = filter->x.n;
413 + int n_y = filter->y.n;
414 +- gsize n_weights;
415 ++ int n_weights;
416 + int *weights;
417 +
418 + n_weights = SUBSAMPLE * SUBSAMPLE * n_x;
419 +--
420 +2.5.1
421 +
422
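Review bot: Narrowing `n_weights` to `int` makes the divide-back check that follows `n_weights = SUBSAMPLE * SUBSAMPLE * n_x;` depend on signed overflow, which is undefined behaviour and exactly what the compiler is entitled to optimise away; with the previous `gsize` the wrap was at least defined. Taken alone this patch is therefore weaker than what it replaces, and it is sound only because the ebuild applies `gdk-pixbuf-2.31.6-pixops-gcc-optimizer.patch` immediately after it, replacing that check with pre-multiplication `G_MAXINT /` guards. A line in the ebuild's patch comment such as `# pixops-variable-type must be followed by pixops-gcc-optimizer` would record that ordering dependency.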
423 diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-png-overflow.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-png-overflow.patch
424 new file mode 100644
425 index 0000000..83c67b5
426 --- /dev/null
427 +++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-png-overflow.patch
428 @@ -0,0 +1,72 @@
429 +From 8714ab407c54d5989d15a78eb15550c2d52d95b8 Mon Sep 17 00:00:00 2001
430 +From: Matthias Clasen <mclasen@××××××.com>
431 +Date: Mon, 24 Aug 2015 14:13:37 -0400
432 +Subject: [PATCH] png: Fix some integer overflows
433 +
434 +The png loader was not careful enough in some places. Width * height
435 +can overflow an integer.
436 +
437 +This should fix http://bugzilla.gnome.org/734556.
438 +---
439 + gdk-pixbuf/io-png.c | 15 ++++++++-------
440 + 1 file changed, 8 insertions(+), 7 deletions(-)
441 +
442 +diff --git a/gdk-pixbuf/io-png.c b/gdk-pixbuf/io-png.c
443 +index 3336b1e..5690875 100644
444 +--- a/gdk-pixbuf/io-png.c
445 ++++ b/gdk-pixbuf/io-png.c
446 +@@ -267,6 +267,7 @@ gdk_pixbuf__png_image_load (FILE *f, GError **error)
447 + gchar *density_str;
448 + guint32 retval;
449 + gint compression_type;
450 ++ gpointer ptr;
451 +
452 + #ifdef PNG_USER_MEM_SUPPORTED
453 + png_ptr = png_create_read_struct_2 (PNG_LIBPNG_VER_STRING,
454 +@@ -326,8 +327,8 @@ gdk_pixbuf__png_image_load (FILE *f, GError **error)
455 +
456 + rows = g_new (png_bytep, h);
457 +
458 +- for (i = 0; i < h; i++)
459 +- rows[i] = pixbuf->pixels + i * pixbuf->rowstride;
460 ++ for (i = 0, ptr = pixbuf->pixels; i < h; i++, ptr += pixbuf->rowstride)
461 ++ rows[i] = ptr;
462 +
463 + png_read_image (png_ptr, rows);
464 + png_read_end (png_ptr, info_ptr);
465 +@@ -745,6 +746,7 @@ png_row_callback (png_structp png_read_ptr,
466 + {
467 + LoadContext* lc;
468 + guchar* old_row = NULL;
469 ++ gsize rowstride;
470 +
471 + lc = png_get_progressive_ptr(png_read_ptr);
472 +
473 +@@ -770,8 +772,9 @@ png_row_callback (png_structp png_read_ptr,
474 + lc->max_row_seen_in_chunk = MAX(lc->max_row_seen_in_chunk, ((gint)row_num));
475 + lc->last_row_seen_in_chunk = row_num;
476 + lc->last_pass_seen_in_chunk = pass_num;
477 +-
478 +- old_row = lc->pixbuf->pixels + (row_num * lc->pixbuf->rowstride);
479 ++
480 ++ rowstride = lc->pixbuf->rowstride;
481 ++ old_row = lc->pixbuf->pixels + (row_num * rowstride);
482 +
483 + png_progressive_combine_row(lc->png_read_ptr, old_row, new_row);
484 + }
485 +@@ -1123,11 +1126,9 @@ static gboolean real_save_png (GdkPixbuf *pixbuf,
486 + png_set_shift (png_ptr, &sig_bit);
487 + png_set_packing (png_ptr);
488 +
489 +- ptr = pixels;
490 +- for (y = 0; y < h; y++) {
491 ++ for (y = 0, ptr = pixels; y < h; y++, ptr += rowstride) {
492 + row_ptr = (png_bytep)ptr;
493 + png_write_rows (png_ptr, &row_ptr, 1);
494 +- ptr += rowstride;
495 + }
496 +
497 + png_write_end (png_ptr, info_ptr);
498 +--
499 +2.5.1
500 +
501
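Review bot: In the `gdk_pixbuf__png_image_load` hunk, `ptr` is declared `gpointer` (a `void *`) but advanced with `ptr += pixbuf->rowstride`; arithmetic on `void *` is a GCC extension rather than ISO C, and `-Wpointer-arith` flags it. Declaring it `guchar *ptr;` (or `png_bytep ptr;`) keeps the same stepping with well-defined arithmetic, and `rows[i] = ptr;` still converts without a cast. The `png_row_callback` change is the intended one: widening `rowstride` to `gsize` makes `row_num * rowstride` a `gsize` product. `real_save_png`'s `ptr` is declared outside the hunk, so the same check applies there if it is also `gpointer`.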
502 diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-rotate-overflow.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-rotate-overflow.patch
503 new file mode 100644
504 index 0000000..fa6b90c
505 --- /dev/null
506 +++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-rotate-overflow.patch
507 @@ -0,0 +1,27 @@
508 +From 4f68cb78a5277f169b9531e6998c00c7976594e4 Mon Sep 17 00:00:00 2001
509 +From: Matthias Clasen <mclasen@××××××.com>
510 +Date: Mon, 24 Aug 2015 15:29:36 -0400
511 +Subject: [PATCH] Avoid integer overflow in gdk_pixbuf_rotate_simple
512 +
513 +Same as before: don't do ptr = base + y * rowstride if y and
514 +rowstride are integers.
515 +---
516 + gdk-pixbuf/gdk-pixbuf-scale.c | 2 +-
517 + 1 file changed, 1 insertion(+), 1 deletion(-)
518 +
519 +diff --git a/gdk-pixbuf/gdk-pixbuf-scale.c b/gdk-pixbuf/gdk-pixbuf-scale.c
520 +index 4288c65..475126a 100644
521 +--- a/gdk-pixbuf/gdk-pixbuf-scale.c
522 ++++ b/gdk-pixbuf/gdk-pixbuf-scale.c
523 +@@ -396,7 +396,7 @@ gdk_pixbuf_composite_color_simple (const GdkPixbuf *src,
524 + return dest;
525 + }
526 +
527 +-#define OFFSET(pb, x, y) ((x) * (pb)->n_channels + (y) * (pb)->rowstride)
528 ++#define OFFSET(pb, x, y) ((x) * (pb)->n_channels + (gsize)(y) * (pb)->rowstride)
529 +
530 + /**
531 + * gdk_pixbuf_rotate_simple:
532 +--
533 +2.5.1
534 +
535
536 diff --git a/x11-libs/gdk-pixbuf/gdk-pixbuf-2.31.5.ebuild b/x11-libs/gdk-pixbuf/gdk-pixbuf-2.31.6.ebuild
537 similarity index 86%
538 rename from x11-libs/gdk-pixbuf/gdk-pixbuf-2.31.5.ebuild
539 rename to x11-libs/gdk-pixbuf/gdk-pixbuf-2.31.6.ebuild
540 index e59d782..1ae90b6 100644
541 --- a/x11-libs/gdk-pixbuf/gdk-pixbuf-2.31.5.ebuild
542 +++ b/x11-libs/gdk-pixbuf/gdk-pixbuf-2.31.6.ebuild
543 @@ -1,6 +1,6 @@
544 # Copyright 1999-2015 Gentoo Foundation
545 # Distributed under the terms of the GNU General Public License v2
546 -# $Header: $
547 +# $Id$
548
549 EAPI="5"
550 GCONF_DEBUG="no"
551 @@ -47,6 +47,19 @@ MULTILIB_CHOST_TOOLS=(
552 )
553
554 src_prepare() {
555 + # Upstream patches from 2.31.x
556 + epatch "${FILESDIR}"/${PN}-2.31.6-pixops-variable-type.patch \
557 + "${FILESDIR}"/${PN}-2.31.6-pixops-gcc-optimizer.patch \
558 + "${FILESDIR}"/${PN}-2.31.6-png-overflow.patch \
559 + "${FILESDIR}"/${PN}-2.31.6-jpeg-overflow.patch \
560 + "${FILESDIR}"/${PN}-2.31.6-pixops-overflow.patch \
561 + "${FILESDIR}"/${PN}-2.31.6-alpha-overflow.patch \
562 + "${FILESDIR}"/${PN}-2.31.6-rotate-overflow.patch #556314
563 +
564 + # ERROR: cve-2015-4491 - missing test plan
565 + # FIXME - check if this works in 2.31.7
566 + sed -e 's/cve-2015-4491$(EXEEXT)//' -i tests/Makefile.in || die
567 +
568 # This will avoid polluting the pkg-config file with versioned libpng,
569 # which is causing problems with libpng14 -> libpng15 upgrade
570 # See upstream bug #667068