[gentoo-commits] gentoo-x86 commit in media-gfx/gimp/files: gimp-2.8.2-xwd-file-security.patch - gentoo-commits

From:	"Sebastian Pipping (sping)" <sping@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] gentoo-x86 commit in media-gfx/gimp/files: gimp-2.8.2-xwd-file-security.patch
Date:	Sun, 25 Nov 2012 19:38:57
Message-Id:	`20121125193846.55F7620066@flycatcher.gentoo.org`

1

sping       12/11/25 19:38:46

2

3

  Added:                gimp-2.8.2-xwd-file-security.patch

4

  Log:

5

  media-gfx/gimp: 2.8.2-r1 (security, bug #444280)

6

7

  (Portage version: 2.1.11.31/cvs/Linux x86_64, signed Manifest commit with key 0x401A1600)

8

9

Revision  Changes    Path

10

1.1                  media-gfx/gimp/files/gimp-2.8.2-xwd-file-security.patch

11

12

file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-gfx/gimp/files/gimp-2.8.2-xwd-file-security.patch?rev=1.1&view=markup

13

plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-gfx/gimp/files/gimp-2.8.2-xwd-file-security.patch?rev=1.1&content-type=text/plain

14

15

Index: gimp-2.8.2-xwd-file-security.patch

16

===================================================================

17

From 2873262fccba12af144ed96ed91be144d92ff2e1 Mon Sep 17 00:00:00 2001

18

From: Michael Natterer <mitch@××××.org>

19

Date: Wed, 07 Nov 2012 23:16:31 +0000

20

Subject: Bug 687392 - Memory corruption vulnerability when reading XWD files

21

22

Applied and enhanced patch from andres which makes file-xwd detect

23

this kind of file corruption and abort loading with an error message.

24

(cherry picked from commit 0b35f6a082a0b3c372c568ea6bde39a4796acde2)

25

---

26

diff --git a/plug-ins/common/file-xwd.c b/plug-ins/common/file-xwd.c

27

index 4e8a95e..f91d757 100644

28

--- a/plug-ins/common/file-xwd.c

29

+++ b/plug-ins/common/file-xwd.c

30

@@ -186,11 +186,13 @@ static gint32 load_xwd_f2_d16_b16 (const gchar *,

31

 static gint32 load_xwd_f2_d24_b32 (const gchar *,

32

                                    FILE *,

33

                                    L_XWDFILEHEADER *,

34

-                                   L_XWDCOLOR *);

35

+                                   L_XWDCOLOR *,

36

+                                   GError **);

37

 static gint32 load_xwd_f1_d24_b1  (const gchar *,

38

                                    FILE *,

39

                                    L_XWDFILEHEADER *,

40

-                                   L_XWDCOLOR *);

41

+                                   L_XWDCOLOR *,

42

+                                   GError **);

43

44

 static L_CARD32 read_card32  (FILE *,

45

                               gint *);

46

@@ -540,7 +542,8 @@ load_image (const gchar  *filename,

47

     case 1:    /* Single plane pixmap */

48

       if ((depth <= 24) && (bpp == 1))

49

{

50

-          image_ID = load_xwd_f1_d24_b1 (filename, ifp, &xwdhdr, xwdcolmap);

51

+          image_ID = load_xwd_f1_d24_b1 (filename, ifp, &xwdhdr, xwdcolmap,

52

+                                         error);

53

}

54

       break;

55

56

@@ -559,7 +562,8 @@ load_image (const gchar  *filename,

57

}

58

       else if ((depth <= 24) && ((bpp == 24) || (bpp == 32)))

59

{

60

-          image_ID = load_xwd_f2_d24_b32 (filename, ifp, &xwdhdr, xwdcolmap);

61

+          image_ID = load_xwd_f2_d24_b32 (filename, ifp, &xwdhdr, xwdcolmap,

62

+                                          error);

63

}

64

       break;

