commit: 9e48855fcf4528e77c4c86b9bd1b12fa3176b23a |
Author: Alexandre Rostovtsev <tetromino <AT> gentoo <DOT> org> |
AuthorDate: Fri Aug 21 04:49:52 2015 +0000 |
Commit: Alexandre Rostovtsev <tetromino <AT> gentoo <DOT> org> |
CommitDate: Tue Sep 1 04:25:03 2015 +0000 |
URL: https://gitweb.gentoo.org/proj/gnome.git/commit/?id=9e48855f |
|
x11-libs/gdk-pixbuf: 2.31.5 → 2.31.6 and more fixes for CVE-2015-4491 |
|
Really fix the overflow. |
|
Gentoo-Bug: 556314 |
Upstream-Bug-url: https://bugzilla.gnome.org/show_bug.cgi?id=752297 |
Package-Manager: portage-2.2.20.1 |
Manifest-Sign-Key: 0x18E5B6F2D8D5EC8D |
|
.../files/gdk-pixbuf-2.31.6-alpha-overflow.patch | 70 +++++++++ |
.../files/gdk-pixbuf-2.31.6-jpeg-overflow.patch | 35 +++++ |
.../gdk-pixbuf-2.31.6-pixops-gcc-optimizer.patch | 46 ++++++ |
.../files/gdk-pixbuf-2.31.6-pixops-overflow.patch | 173 +++++++++++++++++++++ |
.../gdk-pixbuf-2.31.6-pixops-variable-type.patch | 37 +++++ |
.../files/gdk-pixbuf-2.31.6-png-overflow.patch | 72 +++++++++ |
.../files/gdk-pixbuf-2.31.6-rotate-overflow.patch | 27 ++++ |
...xbuf-2.31.5.ebuild => gdk-pixbuf-2.31.6.ebuild} | 15 +- |
8 files changed, 474 insertions(+), 1 deletion(-) |
|
27 |
diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-alpha-overflow.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-alpha-overflow.patch |
28 |
new file mode 100644 |
29 |
index 0000000..bd4abfa |
30 |
--- /dev/null |
31 |
+++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-alpha-overflow.patch |
32 |
@@ -0,0 +1,70 @@ |
33 |
+From ca3c56421c075e729750cf80c3438b283232cce8 Mon Sep 17 00:00:00 2001 |
34 |
+From: Matthias Clasen <mclasen@××××××.com> |
35 |
+Date: Mon, 24 Aug 2015 15:20:08 -0400 |
36 |
+Subject: [PATCH] Avoid integer overflow in gdk_pixbuf_add_alpha |
37 |
+ |
38 |
+Same as before: don't do ptr = base + y * rowstride if y and |
39 |
+rowstride are integers. |
40 |
+ |
41 |
+This should fix http://bugzilla.gnome/org/753569 |
42 |
+--- |
43 |
+ gdk-pixbuf/gdk-pixbuf-util.c | 18 +++++++++--------- |
44 |
+ 1 file changed, 9 insertions(+), 9 deletions(-) |
45 |
+ |
46 |
+diff --git a/gdk-pixbuf/gdk-pixbuf-util.c b/gdk-pixbuf/gdk-pixbuf-util.c |
47 |
+index 6abe9b9..3600450 100644 |
48 |
+--- a/gdk-pixbuf/gdk-pixbuf-util.c |
49 |
++++ b/gdk-pixbuf/gdk-pixbuf-util.c |
50 |
+@@ -67,6 +67,8 @@ gdk_pixbuf_add_alpha (const GdkPixbuf *pixbuf, |
51 |
+ int x, y; |
52 |
+ const guint8 *src_pixels; |
53 |
+ guint8 *ret_pixels; |
54 |
++ const guchar *src; |
55 |
++ guchar *dest; |
56 |
+ |
57 |
+ g_return_val_if_fail (GDK_IS_PIXBUF (pixbuf), NULL); |
58 |
+ g_return_val_if_fail (pixbuf->colorspace == GDK_COLORSPACE_RGB, NULL); |
59 |
+@@ -85,20 +87,18 @@ gdk_pixbuf_add_alpha (const GdkPixbuf *pixbuf, |
60 |
+ } else { |
61 |
+ new_pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB, TRUE, 8, pixbuf->width, pixbuf->height); |
62 |
+ } |
63 |
+- |
64 |
++ |
65 |
+ if (!new_pixbuf) |
66 |
+ return NULL; |
67 |
+ |
68 |
+ ret_pixels = gdk_pixbuf_get_pixels (new_pixbuf); |
69 |
+ |
70 |
+- for (y = 0; y < pixbuf->height; y++) { |
71 |
+- const guchar *src; |
72 |
+- guchar *dest; |
73 |
++ for (y = 0; y < pixbuf->height; y++, src_pixels += pixbuf->rowstride, ret_pixels += new_pixbuf->rowstride) { |
74 |
+ guchar tr, tg, tb; |
75 |
+ |
76 |
+- src = src_pixels + y * pixbuf->rowstride; |
77 |
+- dest = ret_pixels + y * new_pixbuf->rowstride; |
78 |
+- |
79 |
++ src = src_pixels; |
80 |
++ dest = ret_pixels; |
81 |
++ |
82 |
+ if (pixbuf->has_alpha) { |
83 |
+ /* Just subst color, we already copied everything else */ |
84 |
+ for (x = 0; x < pixbuf->width; x++) { |
85 |
+@@ -107,12 +107,12 @@ gdk_pixbuf_add_alpha (const GdkPixbuf *pixbuf, |
86 |
+ src += 4; |
87 |
+ dest += 4; |
88 |
+ } |
89 |
+- } else { |
90 |
++ } else { |
91 |
+ for (x = 0; x < pixbuf->width; x++) { |
92 |
+ tr = *dest++ = *src++; |
93 |
+ tg = *dest++ = *src++; |
94 |
+ tb = *dest++ = *src++; |
95 |
+- |
96 |
++ |
97 |
+ if (substitute_color && tr == r && tg == g && tb == b) |
98 |
+ *dest++ = 0; |
99 |
+ else |
100 |
+-- |
101 |
+2.5.1 |
102 |
+ |
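Review bot: The rewritten loop header in gdk_pixbuf_add_alpha steps `src_pixels` and `ret_pixels` by a full rowstride after the last row as well, so both base pointers can end up beyond one-past-the-end of their buffers if the final row is not padded to rowstride (the allocation is not visible here). Forming such a pointer is undefined in C even when it is never dereferenced, and it also mutates the base pointers that the rest of the function may still expect to be intact. Keeping the bases fixed and widening the index, as the jpeg and pixops patches in this same commit do, avoids both: `src = src_pixels + (gsize)y * pixbuf->rowstride;` and `dest = ret_pixels + (gsize)y * new_pixbuf->rowstride;`. The whitespace-only changes around `if (!new_pixbuf)` and `} else {` are unrelated to the overflow fix and make the security-relevant lines harder to audit when backporting. The function starts and ends outside these hunks.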
103 |
|
104 |
diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-jpeg-overflow.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-jpeg-overflow.patch |
105 |
new file mode 100644 |
106 |
index 0000000..ebec196 |
107 |
--- /dev/null |
108 |
+++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-jpeg-overflow.patch |
109 |
@@ -0,0 +1,35 @@ |
110 |
+From fde8d1d12a32740770253e97ddc9602654e16865 Mon Sep 17 00:00:00 2001 |
111 |
+From: Matthias Clasen <mclasen@××××××.com> |
112 |
+Date: Mon, 24 Aug 2015 15:48:51 -0400 |
113 |
+Subject: [PATCH] jpeg: Fix some integer overflows |
114 |
+ |
115 |
+Similar to the previous commit. |
116 |
+--- |
117 |
+ gdk-pixbuf/io-jpeg.c | 4 ++-- |
118 |
+ 1 file changed, 2 insertions(+), 2 deletions(-) |
119 |
+ |
120 |
+diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c |
121 |
+index fa6bec1..eb48aed 100644 |
122 |
+--- a/gdk-pixbuf/io-jpeg.c |
123 |
++++ b/gdk-pixbuf/io-jpeg.c |
124 |
+@@ -886,7 +886,7 @@ gdk_pixbuf__jpeg_image_load_lines (JpegProgContext *context, |
125 |
+ return FALSE; |
126 |
+ } |
127 |
+ |
128 |
+- context->dptr += nlines * context->pixbuf->rowstride; |
129 |
++ context->dptr += (gsize)nlines * context->pixbuf->rowstride; |
130 |
+ |
131 |
+ /* send updated signal */ |
132 |
+ if (context->updated_func) |
133 |
+@@ -1494,7 +1494,7 @@ real_save_jpeg (GdkPixbuf *pixbuf, |
134 |
+ while (cinfo.next_scanline < cinfo.image_height) { |
135 |
+ /* convert scanline from ARGB to RGB packed */ |
136 |
+ for (j = 0; j < w; j++) |
137 |
+- memcpy (&(buf[j*3]), &(ptr[i*rowstride + j*n_channels]), 3); |
138 |
++ memcpy (&(buf[j*3]), &(ptr[(gsize)i*rowstride + j*n_channels]), 3); |
139 |
+ |
140 |
+ /* write scanline */ |
141 |
+ jbuf = (JSAMPROW *)(&buf); |
142 |
+-- |
143 |
+2.5.1 |
144 |
+ |
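Review bot: Only the row term is widened in real_save_jpeg; `j*3` and `j*n_channels` on the same line are still int multiplications, and nothing in the hunk says why they are safe. They look bounded by the row length if `w * n_channels <= rowstride` holds, but that invariant is established outside the hunk, so a comment such as `/* column offsets stay below rowstride; only the row offset needs gsize */` would save the next auditor from re-deriving it. In gdk_pixbuf__jpeg_image_load_lines, `(gsize)nlines` would turn a negative `nlines` into a very large forward offset, so it is worth confirming (or asserting) that `nlines` cannot be negative at that point. Both functions start and end outside these hunks.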
145 |
|
146 |
diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-gcc-optimizer.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-gcc-optimizer.patch |
147 |
new file mode 100644 |
148 |
index 0000000..bd957b7 |
149 |
--- /dev/null |
150 |
+++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-gcc-optimizer.patch |
151 |
@@ -0,0 +1,46 @@ |
152 |
+From dd4b061c27dc0865c8f8987d294de6e04b321c18 Mon Sep 17 00:00:00 2001 |
153 |
+From: Benjamin Otte <otte@××××××.com> |
154 |
+Date: Sat, 22 Aug 2015 23:06:23 +0200 |
155 |
+Subject: [PATCH] pixops: Be smarter than gcc's optimizer |
156 |
+ |
157 |
+gcc realizes that the overflow checks aren't necessary. Why not? |
158 |
+ |
159 |
+Well, if an int overflows, the behavior is undefined. And turning on |
160 |
+-fomit-instructions is valid behavior in an undefined situation. |
161 |
+--- |
162 |
+ gdk-pixbuf/pixops/pixops.c | 15 +++++++-------- |
163 |
+ 1 file changed, 7 insertions(+), 8 deletions(-) |
164 |
+ |
165 |
+diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c |
166 |
+index b7951c7..5564a40 100644 |
167 |
+--- a/gdk-pixbuf/pixops/pixops.c |
168 |
++++ b/gdk-pixbuf/pixops/pixops.c |
169 |
+@@ -1272,18 +1272,17 @@ make_filter_table (PixopsFilter *filter) |
170 |
+ int i_offset, j_offset; |
171 |
+ int n_x = filter->x.n; |
172 |
+ int n_y = filter->y.n; |
173 |
+- int n_weights; |
174 |
+ int *weights; |
175 |
+ |
176 |
+- n_weights = SUBSAMPLE * SUBSAMPLE * n_x; |
177 |
+- if (n_weights / (SUBSAMPLE * SUBSAMPLE) != n_x) |
178 |
+- return NULL; /* overflow, bail */ |
179 |
++ /* check n_x doesn't overflow */ |
180 |
++ if (G_MAXINT / (SUBSAMPLE * SUBSAMPLE) < n_x) |
181 |
++ return NULL; |
182 |
+ |
183 |
+- n_weights *= n_y; |
184 |
+- if (n_weights / (SUBSAMPLE * SUBSAMPLE * n_x) != n_y) |
185 |
+- return NULL; /* overflow, bail */ |
186 |
++ /* check n_y doesn't overflow */ |
187 |
++ if (G_MAXINT / (SUBSAMPLE * SUBSAMPLE * n_x) < n_y) |
188 |
++ return NULL; |
189 |
+ |
190 |
+- weights = g_try_new (int, n_weights); |
191 |
++ weights = g_try_new (int, SUBSAMPLE * SUBSAMPLE * n_x * n_y); |
192 |
+ if (!weights) |
193 |
+ return NULL; /* overflow, bail */ |
194 |
+ |
195 |
+-- |
196 |
+2.5.1 |
197 |
+ |
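Review bot: The second check in make_filter_table divides by `SUBSAMPLE * SUBSAMPLE * n_x`, which is a division by zero when `n_x` is 0, and both comparisons pass trivially when `n_x` or `n_y` is negative, so a non-positive count would reach `g_try_new` with a zero or negative element count. Whether `filter->x.n` and `filter->y.n` can be non-positive is not visible in this hunk, but a guard ahead of the divisions makes the check self-contained: `if (n_x <= 0 || n_y <= 0) return NULL;`. The comment `/* overflow, bail */` left on the `if (!weights)` branch is now stale, since that branch only handles allocation failure; `/* allocation failed */` would match the new code. The function body continues outside the hunk.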
198 |
|
199 |
diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-overflow.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-overflow.patch |
200 |
new file mode 100644 |
201 |
index 0000000..00789ba |
202 |
--- /dev/null |
203 |
+++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-overflow.patch |
204 |
@@ -0,0 +1,173 @@ |
205 |
+From 7012b9a0b6263310fc7d57f0b06583c8404599af Mon Sep 17 00:00:00 2001 |
206 |
+From: Matthias Clasen <mclasen@××××××.com> |
207 |
+Date: Mon, 24 Aug 2015 14:44:50 -0400 |
208 |
+Subject: [PATCH] Fix some more integer overflows |
209 |
+ |
210 |
+The scaling code had a similar problem to the one fixed in the |
211 |
+previous commit: Expressions like ptr = base + y * rowstride are |
212 |
+prone to overflow if y and rowstride are (possibly large) integers. |
213 |
+--- |
214 |
+ gdk-pixbuf/pixops/pixops.c | 48 +++++++++++++++++++++++----------------------- |
215 |
+ 1 file changed, 24 insertions(+), 24 deletions(-) |
216 |
+ |
217 |
+diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c |
218 |
+index 5564a40..e41b286 100644 |
219 |
+--- a/gdk-pixbuf/pixops/pixops.c |
220 |
++++ b/gdk-pixbuf/pixops/pixops.c |
221 |
+@@ -304,8 +304,8 @@ pixops_scale_nearest (guchar *dest_buf, |
222 |
+ guchar *dest; |
223 |
+ y_pos = ((i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT; |
224 |
+ y_pos = CLAMP (y_pos, 0, src_height - 1); |
225 |
+- src = src_buf + y_pos * src_rowstride; |
226 |
+- dest = dest_buf + i * dest_rowstride; |
227 |
++ src = src_buf + (gsize)y_pos * src_rowstride; |
228 |
++ dest = dest_buf + (gsize)i * dest_rowstride; |
229 |
+ |
230 |
+ x = render_x0 * x_step + x_step / 2; |
231 |
+ |
232 |
+@@ -368,8 +368,8 @@ pixops_composite_nearest (guchar *dest_buf, |
233 |
+ guchar *dest; |
234 |
+ y_pos = ((i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT; |
235 |
+ y_pos = CLAMP (y_pos, 0, src_height - 1); |
236 |
+- src = src_buf + y_pos * src_rowstride; |
237 |
+- dest = dest_buf + i * dest_rowstride; |
238 |
++ src = src_buf + (gsize)y_pos * src_rowstride; |
239 |
++ dest = dest_buf + (gsize)i * dest_rowstride; |
240 |
+ |
241 |
+ x = render_x0 * x_step + x_step / 2; |
242 |
+ |
243 |
+@@ -442,8 +442,8 @@ pixops_composite_nearest_noscale (guchar *dest_buf, |
244 |
+ |
245 |
+ for (i = 0; i < (render_y1 - render_y0); i++) |
246 |
+ { |
247 |
+- const guchar *src = src_buf + (i + render_y0) * src_rowstride; |
248 |
+- guchar *dest = dest_buf + i * dest_rowstride; |
249 |
++ const guchar *src = src_buf + (gsize)(i + render_y0) * src_rowstride; |
250 |
++ guchar *dest = dest_buf + (gsize)i * dest_rowstride; |
251 |
+ |
252 |
+ x = render_x0 * src_channels; |
253 |
+ |
254 |
+@@ -540,8 +540,8 @@ pixops_composite_color_nearest (guchar *dest_buf, |
255 |
+ guchar *dest; |
256 |
+ y_pos = ((i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT; |
257 |
+ y_pos = CLAMP (y_pos, 0, src_height - 1); |
258 |
+- src = src_buf + y_pos * src_rowstride; |
259 |
+- dest = dest_buf + i * dest_rowstride; |
260 |
++ src = src_buf + (gsize)y_pos * src_rowstride; |
261 |
++ dest = dest_buf + (gsize)i * dest_rowstride; |
262 |
+ |
263 |
+ x = render_x0 * x_step + x_step / 2; |
264 |
+ |
265 |
+@@ -1398,7 +1398,7 @@ pixops_process (guchar *dest_buf, |
266 |
+ guchar *new_outbuf; |
267 |
+ guint32 tcolor1, tcolor2; |
268 |
+ |
269 |
+- guchar *outbuf = dest_buf + dest_rowstride * i; |
270 |
++ guchar *outbuf = dest_buf + (gsize)dest_rowstride * i; |
271 |
+ guchar *outbuf_end = outbuf + dest_channels * (render_x1 - render_x0); |
272 |
+ |
273 |
+ if (((i + check_y) >> check_shift) & 1) |
274 |
+@@ -1417,9 +1417,9 @@ pixops_process (guchar *dest_buf, |
275 |
+ if (y_start < 0) |
276 |
+ line_bufs[j] = (guchar *)src_buf; |
277 |
+ else if (y_start < src_height) |
278 |
+- line_bufs[j] = (guchar *)src_buf + src_rowstride * y_start; |
279 |
++ line_bufs[j] = (guchar *)src_buf + (gsize)src_rowstride * y_start; |
280 |
+ else |
281 |
+- line_bufs[j] = (guchar *)src_buf + src_rowstride * (src_height - 1); |
282 |
++ line_bufs[j] = (guchar *)src_buf + (gsize)src_rowstride * (src_height - 1); |
283 |
+ |
284 |
+ y_start++; |
285 |
+ } |
286 |
+@@ -1443,7 +1443,7 @@ pixops_process (guchar *dest_buf, |
287 |
+ } |
288 |
+ |
289 |
+ new_outbuf = (*line_func) (run_weights, filter->x.n, filter->y.n, |
290 |
+- outbuf, dest_x, dest_buf + dest_rowstride * |
291 |
++ outbuf, dest_x, dest_buf + (gsize)dest_rowstride * |
292 |
+ i + run_end_index * dest_channels, |
293 |
+ dest_channels, dest_has_alpha, |
294 |
+ line_bufs, src_channels, src_has_alpha, |
295 |
+@@ -1966,7 +1966,7 @@ _pixops_composite (guchar *dest_buf, |
296 |
+ return; |
297 |
+ #endif |
298 |
+ |
299 |
+- new_dest_buf = dest_buf + dest_y * dest_rowstride + dest_x * dest_channels; |
300 |
++ new_dest_buf = dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x * dest_channels; |
301 |
+ render_x0 = dest_x - offset_x; |
302 |
+ render_y0 = dest_y - offset_y; |
303 |
+ render_x1 = dest_x + dest_region_width - offset_x; |
304 |
+@@ -2126,7 +2126,7 @@ pixops_medialib_composite (guchar *dest_buf, |
305 |
+ if (!use_medialib) |
306 |
+ { |
307 |
+ /* Use non-mediaLib version */ |
308 |
+- _pixops_composite_real (dest_buf + dest_y * dest_rowstride + dest_x * |
309 |
++ _pixops_composite_real (dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x * |
310 |
+ dest_channels, dest_x - offset_x, dest_y - |
311 |
+ offset_y, dest_x + dest_region_width - offset_x, |
312 |
+ dest_y + dest_region_height - offset_y, |
313 |
+@@ -2168,8 +2168,8 @@ pixops_medialib_composite (guchar *dest_buf, |
314 |
+ } |
315 |
+ else |
316 |
+ { |
317 |
+- mlib_u8 *data = dest_buf + (dest_y * dest_rowstride) + |
318 |
+- (dest_x * dest_channels); |
319 |
++ mlib_u8 *data = dest_buf + (gsize)dest_y * dest_rowstride + |
320 |
++ (gsize)dest_x * dest_channels; |
321 |
+ |
322 |
+ mlib_ImageSetStruct (&img_dest, MLIB_BYTE, dest_channels, |
323 |
+ dest_region_width, dest_region_height, |
324 |
+@@ -2236,8 +2236,8 @@ pixops_medialib_composite (guchar *dest_buf, |
325 |
+ else |
326 |
+ { |
327 |
+ /* Should not happen - Use non-mediaLib version */ |
328 |
+- _pixops_composite_real (dest_buf + dest_y * dest_rowstride + |
329 |
+- dest_x * dest_channels, |
330 |
++ _pixops_composite_real (dest_buf + (gsize)dest_y * dest_rowstride + |
331 |
++ (gsize)dest_x * dest_channels, |
332 |
+ dest_x - offset_x, dest_y - offset_y, |
333 |
+ dest_x + dest_region_width - offset_x, |
334 |
+ dest_y + dest_region_height - offset_y, |
335 |
+@@ -2360,7 +2360,7 @@ _pixops_scale (guchar *dest_buf, |
336 |
+ return; |
337 |
+ #endif |
338 |
+ |
339 |
+- new_dest_buf = dest_buf + dest_y * dest_rowstride + dest_x * dest_channels; |
340 |
++ new_dest_buf = dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x * dest_channels; |
341 |
+ render_x0 = dest_x - offset_x; |
342 |
+ render_y0 = dest_y - offset_y; |
343 |
+ render_x1 = dest_x + dest_region_width - offset_x; |
344 |
+@@ -2414,8 +2414,8 @@ pixops_medialib_scale (guchar *dest_buf, |
345 |
+ */ |
346 |
+ if (!use_medialib) |
347 |
+ { |
348 |
+- _pixops_scale_real (dest_buf + dest_y * dest_rowstride + dest_x * |
349 |
+- dest_channels, dest_x - offset_x, dest_y - offset_y, |
350 |
++ _pixops_scale_real (dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x * |
351 |
++ dest_channels, dest_x - offset_x, dest_y - offset_y, |
352 |
+ dest_x + dest_region_width - offset_x, |
353 |
+ dest_y + dest_region_height - offset_y, |
354 |
+ dest_rowstride, dest_channels, dest_has_alpha, |
355 |
+@@ -2443,8 +2443,8 @@ pixops_medialib_scale (guchar *dest_buf, |
356 |
+ } |
357 |
+ else |
358 |
+ { |
359 |
+- mlib_u8 *data = dest_buf + (dest_y * dest_rowstride) + |
360 |
+- (dest_x * dest_channels); |
361 |
++ mlib_u8 *data = dest_buf + (gsize)dest_y * dest_rowstride + |
362 |
++ (gsize)dest_x * dest_channels; |
363 |
+ |
364 |
+ mlib_ImageSetStruct (&img_dest, MLIB_BYTE, dest_channels, |
365 |
+ dest_region_width, dest_region_height, |
366 |
+@@ -2479,7 +2479,7 @@ pixops_medialib_scale (guchar *dest_buf, |
367 |
+ int channels = 3; |
368 |
+ int rowstride = (channels * src_width + 3) & ~3; |
369 |
+ |
370 |
+- tmp_buf = g_malloc (src_rowstride * src_height); |
371 |
++ tmp_buf = g_malloc_n (src_rowstride, src_height); |
372 |
+ |
373 |
+ if (src_buf != NULL) |
374 |
+ { |
375 |
+-- |
376 |
+2.5.1 |
377 |
+ |
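Review bot: The casts widen the final `row * rowstride` offsets, but the coordinate arithmetic that feeds them is still done in int: `y_pos = ((i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT;` and `x = render_x0 * x_step + x_step / 2;` appear unchanged as context in pixops_scale_nearest, pixops_composite_nearest and pixops_composite_color_nearest. For large scale factors those products can overflow before `CLAMP` runs, which is undefined behaviour for signed int, and no clamp on `x` is visible in these hunks at all. Widening before the multiply, e.g. `((gint64)(i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT` with the clamp applied before the value is narrowed back to int, would close the same class of bug one step earlier. Separately, `g_malloc_n (src_rowstride, src_height)` in pixops_medialib_scale aborts the process on overflow or allocation failure, which trades memory corruption for a crash on hostile dimensions; the enclosing functions extend outside these hunks, so whether a graceful error path exists cannot be judged from here.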
378 |
|
379 |
diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-variable-type.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-variable-type.patch |
380 |
new file mode 100644 |
381 |
index 0000000..a83535f |
382 |
--- /dev/null |
383 |
+++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-variable-type.patch |
384 |
@@ -0,0 +1,37 @@ |
385 |
+From 3df91dc6c6f8d1421e9c8756959280de792af77a Mon Sep 17 00:00:00 2001 |
386 |
+From: Benjamin Otte <otte@××××××.com> |
387 |
+Date: Sat, 22 Aug 2015 17:57:23 +0200 |
388 |
+Subject: [PATCH] pixops: Chane variable type |
389 |
+ |
390 |
+n_weights is used to do overflow checks. So by reducing the size to 32 |
391 |
+bits signed we overflow earlier. This is necessary because further down |
392 |
+the code lots of code uses int variables to iterate over this variable |
393 |
+and we don't want those to overflow. |
394 |
+ |
395 |
+The correct fix would be to make all those variables gsize too, but |
396 |
+that's way more invasive and requires different checks in different |
397 |
+places so I'm not gonna do that now. |
398 |
+And as long as scale factors are not expected to reach G_MAXINT it's not |
399 |
+really necessary to do this change anyway. |
400 |
+ |
401 |
+https://bugzilla.gnome.org/show_bug.cgi?id=753908 |
402 |
+--- |
403 |
+ gdk-pixbuf/pixops/pixops.c | 2 +- |
404 |
+ 1 file changed, 1 insertion(+), 1 deletion(-) |
405 |
+ |
406 |
+diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c |
407 |
+index 7f2cbff..b7951c7 100644 |
408 |
+--- a/gdk-pixbuf/pixops/pixops.c |
409 |
++++ b/gdk-pixbuf/pixops/pixops.c |
410 |
+@@ -1272,7 +1272,7 @@ make_filter_table (PixopsFilter *filter) |
411 |
+ int i_offset, j_offset; |
412 |
+ int n_x = filter->x.n; |
413 |
+ int n_y = filter->y.n; |
414 |
+- gsize n_weights; |
415 |
++ int n_weights; |
416 |
+ int *weights; |
417 |
+ |
418 |
+ n_weights = SUBSAMPLE * SUBSAMPLE * n_x; |
419 |
+-- |
420 |
+2.5.1 |
421 |
+ |
422 |
|
423 |
diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-png-overflow.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-png-overflow.patch |
424 |
new file mode 100644 |
425 |
index 0000000..83c67b5 |
426 |
--- /dev/null |
427 |
+++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-png-overflow.patch |
428 |
@@ -0,0 +1,72 @@ |
429 |
+From 8714ab407c54d5989d15a78eb15550c2d52d95b8 Mon Sep 17 00:00:00 2001 |
430 |
+From: Matthias Clasen <mclasen@××××××.com> |
431 |
+Date: Mon, 24 Aug 2015 14:13:37 -0400 |
432 |
+Subject: [PATCH] png: Fix some integer overflows |
433 |
+ |
434 |
+The png loader was not careful enough in some places. Width * height |
435 |
+can overflow an integer. |
436 |
+ |
437 |
+This should fix http://bugzilla.gnome.org/734556. |
438 |
+--- |
439 |
+ gdk-pixbuf/io-png.c | 15 ++++++++------- |
440 |
+ 1 file changed, 8 insertions(+), 7 deletions(-) |
441 |
+ |
442 |
+diff --git a/gdk-pixbuf/io-png.c b/gdk-pixbuf/io-png.c |
443 |
+index 3336b1e..5690875 100644 |
444 |
+--- a/gdk-pixbuf/io-png.c |
445 |
++++ b/gdk-pixbuf/io-png.c |
446 |
+@@ -267,6 +267,7 @@ gdk_pixbuf__png_image_load (FILE *f, GError **error) |
447 |
+ gchar *density_str; |
448 |
+ guint32 retval; |
449 |
+ gint compression_type; |
450 |
++ gpointer ptr; |
451 |
+ |
452 |
+ #ifdef PNG_USER_MEM_SUPPORTED |
453 |
+ png_ptr = png_create_read_struct_2 (PNG_LIBPNG_VER_STRING, |
454 |
+@@ -326,8 +327,8 @@ gdk_pixbuf__png_image_load (FILE *f, GError **error) |
455 |
+ |
456 |
+ rows = g_new (png_bytep, h); |
457 |
+ |
458 |
+- for (i = 0; i < h; i++) |
459 |
+- rows[i] = pixbuf->pixels + i * pixbuf->rowstride; |
460 |
++ for (i = 0, ptr = pixbuf->pixels; i < h; i++, ptr += pixbuf->rowstride) |
461 |
++ rows[i] = ptr; |
462 |
+ |
463 |
+ png_read_image (png_ptr, rows); |
464 |
+ png_read_end (png_ptr, info_ptr); |
465 |
+@@ -745,6 +746,7 @@ png_row_callback (png_structp png_read_ptr, |
466 |
+ { |
467 |
+ LoadContext* lc; |
468 |
+ guchar* old_row = NULL; |
469 |
++ gsize rowstride; |
470 |
+ |
471 |
+ lc = png_get_progressive_ptr(png_read_ptr); |
472 |
+ |
473 |
+@@ -770,8 +772,9 @@ png_row_callback (png_structp png_read_ptr, |
474 |
+ lc->max_row_seen_in_chunk = MAX(lc->max_row_seen_in_chunk, ((gint)row_num)); |
475 |
+ lc->last_row_seen_in_chunk = row_num; |
476 |
+ lc->last_pass_seen_in_chunk = pass_num; |
477 |
+- |
478 |
+- old_row = lc->pixbuf->pixels + (row_num * lc->pixbuf->rowstride); |
479 |
++ |
480 |
++ rowstride = lc->pixbuf->rowstride; |
481 |
++ old_row = lc->pixbuf->pixels + (row_num * rowstride); |
482 |
+ |
483 |
+ png_progressive_combine_row(lc->png_read_ptr, old_row, new_row); |
484 |
+ } |
485 |
+@@ -1123,11 +1126,9 @@ static gboolean real_save_png (GdkPixbuf *pixbuf, |
486 |
+ png_set_shift (png_ptr, &sig_bit); |
487 |
+ png_set_packing (png_ptr); |
488 |
+ |
489 |
+- ptr = pixels; |
490 |
+- for (y = 0; y < h; y++) { |
491 |
++ for (y = 0, ptr = pixels; y < h; y++, ptr += rowstride) { |
492 |
+ row_ptr = (png_bytep)ptr; |
493 |
+ png_write_rows (png_ptr, &row_ptr, 1); |
494 |
+- ptr += rowstride; |
495 |
+ } |
496 |
+ |
497 |
+ png_write_end (png_ptr, info_ptr); |
498 |
+-- |
499 |
+2.5.1 |
500 |
+ |
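Review bot: In gdk_pixbuf__png_image_load the new variable is declared as `gpointer ptr;` and then advanced with `ptr += pixbuf->rowstride`, which is arithmetic on a `void *`; that is a GNU extension rather than standard C and is rejected or warned about by other compilers. Declaring it as `guchar *ptr;` keeps the intended byte-wise stepping and needs no other change in the loop. In png_row_callback the product `row_num * rowstride` is now computed in gsize, but the hunk does not show a check that `row_num` is below the pixbuf height before `old_row` is formed, so that bound should be confirmed in the lines outside the hunk. All three functions start and end outside these hunks.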
501 |
|
502 |
diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-rotate-overflow.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-rotate-overflow.patch |
503 |
new file mode 100644 |
504 |
index 0000000..fa6b90c |
505 |
--- /dev/null |
506 |
+++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-rotate-overflow.patch |
507 |
@@ -0,0 +1,27 @@ |
508 |
+From 4f68cb78a5277f169b9531e6998c00c7976594e4 Mon Sep 17 00:00:00 2001 |
509 |
+From: Matthias Clasen <mclasen@××××××.com> |
510 |
+Date: Mon, 24 Aug 2015 15:29:36 -0400 |
511 |
+Subject: [PATCH] Avoid integer overflow in gdk_pixbuf_rotate_simple |
512 |
+ |
513 |
+Same as before: don't do ptr = base + y * rowstride if y and |
514 |
+rowstride are integers. |
515 |
+--- |
516 |
+ gdk-pixbuf/gdk-pixbuf-scale.c | 2 +- |
517 |
+ 1 file changed, 1 insertion(+), 1 deletion(-) |
518 |
+ |
519 |
+diff --git a/gdk-pixbuf/gdk-pixbuf-scale.c b/gdk-pixbuf/gdk-pixbuf-scale.c |
520 |
+index 4288c65..475126a 100644 |
521 |
+--- a/gdk-pixbuf/gdk-pixbuf-scale.c |
522 |
++++ b/gdk-pixbuf/gdk-pixbuf-scale.c |
523 |
+@@ -396,7 +396,7 @@ gdk_pixbuf_composite_color_simple (const GdkPixbuf *src, |
524 |
+ return dest; |
525 |
+ } |
526 |
+ |
527 |
+-#define OFFSET(pb, x, y) ((x) * (pb)->n_channels + (y) * (pb)->rowstride) |
528 |
++#define OFFSET(pb, x, y) ((x) * (pb)->n_channels + (gsize)(y) * (pb)->rowstride) |
529 |
+ |
530 |
+ /** |
531 |
+ * gdk_pixbuf_rotate_simple: |
532 |
+-- |
533 |
+2.5.1 |
534 |
+ |
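Review bot: The `OFFSET` macro now widens only the `y` term, so `(x) * (pb)->n_channels` is still an int multiplication and the macro mixes int and gsize operands. Casting both terms, `((gsize)(x) * (pb)->n_channels + (gsize)(y) * (pb)->rowstride)`, makes the macro safe by inspection instead of relying on `x * n_channels` staying below rowstride. A negative `x` or `y` would be converted to a very large offset by the cast, so the callers, which are outside this hunk, should be checked to pass only non-negative coordinates.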
535 |
|
536 |
diff --git a/x11-libs/gdk-pixbuf/gdk-pixbuf-2.31.5.ebuild b/x11-libs/gdk-pixbuf/gdk-pixbuf-2.31.6.ebuild |
537 |
similarity index 86% |
538 |
rename from x11-libs/gdk-pixbuf/gdk-pixbuf-2.31.5.ebuild |
539 |
rename to x11-libs/gdk-pixbuf/gdk-pixbuf-2.31.6.ebuild |
540 |
index e59d782..1ae90b6 100644 |
541 |
--- a/x11-libs/gdk-pixbuf/gdk-pixbuf-2.31.5.ebuild |
542 |
+++ b/x11-libs/gdk-pixbuf/gdk-pixbuf-2.31.6.ebuild |
543 |
@@ -1,6 +1,6 @@ |
544 |
# Copyright 1999-2015 Gentoo Foundation |
545 |
# Distributed under the terms of the GNU General Public License v2 |
546 |
-# $Header: $ |
547 |
+# $Id$ |
548 |
|
549 |
EAPI="5" |
550 |
GCONF_DEBUG="no" |
551 |
@@ -47,6 +47,19 @@ MULTILIB_CHOST_TOOLS=( |
552 |
) |
553 |
|
554 |
src_prepare() { |
555 |
+ # Upstream patches from 2.31.x |
556 |
+ epatch "${FILESDIR}"/${PN}-2.31.6-pixops-variable-type.patch \ |
557 |
+ "${FILESDIR}"/${PN}-2.31.6-pixops-gcc-optimizer.patch \ |
558 |
+ "${FILESDIR}"/${PN}-2.31.6-png-overflow.patch \ |
559 |
+ "${FILESDIR}"/${PN}-2.31.6-jpeg-overflow.patch \ |
560 |
+ "${FILESDIR}"/${PN}-2.31.6-pixops-overflow.patch \ |
561 |
+ "${FILESDIR}"/${PN}-2.31.6-alpha-overflow.patch \ |
562 |
+ "${FILESDIR}"/${PN}-2.31.6-rotate-overflow.patch #556314 |
563 |
+ |
564 |
+ # ERROR: cve-2015-4491 - missing test plan |
565 |
+ # FIXME - check if this works in 2.31.7 |
566 |
+ sed -e 's/cve-2015-4491$(EXEEXT)//' -i tests/Makefile.in || die |
567 |
+ |
568 |
# This will avoid polluting the pkg-config file with versioned libpng, |
569 |
# which is causing problems with libpng14 -> libpng15 upgrade |
570 |
# See upstream bug #667068 |
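Review bot: The added `sed` in src_prepare drops `cve-2015-4491$(EXEEXT)` from tests/Makefile.in, so the package that carries the overflow fixes no longer runs the regression test for that very CVE, and the only recorded reason is the terse `# ERROR: cve-2015-4491 - missing test plan`. The `|| die` only catches a failing sed, not a pattern that stopped matching, so once upstream changes the test list this workaround silently becomes a no-op and the `FIXME` is never revisited. A guard before the sed, `grep -qF 'cve-2015-4491$(EXEEXT)' tests/Makefile.in || die "test list changed"`, together with a bug reference in the comment, would make the removal fail loudly when it is no longer needed. src_prepare continues past the end of this hunk.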