authorChris White <chriswhite@gentoo.org>2004-09-06 18:17:10 +0000
committerChris White <chriswhite@gentoo.org>2004-09-06 18:17:10 +0000
commit78ff4188e78f8da08050d765070f6693040bdb36 (patch)
tree0697e459e777249ff595d80bab887b3558b8b51b /media-libs/imlib/files
parentSwitch to use epause and ebeep, bug #62950 (Manifest recommit) (diff)
Security rev bump per Bug #62487. x86 stable marked for security bug.
Diffstat (limited to 'media-libs/imlib/files')
-rw-r--r--media-libs/imlib/files/digest-imlib-1.9.14-r21
-rw-r--r--media-libs/imlib/files/imlib-1.9.14-bound.patch372
2 files changed, 373 insertions, 0 deletions
diff --git a/media-libs/imlib/files/digest-imlib-1.9.14-r2 b/media-libs/imlib/files/digest-imlib-1.9.14-r2
new file mode 100644
index 000000000000..2506fdb6b205
--- /dev/null
+++ b/media-libs/imlib/files/digest-imlib-1.9.14-r2
@@ -0,0 +1 @@
+MD5 a337643f75bb431034d7213ac74f13dc imlib-1.9.14.tar.bz2 587947
diff --git a/media-libs/imlib/files/imlib-1.9.14-bound.patch b/media-libs/imlib/files/imlib-1.9.14-bound.patch
new file mode 100644
index 000000000000..d2385e529392
--- /dev/null
+++ b/media-libs/imlib/files/imlib-1.9.14-bound.patch
@@ -0,0 +1,372 @@
+diff -uprk.orig imlib-1.9.14.orig/gdk_imlib/io-bmp.c imlib-1.9.14/gdk_imlib/io-bmp.c
+--- imlib-1.9.14.orig/gdk_imlib/io-bmp.c 2002-03-04 20:06:29 +0300
++++ imlib-1.9.14/gdk_imlib/io-bmp.c 2004-09-02 16:36:16 +0400
+@@ -10,7 +10,7 @@ loader_bmp (FILE *file, int *w, int *h,
+ linesize, linepos, rshift = 0, gshift = 0, bshift = 0;
+ unsigned char byte;
+ short int word;
+- long int dbuf[4], dword, rmask = 0, gmask = 0, bmask = 0, offset,
++ long int dbuf[4], dword, rmask = 0xff, gmask = 0xff, bmask = 0xff, offset,
+ size;
+ signed char bbuf[4];
+ struct _cmap
+@@ -32,7 +32,7 @@ loader_bmp (FILE *file, int *w, int *h,
+ * Reading the bmp header
+ */
+
+- fread(&bbuf, 1, 2, file);
++ fread(bbuf, 1, 2, file);
+
+ fread(dbuf, 4, 4, file);
+
+@@ -42,12 +42,12 @@ loader_bmp (FILE *file, int *w, int *h,
+ fread(dbuf, 4, 2, file);
+ *w = (int)dbuf[0];
+ *h = (int)dbuf[1];
+- if (*w > 32767)
++ if ((*w < 0) || (*w > 32767))
+ {
+ fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n");
+ return NULL;
+ }
+- if (*h > 32767)
++ if ((*h < 0) || (*h > 32767))
+ {
+ fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n");
+ return NULL;
+@@ -72,6 +72,9 @@ loader_bmp (FILE *file, int *w, int *h,
+ ncolors = (int)dbuf[0];
+ if (ncolors == 0)
+ ncolors = 1 << bpp;
++ if ((ncolors < 0) || (ncolors > (1 << bpp)))
++ ncolors = 1 << bpp;
++
+ /* some more sanity checks */
+ if (((comp == BI_RLE4) && (bpp != 4)) || ((comp == BI_RLE8) && (bpp != 8)) || ((comp == BI_BITFIELDS) && (bpp != 16 && bpp != 32)))
+ {
+@@ -197,9 +200,13 @@ loader_bmp (FILE *file, int *w, int *h,
+ for (bit = 0; bit < 8; bit++)
+ {
+ index = ((byte & (0x80 >> bit)) ? 1 : 0);
+- ptr[poffset] = cmap[index].r;
+- ptr[poffset + 1] = cmap[index].g;
+- ptr[poffset + 2] = cmap[index].b;
++ /* possibly corrupted file? */
++ if (index < ncolors && poffset < *w * *h * 3)
++ {
++ ptr[poffset] = cmap[index].r;
++ ptr[poffset + 1] = cmap[index].g;
++ ptr[poffset + 2] = cmap[index].b;
++ }
+ column++;
+ }
+ }
+@@ -221,9 +228,13 @@ loader_bmp (FILE *file, int *w, int *h,
+ index = ((byte & (0xF0 >> nibble * 4)) >> (!nibble * 4));
+ if (index >= 16)
+ index = 15;
+- ptr[poffset] = cmap[index].r;
+- ptr[poffset + 1] = cmap[index].g;
+- ptr[poffset + 2] = cmap[index].b;
++ /* possibly corrupted file? */
++ if (index < ncolors && poffset < *w * *h * 3)
++ {
++ ptr[poffset] = cmap[index].r;
++ ptr[poffset + 1] = cmap[index].g;
++ ptr[poffset + 2] = cmap[index].b;
++ }
+ column++;
+ }
+ }
+@@ -263,9 +274,13 @@ loader_bmp (FILE *file, int *w, int *h,
+ {
+ linepos++;
+ byte = getc(file);
+- ptr[poffset] = cmap[byte].r;
+- ptr[poffset + 1] = cmap[byte].g;
+- ptr[poffset + 2] = cmap[byte].b;
++ /* possibly corrupted file? */
++ if (byte < ncolors && poffset < *w * *h * 3)
++ {
++ ptr[poffset] = cmap[byte].r;
++ ptr[poffset + 1] = cmap[byte].g;
++ ptr[poffset + 2] = cmap[byte].b;
++ }
+ column++;
+ }
+ if (absolute & 0x01)
+@@ -276,9 +291,13 @@ loader_bmp (FILE *file, int *w, int *h,
+ {
+ for (i = 0; i < first; i++)
+ {
+- ptr[poffset] = cmap[byte].r;
+- ptr[poffset + 1] = cmap[byte].g;
+- ptr[poffset + 2] = cmap[byte].b;
++ /* possibly corrupted file? */
++ if (byte < ncolors && poffset < *w * *h * 3)
++ {
++ ptr[poffset] = cmap[byte].r;
++ ptr[poffset + 1] = cmap[byte].g;
++ ptr[poffset + 2] = cmap[byte].b;
++ }
+ column++;
+ linepos++;
+ }
+@@ -286,20 +305,27 @@ loader_bmp (FILE *file, int *w, int *h,
+ }
+ else
+ {
+- ptr[poffset] = cmap[byte].r;
+- ptr[poffset + 1] = cmap[byte].g;
+- ptr[poffset + 2] = cmap[byte].b;
++ /* possibly corrupted file? */
++ if (byte < ncolors && poffset < *w * *h * 3)
++ {
++ ptr[poffset] = cmap[byte].r;
++ ptr[poffset + 1] = cmap[byte].g;
++ ptr[poffset + 2] = cmap[byte].b;
++ }
+ column++;
+- linepos += size;
+ }
+ }
+ }
+ else if (bpp == 24)
+ {
+- linepos += fread(&bbuf, 1, 3, file);
+- ptr[poffset] = (unsigned char)bbuf[2];
+- ptr[poffset + 1] = (unsigned char)bbuf[1];
+- ptr[poffset + 2] = (unsigned char)bbuf[0];
++ linepos += fread(bbuf, 1, 3, file);
++ /* possibly corrupted file? */
++ if (poffset < *w * *h * 3)
++ {
++ ptr[poffset] = (unsigned char)bbuf[2];
++ ptr[poffset + 1] = (unsigned char)bbuf[1];
++ ptr[poffset + 2] = (unsigned char)bbuf[0];
++ }
+ column++;
+ }
+ else if (bpp == 16)
+@@ -307,12 +333,16 @@ loader_bmp (FILE *file, int *w, int *h,
+ unsigned char temp;
+
+ linepos += fread(&word, 2, 1, file);
+- temp = (word & rmask) >> rshift;
+- ptr[poffset] = temp;
+- temp = (word & gmask) >> gshift;
+- ptr[poffset + 1] = temp;
+- temp = (word & bmask) >> gshift;
+- ptr[poffset + 2] = temp;
++ /* possibly corrupted file? */
++ if (poffset < *w * *h * 3)
++ {
++ temp = (word & rmask) >> rshift;
++ ptr[poffset] = temp;
++ temp = (word & gmask) >> gshift;
++ ptr[poffset + 1] = temp;
++ temp = (word & bmask) >> gshift;
++ ptr[poffset + 2] = temp;
++ }
+ column++;
+ }
+ else
+@@ -320,12 +350,16 @@ loader_bmp (FILE *file, int *w, int *h,
+ unsigned char temp;
+
+ linepos += fread(&dword, 4, 1, file);
+- temp = (dword & rmask) >> rshift;
+- ptr[poffset] = temp;
+- temp = (dword & gmask) >> gshift;
+- ptr[poffset + 1] = temp;
+- temp = (dword & bmask) >> bshift;
+- ptr[poffset + 2] = temp;
++ /* possibly corrupted file? */
++ if (poffset < *w * *h * 3)
++ {
++ temp = (dword & rmask) >> rshift;
++ ptr[poffset] = temp;
++ temp = (dword & gmask) >> gshift;
++ ptr[poffset + 1] = temp;
++ temp = (dword & bmask) >> bshift;
++ ptr[poffset + 2] = temp;
++ }
+ column++;
+ }
+ }
+diff -uprk.orig imlib-1.9.14.orig/Imlib/load.c imlib-1.9.14/Imlib/load.c
+--- imlib-1.9.14.orig/Imlib/load.c 2002-03-22 17:43:04 +0300
++++ imlib-1.9.14/Imlib/load.c 2004-09-02 16:34:16 +0400
+@@ -631,12 +631,12 @@ _LoadBMP(ImlibData * id, FILE *file, int
+ fread(dbuf, 4, 2, file);
+ *w = (int)dbuf[0];
+ *h = (int)dbuf[1];
+- if (*w > 32767)
++ if ((*w < 0) || (*w > 32767))
+ {
+ fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n");
+ return NULL;
+ }
+- if (*h > 32767)
++ if ((*h < 0) || (*h > 32767))
+ {
+ fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n");
+ return NULL;
+@@ -661,6 +661,9 @@ _LoadBMP(ImlibData * id, FILE *file, int
+ ncolors = (int)dbuf[0];
+ if (ncolors == 0)
+ ncolors = 1 << bpp;
++ if ((ncolors < 0) || (ncolors > (1 << bpp)))
++ ncolors = 1 << bpp;
++
+ /* some more sanity checks */
+ if (((comp == BI_RLE4) && (bpp != 4)) || ((comp == BI_RLE8) && (bpp != 8)) || ((comp == BI_BITFIELDS) && (bpp != 16 && bpp != 32)))
+ {
+@@ -786,9 +789,13 @@ _LoadBMP(ImlibData * id, FILE *file, int
+ for (bit = 0; bit < 8; bit++)
+ {
+ index = ((byte & (0x80 >> bit)) ? 1 : 0);
+- ptr[poffset] = cmap[index].r;
+- ptr[poffset + 1] = cmap[index].g;
+- ptr[poffset + 2] = cmap[index].b;
++ /* possibly corrupted file? */
++ if (index < ncolors && poffset < *w * *h * 3)
++ {
++ ptr[poffset] = cmap[index].r;
++ ptr[poffset + 1] = cmap[index].g;
++ ptr[poffset + 2] = cmap[index].b;
++ }
+ column++;
+ }
+ }
+@@ -810,9 +817,13 @@ _LoadBMP(ImlibData * id, FILE *file, int
+ index = ((byte & (0xF0 >> nibble * 4)) >> (!nibble * 4));
+ if (index >= 16)
+ index = 15;
+- ptr[poffset] = cmap[index].r;
+- ptr[poffset + 1] = cmap[index].g;
+- ptr[poffset + 2] = cmap[index].b;
++ /* possibly corrupted file? */
++ if (index < ncolors && poffset < *w * *h * 3)
++ {
++ ptr[poffset] = cmap[index].r;
++ ptr[poffset + 1] = cmap[index].g;
++ ptr[poffset + 2] = cmap[index].b;
++ }
+ column++;
+ }
+ }
+@@ -851,9 +862,13 @@ _LoadBMP(ImlibData * id, FILE *file, int
+ {
+ linepos++;
+ byte = getc(file);
+- ptr[poffset] = cmap[byte].r;
+- ptr[poffset + 1] = cmap[byte].g;
+- ptr[poffset + 2] = cmap[byte].b;
++ /* possibly corrupted file? */
++ if (byte < ncolors && poffset < *w * *h * 3)
++ {
++ ptr[poffset] = cmap[byte].r;
++ ptr[poffset + 1] = cmap[byte].g;
++ ptr[poffset + 2] = cmap[byte].b;
++ }
+ column++;
+ }
+ if (absolute & 0x01)
+@@ -864,9 +879,13 @@ _LoadBMP(ImlibData * id, FILE *file, int
+ {
+ for (i = 0; i < first; i++)
+ {
+- ptr[poffset] = cmap[byte].r;
+- ptr[poffset + 1] = cmap[byte].g;
+- ptr[poffset + 2] = cmap[byte].b;
++ /* possibly corrupted file? */
++ if (byte < ncolors && poffset < *w * *h * 3)
++ {
++ ptr[poffset] = cmap[byte].r;
++ ptr[poffset + 1] = cmap[byte].g;
++ ptr[poffset + 2] = cmap[byte].b;
++ }
+ column++;
+ linepos++;
+ }
+@@ -874,9 +893,13 @@ _LoadBMP(ImlibData * id, FILE *file, int
+ }
+ else
+ {
+- ptr[poffset] = cmap[byte].r;
+- ptr[poffset + 1] = cmap[byte].g;
+- ptr[poffset + 2] = cmap[byte].b;
++ /* possibly corrupted file? */
++ if (byte < ncolors && poffset < *w * *h * 3)
++ {
++ ptr[poffset] = cmap[byte].r;
++ ptr[poffset + 1] = cmap[byte].g;
++ ptr[poffset + 2] = cmap[byte].b;
++ }
+ column++;
+ }
+ }
+@@ -884,9 +907,13 @@ _LoadBMP(ImlibData * id, FILE *file, int
+ else if (bpp == 24)
+ {
+ linepos += fread(bbuf, 1, 3, file);
+- ptr[poffset] = (unsigned char)bbuf[2];
+- ptr[poffset + 1] = (unsigned char)bbuf[1];
+- ptr[poffset + 2] = (unsigned char)bbuf[0];
++ /* possibly corrupted file? */
++ if (poffset < *w * *h * 3)
++ {
++ ptr[poffset] = (unsigned char)bbuf[2];
++ ptr[poffset + 1] = (unsigned char)bbuf[1];
++ ptr[poffset + 2] = (unsigned char)bbuf[0];
++ }
+ column++;
+ }
+ else if (bpp == 16)
+@@ -894,12 +921,16 @@ _LoadBMP(ImlibData * id, FILE *file, int
+ unsigned char temp;
+
+ linepos += fread(&word, 2, 1, file);
+- temp = (word & rmask) >> rshift;
+- ptr[poffset] = temp;
+- temp = (word & gmask) >> gshift;
+- ptr[poffset + 1] = temp;
+- temp = (word & bmask) >> gshift;
+- ptr[poffset + 2] = temp;
++ /* possibly corrupted file? */
++ if (poffset < *w * *h * 3)
++ {
++ temp = (word & rmask) >> rshift;
++ ptr[poffset] = temp;
++ temp = (word & gmask) >> gshift;
++ ptr[poffset + 1] = temp;
++ temp = (word & bmask) >> gshift;
++ ptr[poffset + 2] = temp;
++ }
+ column++;
+ }
+ else
+@@ -907,12 +938,16 @@ _LoadBMP(ImlibData * id, FILE *file, int
+ unsigned char temp;
+
+ linepos += fread(&dword, 4, 1, file);
+- temp = (dword & rmask) >> rshift;
+- ptr[poffset] = temp;
+- temp = (dword & gmask) >> gshift;
+- ptr[poffset + 1] = temp;
+- temp = (dword & bmask) >> bshift;
+- ptr[poffset + 2] = temp;
++ /* possibly corrupted file? */
++ if (poffset < *w * *h * 3)
++ {
++ temp = (dword & rmask) >> rshift;
++ ptr[poffset] = temp;
++ temp = (dword & gmask) >> gshift;
++ ptr[poffset + 1] = temp;
++ temp = (dword & bmask) >> bshift;
++ ptr[poffset + 2] = temp;
++ }
+ column++;
+ }
+ }
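Review bot: The guard `poffset < *w * *h * 3` added before each pixel store in loader_bmp (and repeated in _LoadBMP in Imlib/load.c) is evaluated in `int`, but the header checks earlier in the patch still accept width and height up to 32767 each, so the product can exceed INT_MAX and the comparison stops being a reliable bound. The guard also tests only the upper limit, so if `poffset` is a signed int (its declaration is outside the hunks) a negative offset would still pass. I would compute the limit once after the size checks in a wider unsigned type, `size_t limit = (size_t)*w * (size_t)*h * 3;`, and test `if (poffset >= 0 && (size_t)poffset + 2 < limit)` at every store; whether the allocation of `ptr` uses the same overflow-safe size cannot be seen here because both functions start and end outside the hunks. Separately, the 16-bpp branch still shifts the blue channel with `gshift` (`temp = (word & bmask) >> gshift;`) where the 32-bpp branch uses `bshift`, which looks like a copy-paste slip carried through the patch.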