65

}

66

@@ -570,7 +574,7 @@ load_image (const gchar  *filename,

67

   if (xwdcolmap)

68

     g_free (xwdcolmap);

69

70

-  if (image_ID == -1)

71

+  if (image_ID == -1 && ! (error && *error))

72

     g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,

73

                  _("XWD-file %s has format %d, depth %d and bits per pixel %d. "

74

                    "Currently this is not supported."),

75

@@ -1624,10 +1628,11 @@ load_xwd_f2_d16_b16 (const gchar     *filename,

76

 /* Load XWD with pixmap_format 2, pixmap_depth up to 24, bits_per_pixel 24/32 */

77

78

 static gint32

79

-load_xwd_f2_d24_b32 (const gchar     *filename,

80

-                     FILE            *ifp,

81

-                     L_XWDFILEHEADER *xwdhdr,

82

-                     L_XWDCOLOR      *xwdcolmap)

83

+load_xwd_f2_d24_b32 (const gchar      *filename,

84

+                     FILE             *ifp,

85

+                     L_XWDFILEHEADER  *xwdhdr,

86

+                     L_XWDCOLOR       *xwdcolmap,

87

+                     GError          **error)

88

{

89

   register guchar *dest, lsbyte_first;

90

   gint             width, height, linepad, i, j, c0, c1, c2, c3;

91

@@ -1652,12 +1657,6 @@ load_xwd_f2_d24_b32 (const gchar     *filename,

92

   width  = xwdhdr->l_pixmap_width;

93

   height = xwdhdr->l_pixmap_height;

94

95

-  image_ID = create_new_image (filename, width, height, GIMP_RGB,

96

-                               &layer_ID, &drawable, &pixel_rgn);

97

-

98

-  tile_height = gimp_tile_height ();

99

-  data = g_malloc (tile_height * width * 3);

100

-

101

   redmask   = xwdhdr->l_red_mask;

102

   greenmask = xwdhdr->l_green_mask;

103

   bluemask  = xwdhdr->l_blue_mask;

104

@@ -1685,6 +1684,22 @@ load_xwd_f2_d24_b32 (const gchar     *filename,

105

   maxblue = 0; while (bluemask >> (blueshift + maxblue)) maxblue++;

106

   maxblue = (1 << maxblue) - 1;

107

108

+  if (maxred   > sizeof (redmap)   ||

109

+      maxgreen > sizeof (greenmap) ||

110

+      maxblue  > sizeof (bluemap))

111

+    {

112

+      g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,

113

+                   _("XWD-file %s is corrupt."),

114

+                   gimp_filename_to_utf8 (filename));

115

+      return -1;

116

+    }

117

+

118

+  image_ID = create_new_image (filename, width, height, GIMP_RGB,

119

+                               &layer_ID, &drawable, &pixel_rgn);

120

+

121

+  tile_height = gimp_tile_height ();

122

+  data = g_malloc (tile_height * width * 3);

123

+

124

   /* Set map-arrays for red, green, blue */

125

   for (red = 0; red <= maxred; red++)

126

     redmap[red] = (red * 255) / maxred;

127

@@ -1825,10 +1840,11 @@ load_xwd_f2_d24_b32 (const gchar     *filename,

128

 /* Load XWD with pixmap_format 1, pixmap_depth up to 24, bits_per_pixel 1 */

129

130

 static gint32

131

-load_xwd_f1_d24_b1 (const gchar     *filename,

132

-                    FILE            *ifp,

133

-                    L_XWDFILEHEADER *xwdhdr,

134

-                    L_XWDCOLOR      *xwdcolmap)

135

+load_xwd_f1_d24_b1 (const gchar      *filename,

136

+                    FILE             *ifp,

137

+                    L_XWDFILEHEADER  *xwdhdr,

138

+                    L_XWDCOLOR       *xwdcolmap,

139

+                    GError          **error)

140

{

141

   register guchar *dest, outmask, inmask, do_reverse;

