commit xzgv

7 Apr 2006

Hello community,

here is the log from the commit of package xzgv
checked in at Fri Apr 7 17:05:25 CEST 2006.

--------

--- xzgv/xzgv.changes	2006-02-14 18:08:13.000000000 +0100
+++ xzgv/xzgv.changes	2006-03-28 00:29:34.000000000 +0200
@@ -1,0 +2,5 @@
+Tue Mar 28 00:20:49 CEST 2006 - jreuter@suse.de
+
+- fix CVE-2006-1060: JPEG CMYK/YCCK heap overflow (#159699) 
+
+-------------------------------------------------------------------

New:
----
  xzgv-cmyk-ycc-fix.diff

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ xzgv.spec ++++++
--- /var/tmp/diff_new_pack.nsy35n/_old	2006-04-07 17:05:00.000000000 +0200
+++ /var/tmp/diff_new_pack.nsy35n/_new	2006-04-07 17:05:00.000000000 +0200
@@ -14,7 +14,7 @@
 BuildRequires:  gcc-c++ gtk-devel imlib-devel libpng-devel libtiff-devel te_ams te_latex update-desktop-files xorg-x11
 URL:            http://rus.members.beeb.net/xzgv.html
 Version:        0.8
-Release:        118
+Release:        125
 Group:          Productivity/Graphics/Viewers
 License:        GPL
 Summary:        A Fast Picture Viewer for the X Window System
@@ -25,6 +25,7 @@
 Patch2:         xzgv-secfix.diff
 Patch3:         xzgv-fixgcc4.diff
 Patch4:         xzgv-jpegdetect.diff
+Patch5:         xzgv-cmyk-ycc-fix.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
@@ -50,6 +51,7 @@
 %patch2
 %patch3
 %patch4
+%patch5
 
 %build
 CFLAGS=$RPM_OPT_FLAGS make
@@ -71,6 +73,8 @@
 %doc %{_infodir}/xzgv-3.gz
 
 %changelog -n xzgv
+* Tue Mar 28 2006 - jreuter@suse.de
+- fix CVE-2006-1060: JPEG CMYK/YCCK heap overflow (#159699)
 * Tue Feb 14 2006 - jreuter@suse.de
 - fix broken JPEG detection introduced with fixes for gcc4 (#150534)
 * Wed Jan 25 2006 - mls@suse.de

++++++ xzgv-cmyk-ycc-fix.diff ++++++
diff -Nur ../xzgv-0.8.dist/src/readjpeg.c ./src/readjpeg.c
--- ../xzgv-0.8.dist/src/readjpeg.c	2006-03-27 23:30:07.000000000 +0200
+++ ./src/readjpeg.c	2006-03-27 23:54:41.000000000 +0200
@@ -178,11 +178,13 @@
 static int have_image;
 static int width,height;
 static unsigned char *image;
+static int cmyk;
 unsigned char *ptr,*ptr2;
 int chkw,chkh;
 int f,rec;
 static int greyscale;	/* static to satisfy gcc -Wall */
 
+cmyk=0;
 greyscale=0;
 
 lineptrs=NULL;
@@ -224,6 +226,15 @@
   greyscale=1;
   }
 
+if(cinfo.jpeg_color_space==JCS_CMYK)
+  cmyk=1;
+
+if(cinfo.jpeg_color_space==JCS_YCCK)
+  {
+  cmyk=1;
+  cinfo.out_color_space=JCS_CMYK;
+  }
+
 *wp=width=cinfo.image_width;
 *hp=height=cinfo.image_height;
 
@@ -267,10 +278,10 @@
 
 if ((width <= 0) || (height <=0 ) ||
       (width > (SIZE_T_MAX/height)) ||
-      ((width * height) > SIZE_T_MAX/3))
+      ((width * (height+cmyk)) > SIZE_T_MAX/3))
   longjmp(jerr.setjmp_buffer,1);
 
-if((*imagep=image=malloc(width*height*3))==NULL)
+if((*imagep=image=malloc(width*(height+cmyk)*3))==NULL)
   longjmp(jerr.setjmp_buffer,1);
 
 jpeg_start_decompress(&cinfo);
@@ -287,12 +298,33 @@
 for(f=0;frec?rec:f);
+  rec=cinfo.rec_outbuf_height;
+  while(cinfo.output_scanlinerec?rec:f);
+    }
+  }
+else	/* cmyk output */
+  {
+  int tmp;
+
+  ptr=image;
+  while(cinfo.output_scanline

    

commit xzgv

root＠suse.de