Hello community, here is the log from the commit of package imlib2 checked in at Fri Nov 10 13:12:55 CET 2006. -------- --- imlib2/imlib2.changes 2006-09-20 15:24:32.000000000 +0200 +++ /mounts/work_src_done/STABLE/imlib2/imlib2.changes 2006-11-08 10:37:03.000000000 +0100 @@ -1,0 +2,12 @@ +Wed Nov 8 10:36:46 CET 2006 - meissner@suse.de + +- Added an additional JPEG fix. +- Also added a fix for TIFF images on 64bit systems. + +------------------------------------------------------------------- +Wed Oct 25 12:14:29 CEST 2006 - meissner@suse.de + +- fixed various buffer and integer overflows + in various loaders and decoders. #214313 + +------------------------------------------------------------------- New: ---- imlib2-1.2.1-more-fixes.patch imlib2-loader_jpeg.patch imlib2-tiffix.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ imlib2.spec ++++++ --- /var/tmp/diff_new_pack.Qgruh1/_old 2006-11-10 13:12:43.000000000 +0100 +++ /var/tmp/diff_new_pack.Qgruh1/_new 2006-11-10 13:12:43.000000000 +0100 @@ -14,14 +14,17 @@ BuildRequires: freetype2-devel giflib-devel libpng-devel libtiff-devel xorg-x11 xorg-x11-devel Summary: Imlib 2, the Successor to Imlib Version: 1.2.1 -Release: 22 -License: BSD +Release: 36 +License: BSD License and BSD-like Group: Development/Libraries/X11 Source: %name-%version.tar.gz Patch0: imlib2-1.2.1-fixes.patch Patch1: imlib2-X11R6-xorg.patch +Patch2: imlib2-1.2.1-more-fixes.patch +Patch3: imlib2-loader_jpeg.patch +Patch4: imlib2-tiffix.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build -URL: http://www.enlightenment.org/pages/imlib2.html +URL: http://www.enlightenment.org/Libraries/Imlib2/ Provides: imlib2-loader_jpeg imlib2-loader_png imlib2-loader_argb imlib2-loader_tiff imlib2-loader_gif imlib2-loader_zlib imlib2-loader_bz2 imlib2-loader_pnm imlib2-loader_bmp imlib2-loader_xpm imlib2-loader_tga %description 
@@ -97,6 +100,9 @@ %setup -q %patch0 -p1 %patch1 -p1 +%patch2 -p0 +%patch3 -p1 +%patch4 -p1 %build %if %suse_version > 1000 @@ -169,6 +175,12 @@ %attr(755,root,root) %{_libdir}/imlib2/loaders %changelog -n imlib2 +* Wed Nov 08 2006 - meissner@suse.de +- Added an additional JPEG fix. +- Also added a fix for TIFF images on 64bit systems. +* Wed Oct 25 2006 - meissner@suse.de +- fixed various buffer and integer overflows + in various loaders and decoders. #214313 * Wed Sep 20 2006 - schwab@suse.de - Use AM_PROG_AS. * Fri Aug 11 2006 - jw@suse.de ++++++ imlib2-1.2.1-more-fixes.patch ++++++ --- src/modules/loaders/loader_argb.c +++ src/modules/loaders/loader_argb.c @@ -23,7 +23,7 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity, char immediate_load) { - int w, h, alpha; + int w=0, h=0, alpha=0; FILE *f; if (im->data) @@ -36,13 +36,15 @@ { char buf[256], buf2[256]; + memset(buf, 0, sizeof(buf)); + memset(buf2, 0, sizeof(buf2)); if (!fgets(buf, 255, f)) { fclose(f); return 0; } sscanf(buf, "%s %i %i %i", buf2, &w, &h, &alpha); - if (strcmp(buf2, "ARGB")) + if (strcmp(buf2, "ARGB") || w < 1 || h < 1 || w > 16383 || h > 16383) { fclose(f); return 0; --- src/modules/loaders/loader_jpeg.c +++ src/modules/loaders/loader_jpeg.c @@ -95,6 +95,13 @@ UNSET_FLAG(im->flags, F_HAS_ALPHA); im->format = strdup("jpeg"); } + if (w < 1 || h < 1 || w > 16383 || h > 16383) + { + im->w = im->h = 0; + jpeg_destroy_decompress(&cinfo); + fclose(f); + return 0; + } if (((!im->data) && (im->loader)) || (immediate_load) || (progress)) { DATA8 *ptr, *line[16], *data; --- src/modules/loaders/loader_lbm.c +++ src/modules/loaders/loader_lbm.c 
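Review bot: The limit `16383` in the loader_argb.c check is a bare literal, and the same bound is repeated in the loader_jpeg.c, loader_lbm.c and loader_png.c hunks and written as `>= 16384` in loader_tiff.c. One shared macro (for example a constructed name such as `IMLIB_MAX_DIM`) would keep the loaders from drifting apart. It should carry a comment saying why the cap exists, presumably to keep `w * h * sizeof(DATA32)` inside a signed 32-bit `int`. The `sscanf` result in this hunk is also still unchecked, so a header with fewer than four fields is accepted whenever the zero initialisers pass the range test; `if (sscanf(buf, "%s %i %i %i", buf2, &w, &h, &alpha) != 4)` would reject it explicitly.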
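Review bot: The new `w < 1 || h < 1 || w > 16383 || h > 16383` test in loader_jpeg.c sits after the closing brace of the block that ends with `im->format = strdup("jpeg");`, so it also runs when that block was skipped. If `w` and `h` are assigned only inside that block (its start is outside the hunk), the test then reads indeterminate values and can reject a valid image or let an oversized one through. Testing the decoder's own fields, `cinfo.output_width` and `cinfo.output_height` (the names visible in imlib2-loader_jpeg.patch), removes the dependence on which branch ran. The early return also leaves the string just stored in `im->format` allocated; whether the caller frees it is not visible here.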
@@ -421,7 +421,7 @@ im->w = L2RWORD(ilbm.bmhd.data); im->h = L2RWORD(ilbm.bmhd.data + 2); - if (im->w <= 0 || im->h <= 0) ok = 0; + if (im->w <= 0 || im->h <= 0 || im->w > 16383 || im->h > 16383) ok = 0; ilbm.depth = ilbm.bmhd.data[8]; if (ilbm.depth < 1 || (ilbm.depth > 8 && ilbm.depth != 24 && ilbm.depth != 32)) ok = 0; /* Only 1 to 8, 24, or 32 planes. */ @@ -453,6 +453,7 @@ } } if (!full || !ok) { + im->w = im->h = 0; freeilbm(&ilbm); return ok; } @@ -467,12 +468,13 @@ cancel = 0; plane[0] = NULL; + n = ilbm.depth; + if (ilbm.mask == 1) n++; + im->data = malloc(im->w * im->h * sizeof(DATA32)); - if (im->data) { - n = ilbm.depth; - if (ilbm.mask == 1) n++; + plane[0] = malloc(((im->w + 15) / 16) * 2 * n); + if (im->data && plane[0]) { - plane[0] = malloc(((im->w + 15) / 16) * 2 * n); for (i = 1; i < n; i++) plane[i] = plane[i - 1] + ((im->w + 15) / 16) * 2; z = ((im->w + 15) / 16) * 2 * n; @@ -508,9 +510,10 @@ /*---------- * We either had a successful decode, the user cancelled, or we couldn't get - * the memory for im->data. + * the memory for im->data or plane[0]. *----------*/ if (!ok) { + im->w = im->h = 0; if (im->data) free(im->data); im->data = NULL; } --- src/modules/loaders/loader_png.c +++ src/modules/loaders/loader_png.c @@ -83,6 +83,12 @@ png_get_IHDR(png_ptr, info_ptr, (png_uint_32 *) (&w32), (png_uint_32 *) (&h32), &bit_depth, &color_type, &interlace_type, NULL, NULL); + if (w32 < 1 || h32 < 1 || w32 > 16383 || h32 > 16383) + { + png_destroy_read_struct(&png_ptr, NULL, NULL); + fclose(f); + return 0; + } im->w = (int)w32; im->h = (int)h32; if (color_type == PNG_COLOR_TYPE_PALETTE) --- src/modules/loaders/loader_pnm.c +++ src/modules/loaders/loader_pnm.c @@ -80,7 +80,7 @@ int i = 0; /* read numbers */ - while (c != EOF && !isspace(c)) + while (c != EOF && i+1 < sizeof(buf) && !isspace(c)) { buf[i++] = c; c = fgetc(f); --- src/modules/loaders/loader_tga.c +++ src/modules/loaders/loader_tga.c 
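Review bot: In the loader_lbm.c hunk at -453, `im->w = im->h = 0;` executes for `!full || !ok`, so it also clears the dimensions when `ok` is non-zero and only `full` is zero, and the function then returns success with a 0x0 image. If `full` is the flag that requests pixel decoding (it is set outside the hunk), a header-only load loses the size it has just parsed and validated. Guarding the reset, `if (!ok) im->w = im->h = 0;`, keeps the failure cleanup without touching the success path.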
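Review bot: The early return added to loader_png.c calls `png_destroy_read_struct(&png_ptr, NULL, NULL);`, which does not release the info struct used by the preceding `png_get_IHDR(png_ptr, info_ptr, ...)` call, so each rejected image leaks it. Passing it through, `png_destroy_read_struct(&png_ptr, &info_ptr, NULL);`, frees both structures. `w32` and `h32` are cast to `png_uint_32 *` in that call, which suggests they are declared with a different type. If that type is wider than 32 bits, libpng never writes the upper half, so it is worth confirming both are zero-initialised before the new range test reads them.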
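Review bot: The added `i+1 < sizeof(buf)` bound in loader_pnm.c stops the copy when `buf` is full but leaves the rest of an over-long token in the stream, where the remaining digits would presumably be read as the next header value. Treating an over-long number as a malformed file, by failing the load when the loop exits with `c` neither `EOF` nor whitespace, is safer than continuing with a truncated value. The comparison also mixes `int` and `size_t`; `(size_t)i + 1 < sizeof(buf)` makes the intended unsigned comparison explicit. How `buf` is terminated and parsed after the loop is outside the hunk.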
@@ -319,6 +319,7 @@ { unsigned long datasize; unsigned char *bufptr; + unsigned char *bufend; DATA32 *dataptr; int y, pl = 0; @@ -348,6 +349,9 @@ /* bufptr is the next byte to be read from the buffer */ bufptr = filedata; + /* bufend is one past the last byte to be read from the buffer */ + bufend = filedata + datasize; + /* dataptr is the next 32-bit pixel to be filled in */ dataptr = im->data; @@ -365,7 +369,9 @@ else dataptr = im->data + (y * im->w); - for (x = 0; x < im->w; x++) /* for each pixel in the row */ + for (x = 0; x < im->w + && bufptr+bpp/8 < bufend; + x++) /* for each pixel in the row */ { switch (bpp) { @@ -422,13 +428,17 @@ unsigned char curbyte, red, green, blue, alpha; DATA32 *final_pixel = dataptr + im->w * im->h; - /* loop until we've got all the pixels */ - while (dataptr < final_pixel) + /* loop until we've got all the pixels or run out of input. */ + while (dataptr < final_pixel && bufptr+1+bpp/8 < bufend) { int count; curbyte = *bufptr++; count = (curbyte & 0x7F) + 1; + if (dataptr+count > final_pixel) + { + count = final_pixel - dataptr; + } if (curbyte & 0x80) /* RLE packet */ { --- src/modules/loaders/loader_tiff.c +++ src/modules/loaders/loader_tiff.c 
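Review bot: Both new bounds in loader_tga.c are off by one against the added comment's own definition, `bufend is one past the last byte`. Reading `bpp/8` bytes at `bufptr` is in range when `bufptr + bpp/8 <= bufend`, so `bufptr+bpp/8 < bufend` drops the final pixel of a file whose data ends exactly at `bufend`. The RLE loop guard `bufptr+1+bpp/8 < bufend` also covers one pixel only. If the non-RLE branch (outside the hunk) copies `count` raw pixels from `bufptr`, up to 128 pixels are consumed after a check that covered one, so that branch needs its own `bufptr + bpp/8 <= bufend` test per pixel or a check of `count * (bpp/8)` against `bufend - bufptr` before the copy. When either loop stops early the remainder of `im->data` is left unwritten, so the loader should fail or clear those pixels rather than return whatever the allocation contained.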
@@ -192,8 +192,16 @@ } rgba_image.image = im; - im->w = width = rgba_image.rgba.width; - im->h = height = rgba_image.rgba.height; + width = rgba_image.rgba.width; + height = rgba_image.rgba.height; + if (width < 1 || height < 1 || width >= 16384 || height >= 16384) + { + TIFFRGBAImageEnd((TIFFRGBAImage *) &rgba_image); + TIFFClose(tif); + return 0; + } + im->w = width; + im->h = height; rgba_image.num_pixels = num_pixels = width * height; if (rgba_image.rgba.alpha != EXTRASAMPLE_UNSPECIFIED) SET_FLAG(im->flags, F_HAS_ALPHA); ++++++ imlib2-loader_jpeg.patch ++++++ diff -Nur imlib2-1.2.1/src/modules/loaders/loader_jpeg.c imlib2-1.2.1.new/src/modules/loaders/loader_jpeg.c --- imlib2-1.2.1/src/modules/loaders/loader_jpeg.c 2006-11-06 01:27:59.000000000 -0800 +++ imlib2-1.2.1.new/src/modules/loaders/loader_jpeg.c 2006-11-06 01:33:01.000000000 -0800 @@ -104,8 +104,9 @@ im->w = w = cinfo.output_width; im->h = h = cinfo.output_height; - if (cinfo.rec_outbuf_height > 16) + if (cinfo.rec_outbuf_height > 16 || w < 1 || h < 1 || w > 16383 || h > 16383) { + im->w = im->h = 0; jpeg_destroy_decompress(&cinfo); fclose(f); return 0; ++++++ imlib2-tiffix.patch ++++++ --- imlib2-1.2.1/src/modules/loaders/loader_tiff.c.xx 2006-11-07 16:36:48.000000000 +0100 +++ imlib2-1.2.1/src/modules/loaders/loader_tiff.c 2006-11-07 16:36:57.000000000 +0100 @@ -92,7 +92,7 @@ for (i = y, rast_offset = 0; i > dy; i--, rast_offset--) { - pixel = rast + (rast_offset * image_width); + pixel = rast + (rast_offset * (int)image_width); buffer_pixel = buffer + ((((image_height - 1) - i) * image_width) + x); for (j = 0; j < w; j++) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
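Review bot: The `(int)image_width` cast in imlib2-tiffix.patch has no comment explaining why it is needed, and the `buffer_pixel` line directly below still multiplies by the uncast `image_width`. Presumably `image_width` is an unsigned 32-bit type and `rast_offset` goes negative, so without the cast the product wraps to a large positive offset when added to a 64-bit pointer. A comment such as `/* keep the product signed: rast_offset is negative and image_width is unsigned */` would stop the cast from being removed as redundant. In `buffer_pixel`, `((image_height - 1) - i) * image_width` is still evaluated in the unsigned type, so it relies on `i` never exceeding `image_height - 1`; the loop bounds are set outside the hunk and should be confirmed.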