142

   gint             width, height, i, j, plane, fromright;

143

@@ -1863,13 +1879,6 @@ load_xwd_f1_d24_b1 (const gchar     *filename,

144

   indexed         = (xwdhdr->l_pixmap_depth <= 8);

145

   bytes_per_pixel = (indexed ? 1 : 3);

146

147

-  image_ID = create_new_image (filename, width, height,

148

-                               indexed ? GIMP_INDEXED : GIMP_RGB,

149

-                               &layer_ID, &drawable, &pixel_rgn);

150

-

151

-  tile_height = gimp_tile_height ();

152

-  data = g_malloc (tile_height * width * bytes_per_pixel);

153

-

154

   for (j = 0; j < 256; j++)   /* Create an array for reversing bits */

155

{

156

       inmask = 0;

157

@@ -1913,6 +1922,16 @@ load_xwd_f1_d24_b1 (const gchar     *filename,

158

       maxblue = 0; while (bluemask >> (blueshift + maxblue)) maxblue++;

159

       maxblue = (1 << maxblue) - 1;

160

161

+      if (maxred   > sizeof (redmap)   ||

162

+          maxgreen > sizeof (greenmap) ||

163

+          maxblue  > sizeof (bluemap))

164

+        {

165

+          g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,

166

+                       _("XWD-file %s is corrupt."),

167

+                       gimp_filename_to_utf8 (filename));

168

+          return -1;

169

+        }

170

+

171

       /* Set map-arrays for red, green, blue */

172

       for (red = 0; red <= maxred; red++)

173

         redmap[red] = (red * 255) / maxred;

174

@@ -1922,6 +1941,13 @@ load_xwd_f1_d24_b1 (const gchar     *filename,

175

         bluemap[blue] = (blue * 255) / maxblue;

176

}

177

178

+  image_ID = create_new_image (filename, width, height,

179

+                               indexed ? GIMP_INDEXED : GIMP_RGB,

180

+                               &layer_ID, &drawable, &pixel_rgn);

181

+

182

+  tile_height = gimp_tile_height ();

183

+  data = g_malloc (tile_height * width * bytes_per_pixel);

184

+

185

   ncols = xwdhdr->l_colormap_entries;

186

   if (xwdhdr->l_ncolors < ncols)

187

     ncols = xwdhdr->l_ncolors;

