author: Alexandre Rostovtsev <tetromino@gentoo.org> 2015-09-01 00:28:13 -0400
committer: Alexandre Rostovtsev <tetromino@gentoo.org> 2015-09-01 01:15:38 -0400
commit: 084b0771c60902525706033d8d1ef2ac489954e1
tree: 2791f0b59b9c26a0a3a79581a776355c7751d71e /x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.5-pixops-overflow.patch
parent: dev-ruby/calendar_date_select: version bump
x11-libs/gdk-pixbuf: more DoS fixes (CVE-2015-4491)
Really fix the overflows this time.

Gentoo-Bug: 556314
Upstream-Bug-url: https://bugzilla.gnome.org/show_bug.cgi?id=752297
Upstream-Bug-url: https://bugzilla.gnome.org/show_bug.cgi?id=753908
Upstream-Bug-url: https://bugzilla.gnome.org/show_bug.cgi?id=734556
Upstream-Bug-url: https://bugzilla.gnome.org/show_bug.cgi?id=753569

Package-Manager: portage-2.2.20.1
Diffstat (limited to 'x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.5-pixops-overflow.patch')
-rw-r--r-- x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.5-pixops-overflow.patch | 38
1 files changed, 38 insertions, 0 deletions
diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.5-pixops-overflow.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.5-pixops-overflow.patch
new file mode 100644
index 000000000000..6f28dfde29ac
--- /dev/null
+++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.5-pixops-overflow.patch
@@ -0,0 +1,38 @@
+From 8dba67cb4f38d62a47757741ad41e3f245b4a32a Mon Sep 17 00:00:00 2001
+From: Benjamin Otte <otte@redhat.com>
+Date: Mon, 17 Aug 2015 18:52:47 +0200
+Subject: [PATCH] pixops: Fix oversight for CVE-2015-4491
+
+The n_x variable could be made large enough to overflow, too.
+
+Also included are various testcases for this vulnerability:
+- The original exploit (adapted for the testsuite)
+- Causing overflow by making both X and Y variables large
+- Causing overflow using only the X variable
+- Causing overflow using only the Y variable
+
+https://bugzilla.gnome.org/show_bug.cgi?id=752297
+---
+ gdk-pixbuf/pixops/pixops.c | 6 ++-
+ 1 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c
+index ce51745..7f2cbff 100644
+--- a/gdk-pixbuf/pixops/pixops.c
++++ b/gdk-pixbuf/pixops/pixops.c
+@@ -1275,7 +1275,11 @@ make_filter_table (PixopsFilter *filter)
+ gsize n_weights;
+ int *weights;
+
+- n_weights = SUBSAMPLE * SUBSAMPLE * n_x * n_y;
++ n_weights = SUBSAMPLE * SUBSAMPLE * n_x;
++ if (n_weights / (SUBSAMPLE * SUBSAMPLE) != n_x)
++ return NULL; /* overflow, bail */
++
++ n_weights *= n_y;
+ if (n_weights / (SUBSAMPLE * SUBSAMPLE * n_x) != n_y)
+ return NULL; /* overflow, bail */
+
+--
+2.5.1
+
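Review bot: In the make_filter_table change to pixops.c, the second check divides by a freshly computed `SUBSAMPLE * SUBSAMPLE * n_x` rather than by the product that was just validated, and both that divisor and the first assignment are evaluated in the operands' own type before anything is widened to `gsize`. The declarations of `n_x`, `n_y` and `SUBSAMPLE` are outside the visible context; unless one of them is already `gsize`, the multiplication can wrap (or, if signed, overflow with undefined behaviour) before either post-hoc division check sees it, so the checks would be testing an already-damaged value. In addition, if `n_x` is 0 the first check passes (`0 / (SUBSAMPLE * SUBSAMPLE) == 0`) and the second check divides by zero. Suggest rejecting non-positive counts first, casting to `gsize` before multiplying, and testing before each multiply instead of after, for example `if (n_x > G_MAXSIZE / (SUBSAMPLE * SUBSAMPLE)) return NULL;` followed by `if (n_y > G_MAXSIZE / n_weights) return NULL;`, keeping the intermediate product in a `gsize` variable that is reused as the divisor. Separately, the embedded commit message says testcases are included, but the embedded diffstat lists only gdk-pixbuf/pixops/pixops.c with 5 insertions and 1 deletion; either carry the tests in this patch file or add a line noting that they were dropped for the Gentoo backport.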