Hello community,
here is the log from the commit of package xzgv
checked in at Fri Apr 7 17:05:25 CEST 2006.
--------
--- xzgv/xzgv.changes 2006-02-14 18:08:13.000000000 +0100
+++ xzgv/xzgv.changes 2006-03-28 00:29:34.000000000 +0200
@@ -1,0 +2,5 @@
+Tue Mar 28 00:20:49 CEST 2006 - jreuter@suse.de
+
+- fix CVE-2006-1060: JPEG CMYK/YCCK heap overflow (#159699)
+
+-------------------------------------------------------------------
New:
----
xzgv-cmyk-ycc-fix.diff
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ xzgv.spec ++++++
--- /var/tmp/diff_new_pack.nsy35n/_old 2006-04-07 17:05:00.000000000 +0200
+++ /var/tmp/diff_new_pack.nsy35n/_new 2006-04-07 17:05:00.000000000 +0200
@@ -14,7 +14,7 @@
BuildRequires: gcc-c++ gtk-devel imlib-devel libpng-devel libtiff-devel te_ams te_latex update-desktop-files xorg-x11
URL: http://rus.members.beeb.net/xzgv.html
Version: 0.8
-Release: 118
+Release: 125
Group: Productivity/Graphics/Viewers
License: GPL
Summary: A Fast Picture Viewer for the X Window System
@@ -25,6 +25,7 @@
Patch2: xzgv-secfix.diff
Patch3: xzgv-fixgcc4.diff
Patch4: xzgv-jpegdetect.diff
+Patch5: xzgv-cmyk-ycc-fix.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@@ -50,6 +51,7 @@
%patch2
%patch3
%patch4
+%patch5
%build
CFLAGS=$RPM_OPT_FLAGS make
@@ -71,6 +73,8 @@
%doc %{_infodir}/xzgv-3.gz
%changelog -n xzgv
+* Tue Mar 28 2006 - jreuter@suse.de
+- fix CVE-2006-1060: JPEG CMYK/YCCK heap overflow (#159699)
* Tue Feb 14 2006 - jreuter@suse.de
- fix broken JPEG detection introduced with fixes for gcc4 (#150534)
* Wed Jan 25 2006 - mls@suse.de
++++++ xzgv-cmyk-ycc-fix.diff ++++++
diff -Nur ../xzgv-0.8.dist/src/readjpeg.c ./src/readjpeg.c
--- ../xzgv-0.8.dist/src/readjpeg.c 2006-03-27 23:30:07.000000000 +0200
+++ ./src/readjpeg.c 2006-03-27 23:54:41.000000000 +0200
@@ -178,11 +178,13 @@
static int have_image;
static int width,height;
static unsigned char *image;
+static int cmyk;
unsigned char *ptr,*ptr2;
int chkw,chkh;
int f,rec;
static int greyscale; /* static to satisfy gcc -Wall */
+cmyk=0;
greyscale=0;
lineptrs=NULL;
@@ -224,6 +226,15 @@
greyscale=1;
}
+if(cinfo.jpeg_color_space==JCS_CMYK)
+ cmyk=1;
+
+if(cinfo.jpeg_color_space==JCS_YCCK)
+ {
+ cmyk=1;
+ cinfo.out_color_space=JCS_CMYK;
+ }
+
*wp=width=cinfo.image_width;
*hp=height=cinfo.image_height;
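Review bot: Nothing at the two added `if` blocks explains why `cmyk` is recorded, although a later hunk uses it as a number in the buffer size (`height+cmyk`) and not only as a flag. A comment above them would make that coupling visible, for example `/* CMYK/YCCK decode to 4 bytes per pixel; cmyk=1 makes the image buffer one row larger */`. The wording should be confirmed against the scanline loop, which lies outside this hunk. Since `cinfo.jpeg_color_space` comes from the file being opened, a second comment line noting that the value is untrusted input would also help the next reader.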
@@ -267,10 +278,10 @@
if ((width <= 0) || (height <=0 ) ||
(width > (SIZE_T_MAX/height)) ||
- ((width * height) > SIZE_T_MAX/3))
+ ((width * (height+cmyk)) > SIZE_T_MAX/3))
longjmp(jerr.setjmp_buffer,1);
-if((*imagep=image=malloc(width*height*3))==NULL)
+if((*imagep=image=malloc(width*(height+cmyk)*3))==NULL)
longjmp(jerr.setjmp_buffer,1);
jpeg_start_decompress(&cinfo);
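Review bot: The size arithmetic in this hunk is still done in `int`, because `width` and `height` are declared `static int` earlier in the function. Both `width * (height+cmyk)` in the check and `width*(height+cmyk)*3` in the `malloc` call can therefore overflow before they are compared with `SIZE_T_MAX/3` or converted to `size_t`. Where `size_t` is wider than `int` (the definition of `SIZE_T_MAX` is not visible here), the guards would pass for any positive dimensions and the buffer could come out smaller than the decoder fills. The division guard on the line above also still uses `height` rather than `height+cmyk`. Doing the arithmetic in `size_t` covers all of this: `((size_t)width > SIZE_T_MAX/3/((size_t)height+cmyk))` as the bound after the two `<= 0` tests, and `malloc((size_t)width*((size_t)height+cmyk)*3)`; the enclosing function starts and ends outside the hunk.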
@@ -287,12 +298,33 @@
for(f=0;f