188

--

189

cgit v0.9.0.2

1	sping 12/11/25 19:38:46
2
3	Added: gimp-2.8.2-xwd-file-security.patch
4	Log:
5	media-gfx/gimp: 2.8.2-r1 (security, bug #444280)
6
7	(Portage version: 2.1.11.31/cvs/Linux x86_64, signed Manifest commit with key 0x401A1600)
8
9	Revision Changes Path
10	1.1 media-gfx/gimp/files/gimp-2.8.2-xwd-file-security.patch
11
12	file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-gfx/gimp/files/gimp-2.8.2-xwd-file-security.patch?rev=1.1&view=markup
13	plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/media-gfx/gimp/files/gimp-2.8.2-xwd-file-security.patch?rev=1.1&content-type=text/plain
14
15	Index: gimp-2.8.2-xwd-file-security.patch
16	===================================================================
17	From 2873262fccba12af144ed96ed91be144d92ff2e1 Mon Sep 17 00:00:00 2001
18	From: Michael Natterer <mitch@××××.org>
19	Date: Wed, 07 Nov 2012 23:16:31 +0000
20	Subject: Bug 687392 - Memory corruption vulnerability when reading XWD files
21
22	Applied and enhanced patch from andres which makes file-xwd detect
23	this kind of file corruption and abort loading with an error message.
24	(cherry picked from commit 0b35f6a082a0b3c372c568ea6bde39a4796acde2)
25	---
26	diff --git a/plug-ins/common/file-xwd.c b/plug-ins/common/file-xwd.c
27	index 4e8a95e..f91d757 100644
28	--- a/plug-ins/common/file-xwd.c
29	+++ b/plug-ins/common/file-xwd.c
30	@@ -186,11 +186,13 @@ static gint32 load_xwd_f2_d16_b16 (const gchar *,
31	static gint32 load_xwd_f2_d24_b32 (const gchar *,
32	FILE *,
33	L_XWDFILEHEADER *,
34	- L_XWDCOLOR *);
35	+ L_XWDCOLOR *,
36	+ GError **);
37	static gint32 load_xwd_f1_d24_b1 (const gchar *,
38	FILE *,
39	L_XWDFILEHEADER *,
40	- L_XWDCOLOR *);
41	+ L_XWDCOLOR *,
42	+ GError **);
43
44	static L_CARD32 read_card32 (FILE *,
45	gint *);
46	@@ -540,7 +542,8 @@ load_image (const gchar *filename,
47	case 1: /* Single plane pixmap */
48	if ((depth <= 24) && (bpp == 1))
49	{
50	- image_ID = load_xwd_f1_d24_b1 (filename, ifp, &xwdhdr, xwdcolmap);
51	+ image_ID = load_xwd_f1_d24_b1 (filename, ifp, &xwdhdr, xwdcolmap,
52	+ error);
53	}
54	break;
55
56	@@ -559,7 +562,8 @@ load_image (const gchar *filename,
57	}
58	else if ((depth <= 24) && ((bpp == 24) \|\| (bpp == 32)))
59	{
60	- image_ID = load_xwd_f2_d24_b32 (filename, ifp, &xwdhdr, xwdcolmap);
61	+ image_ID = load_xwd_f2_d24_b32 (filename, ifp, &xwdhdr, xwdcolmap,
62	+ error);
63	}
64	break;
65	}
66	@@ -570,7 +574,7 @@ load_image (const gchar *filename,
67	if (xwdcolmap)
68	g_free (xwdcolmap);
69
70	- if (image_ID == -1)
71	+ if (image_ID == -1 && ! (error && *error))
72	g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
73	_("XWD-file %s has format %d, depth %d and bits per pixel %d. "
74	"Currently this is not supported."),
75	@@ -1624,10 +1628,11 @@ load_xwd_f2_d16_b16 (const gchar *filename,
76	/* Load XWD with pixmap_format 2, pixmap_depth up to 24, bits_per_pixel 24/32 */
77
78	static gint32
79	-load_xwd_f2_d24_b32 (const gchar *filename,
80	- FILE *ifp,
81	- L_XWDFILEHEADER *xwdhdr,
82	- L_XWDCOLOR *xwdcolmap)
83	+load_xwd_f2_d24_b32 (const gchar *filename,
84	+ FILE *ifp,
85	+ L_XWDFILEHEADER *xwdhdr,
86	+ L_XWDCOLOR *xwdcolmap,
87	+ GError **error)
88	{
89	register guchar *dest, lsbyte_first;
90	gint width, height, linepad, i, j, c0, c1, c2, c3;
91	@@ -1652,12 +1657,6 @@ load_xwd_f2_d24_b32 (const gchar *filename,
92	width = xwdhdr->l_pixmap_width;
93	height = xwdhdr->l_pixmap_height;
94
95	- image_ID = create_new_image (filename, width, height, GIMP_RGB,
96	- &layer_ID, &drawable, &pixel_rgn);
97	-
98	- tile_height = gimp_tile_height ();
99	- data = g_malloc (tile_height * width * 3);
100	-
101	redmask = xwdhdr->l_red_mask;
102	greenmask = xwdhdr->l_green_mask;
103	bluemask = xwdhdr->l_blue_mask;
104	@@ -1685,6 +1684,22 @@ load_xwd_f2_d24_b32 (const gchar *filename,
105	maxblue = 0; while (bluemask >> (blueshift + maxblue)) maxblue++;
106	maxblue = (1 << maxblue) - 1;
107
108	+ if (maxred > sizeof (redmap) \|\|
109	+ maxgreen > sizeof (greenmap) \|\|
110	+ maxblue > sizeof (bluemap))
111	+ {
112	+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
113	+ _("XWD-file %s is corrupt."),
114	+ gimp_filename_to_utf8 (filename));
115	+ return -1;
116	+ }
117	+
118	+ image_ID = create_new_image (filename, width, height, GIMP_RGB,
119	+ &layer_ID, &drawable, &pixel_rgn);
120	+
121	+ tile_height = gimp_tile_height ();
122	+ data = g_malloc (tile_height * width * 3);
123	+
124	/* Set map-arrays for red, green, blue */
125	for (red = 0; red <= maxred; red++)
126	redmap[red] = (red * 255) / maxred;
127	@@ -1825,10 +1840,11 @@ load_xwd_f2_d24_b32 (const gchar *filename,
128	/* Load XWD with pixmap_format 1, pixmap_depth up to 24, bits_per_pixel 1 */
129
130	static gint32
131	-load_xwd_f1_d24_b1 (const gchar *filename,
132	- FILE *ifp,
133	- L_XWDFILEHEADER *xwdhdr,
134	- L_XWDCOLOR *xwdcolmap)
135	+load_xwd_f1_d24_b1 (const gchar *filename,
136	+ FILE *ifp,
137	+ L_XWDFILEHEADER *xwdhdr,
138	+ L_XWDCOLOR *xwdcolmap,
139	+ GError **error)
140	{
141	register guchar *dest, outmask, inmask, do_reverse;
142	gint width, height, i, j, plane, fromright;
143	@@ -1863,13 +1879,6 @@ load_xwd_f1_d24_b1 (const gchar *filename,
144	indexed = (xwdhdr->l_pixmap_depth <= 8);
145	bytes_per_pixel = (indexed ? 1 : 3);
146
147	- image_ID = create_new_image (filename, width, height,
148	- indexed ? GIMP_INDEXED : GIMP_RGB,
149	- &layer_ID, &drawable, &pixel_rgn);
150	-
151	- tile_height = gimp_tile_height ();
152	- data = g_malloc (tile_height * width * bytes_per_pixel);
153	-
154	for (j = 0; j < 256; j++) /* Create an array for reversing bits */
155	{
156	inmask = 0;
157	@@ -1913,6 +1922,16 @@ load_xwd_f1_d24_b1 (const gchar *filename,
158	maxblue = 0; while (bluemask >> (blueshift + maxblue)) maxblue++;
159	maxblue = (1 << maxblue) - 1;
160
161	+ if (maxred > sizeof (redmap) \|\|
162	+ maxgreen > sizeof (greenmap) \|\|
163	+ maxblue > sizeof (bluemap))
164	+ {
165	+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
166	+ _("XWD-file %s is corrupt."),
167	+ gimp_filename_to_utf8 (filename));
168	+ return -1;
169	+ }
170	+
171	/* Set map-arrays for red, green, blue */
172	for (red = 0; red <= maxred; red++)
173	redmap[red] = (red * 255) / maxred;
174	@@ -1922,6 +1941,13 @@ load_xwd_f1_d24_b1 (const gchar *filename,
175	bluemap[blue] = (blue * 255) / maxblue;
176	}
177
178	+ image_ID = create_new_image (filename, width, height,
179	+ indexed ? GIMP_INDEXED : GIMP_RGB,
180	+ &layer_ID, &drawable, &pixel_rgn);
181	+
182	+ tile_height = gimp_tile_height ();
183	+ data = g_malloc (tile_height * width * bytes_per_pixel);
184	+
185	ncols = xwdhdr->l_colormap_entries;
186	if (xwdhdr->l_ncolors < ncols)
187	ncols = xwdhdr->l_ncolors;
188	--
189	cgit v0.9.0.2

Gentoo Archives: gentoo-commits