Hello community, here is the log from the commit of package mozilla-xulrunner190 for openSUSE:Factory checked in at Thu Mar 26 23:31:36 CET 2009. -------- --- mozilla-xulrunner190/mozilla-xulrunner190.changes 2009-03-06 08:58:32.000000000 +0100 +++ mozilla-xulrunner190/mozilla-xulrunner190.changes 2009-03-14 15:08:51.000000000 +0100 @@ -1,0 +2,12 @@ +Fri Mar 13 23:00:53 CET 2009 - wr@rosenauer.org + +- make mozjs consumers using rpath to the correct location + to find the library at runtime (bnc#479505) + +------------------------------------------------------------------- +Wed Mar 11 16:14:09 CST 2009 - pwu@suse.de + +- Fixes bnc#479610(MozillaFirefox: LittleCMS integer overflows), + add a patch lcms-bnc479606.patch. + +------------------------------------------------------------------- calling whatdependson for head-i586 New: ---- lcms-bnc479606.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ mozilla-xulrunner190.spec ++++++ --- /var/tmp/diff_new_pack.j25059/_old 2009-03-26 23:25:10.000000000 +0100 +++ /var/tmp/diff_new_pack.j25059/_new 2009-03-26 23:25:10.000000000 +0100 @@ -33,7 +33,7 @@ %endif License: GPL v2 or later; LGPL v2.1 or later; MOZILLA PUBLIC LICENSE (MPL/NPL) Version: 1.9.0.7 -Release: 1 +Release: 2 Summary: Mozilla Runtime Environment 1.9 Url: http://www.mozilla.org Group: Productivity/Other @@ -66,6 +66,7 @@ Patch22: mozilla-shared-nss-db.patch Patch23: bmo472464.patch Patch24: bnc465284-VUL-designMode.patch +Patch25: lcms-bnc479606.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: libstdc++ expat pango xorg-x11-libs fontconfig freetype2 PreReq: gtk2 atk glib2 update-alternatives coreutils @@ -212,6 +213,9 @@ %patch22 %patch23 %patch24 -p1 +pushd modules/lcms +%patch25 -p1 +popd %build MOZ_APP_DIR=%{_libdir}/%{name}-%{version_internal} @@ -480,6 +484,12 @@ %endif %changelog +* Fri Mar 13 2009 wr@rosenauer.org +- make mozjs consumers using rpath to the correct location + to find the library at runtime (bnc#479505) +* Wed Mar 11 2009 pwu@suse.de +- Fixes bnc#479610(MozillaFirefox: LittleCMS integer overflows), + add a patch lcms-bnc479606.patch. * Thu Mar 05 2009 pwu@suse.de - Backport a patch from xulrunner191, and fix bnc#465284 and CVE-2009-0071. @@ -543,7 +553,7 @@ * Fri Dec 05 2008 hfiguiere@suse.de - resetting /system/proxy/mode to 'none' set back network.proxy.type to 5 instead of 0. (bnc#441648) -* Thu Nov 20 2008 maw@suse.de +* Fri Nov 21 2008 maw@suse.de - Review and approve changes. * Wed Nov 19 2008 wr@rosenauer.org - updated mozilla-shared-nss-db.patch @@ -551,16 +561,16 @@ * feature can be disabled completely at runtime exporting MOZ_XRE_NO_NSSHELPER=1 before starting Firefox (that helps to workaround bnc#444780 and makes sense anyway) -* Wed Nov 12 2008 hfiguiere@suse.de +* Thu Nov 13 2008 hfiguiere@suse.de - Added gecko-lockdown.patch and toolkit-ui-lockdown.patch * Iron out some bugs from lockdown (bnc#439380) * Apparently fixes (bnc#443420) -* Wed Nov 12 2008 maw@suse.de +* Thu Nov 13 2008 maw@suse.de - Review and approve changes. * Tue Nov 11 2008 wr@rosenauer.org - update to security/maintenance release 1.9.0.4 (bnc#439841) * support additional locales -* Wed Nov 05 2008 hpj@novell.com +* Thu Nov 06 2008 hpj@novell.com - Add mozilla-shared-nss-db.patch, which migrates the old NSS DB to the new, shared format and location. * Tue Oct 28 2008 maw@suse.de @@ -598,7 +608,7 @@ - Check whether the build is happening on the build service by using 0%%{?opensuse_bs} - Readd unzip to the list of build requirements. -* Fri Aug 15 2008 maw@novell.com +* Sat Aug 16 2008 maw@novell.com - Review and approve changes. * Wed Aug 06 2008 wr@rosenauer.org - Fix releasedate and apiversion defines ++++++ lcms-bnc479606.patch ++++++ --- lcms-1.17/include/lcms.h +++ lcms-1.18/include/lcms.h @@ -1415,6 +1415,14 @@ return (void*) malloc(size); } +LCMS_INLINE void* _cmsCalloc(size_t nmemb, size_t size) +{ + size_t alloc = nmemb * size; + if (alloc < nmemb || alloc < size) { + return NULL; + } + return _cmsMalloc(alloc); +} LCMS_INLINE void _cmsFree(void *Ptr) { @@ -2027,6 +2035,10 @@ // Build a tone curve for K->K' if possible (only works on CMYK) LPGAMMATABLE _cmsBuildKToneCurve(cmsHTRANSFORM hCMYK2CMYK, int nPoints); +// Validates a LUT +LCMSBOOL cdecl _cmsValidateLUT(LPLUT NewLUT); + + // These are two VITAL macros, from converting between 8 and 16 bit // representation. --- lcms-1.17/src/cmsgamma.c +++ lcms-1.18/src/cmsgamma.c @@ -114,7 +114,7 @@ LPGAMMATABLE p; size_t size; - if (nEntries > 65530 || nEntries < 0) { + if (nEntries > 65530 || nEntries <= 0) { cmsSignalError(LCMS_ERRC_ABORTED, "Couldn't create gammatable of more than 65530 entries"); return NULL; } --- lcms-1.17/src/cmsio0.c +++ lcms-1.18/src/cmsio0.c @@ -33,7 +33,7 @@ typedef struct { LPBYTE Block; // Points to allocated memory size_t Size; // Size of allocated memory - int Pointer; // Points to current location + size_t Pointer; // Points to current location int FreeBlockOnClose; // As title } FILEMEM; @@ -75,7 +75,17 @@ FILEMEM* ResData = (FILEMEM*) Icc ->stream; LPBYTE Ptr; size_t len = size * count; + size_t extent = ResData -> Pointer + len; + if (len < size || len < count) { + cmsSignalError(LCMS_ERRC_ABORTED, "Read from memory error. Integer overflow with count / size."); + return 0; + } + + if (extent < len || extent < ResData -> Pointer) { + cmsSignalError(LCMS_ERRC_ABORTED, "Read from memory error. Integer overflow with len."); + return 0; + } if (ResData -> Pointer + len > ResData -> Size){ --- lcms-1.17/src/cmsio1.c +++ lcms-1.18/src/cmsio1.c @@ -261,11 +261,14 @@ // Read profile header and validate it static -LPLCMSICCPROFILE ReadHeader(LPLCMSICCPROFILE Icc, LCMSBOOL lIsFromMemory) +LPLCMSICCPROFILE ReadHeader(LPLCMSICCPROFILE Icc, + LCMSBOOL lIsFromMemory, + DWORD dwSize) { icTag Tag; icHeader Header; icInt32Number TagCount, i; + icUInt32Number extent; if (Icc -> Read(&Header, sizeof(icHeader), 1, Icc) != 1) goto ErrorCleanup; @@ -287,6 +290,10 @@ if (Header.magic != icMagicNumber) goto ErrorCleanup; + if (dwSize && dwSize != Header.size) { + goto ErrorCleanup; + } + if (Icc ->Read(&TagCount, sizeof(icInt32Number), 1, Icc) != 1) goto ErrorCleanup; @@ -321,7 +328,7 @@ // Read tag directory - if (TagCount > MAX_TABLE_TAG) { + if (TagCount > MAX_TABLE_TAG || TagCount < 0) { cmsSignalError(LCMS_ERRC_ABORTED, "Too many tags (%d)", TagCount); goto ErrorCleanup; @@ -338,8 +345,9 @@ AdjustEndianess32((LPBYTE) &Tag.sig); // Signature // Perform some sanity check. Offset + size should fall inside file. - - if (Tag.offset + Tag.size > Header.size) goto ErrorCleanup; + extent = Tag.offset + Tag.size; + if (extent > Header.size || extent < Tag.offset) + goto ErrorCleanup; Icc -> TagNames[i] = Tag.sig; Icc -> TagOffsets[i] = Tag.offset; @@ -494,9 +502,9 @@ NewLUT -> OutputEntries = 256; // Do some checking - if (NewLUT -> cLutPoints > 100) NewLUT ->cLutPoints = 100; - if (NewLUT -> InputChan > MAXCHANNELS) NewLUT -> InputChan = MAXCHANNELS; - if (NewLUT -> OutputChan > MAXCHANNELS) NewLUT -> OutputChan = MAXCHANNELS; + if (!_cmsValidateLUT(NewLUT)) { + return FALSE; + } AdjustEndianess32((LPBYTE) &LUT8.e00); AdjustEndianess32((LPBYTE) &LUT8.e01); @@ -571,7 +579,7 @@ if (nTabSize > 0) { - PtrW = (LPWORD) _cmsMalloc(sizeof(WORD) * nTabSize); + PtrW = (LPWORD) _cmsCalloc(sizeof(WORD), nTabSize); if (PtrW == NULL) return FALSE; Temp = (LPBYTE) _cmsMalloc(nTabSize); @@ -662,6 +670,15 @@ // some profiles does claim to do that. Poor lcms will try // to detect such condition and fix up "on the fly". + switch (sig) { + + case icSigBToA0Tag: + case icSigBToA1Tag: + case icSigBToA2Tag: + case icSigGamutTag: + case icSigPreview0Tag: + case icSigPreview1Tag: + case icSigPreview2Tag: { LPWORD WhiteLab, ExpectedWhite; WORD WhiteFixed[MAXCHANNELS], WhiteUnfixed[MAXCHANNELS]; @@ -701,7 +718,10 @@ } } + break; + default:; + } } return TRUE; @@ -736,6 +756,9 @@ NewLUT -> InputEntries = LUT16.inputEnt; NewLUT -> OutputEntries = LUT16.outputEnt; + if (!_cmsValidateLUT(NewLUT)) { + return FALSE; + } // Matrix handling @@ -798,11 +821,9 @@ NewLUT->InputChan)); if (nTabSize > 0) { - PtrW = (LPWORD) _cmsMalloc(sizeof(WORD) * nTabSize); - if (PtrW == NULL) { - _cmsFree(PtrW); + PtrW = (LPWORD) _cmsCalloc(sizeof(WORD), nTabSize); + if (PtrW == NULL) return FALSE; - } NewLUT -> T = PtrW; NewLUT -> Tsize = (unsigned int) (nTabSize * sizeof(WORD)); @@ -1108,15 +1129,24 @@ static LCMSBOOL ReadCLUT(LPLCMSICCPROFILE Icc, size_t Offset, LPLUT NewLUT) { - + unsigned int j; icCLutStruct CLUT; if (Icc -> Seek(Icc, Offset)) return FALSE; if (Icc ->Read(&CLUT, sizeof(icCLutStruct), 1, Icc) != 1) return FALSE; - cmsAlloc3DGrid(NewLUT, CLUT.gridPoints[0], NewLUT ->InputChan, - NewLUT ->OutputChan); + for (j=1; j < NewLUT ->InputChan; j++) { + if (CLUT.gridPoints[0] != CLUT.gridPoints[j]) { + cmsSignalError(LCMS_ERRC_ABORTED, "CLUT with different granulatity is currently unsupported."); + return FALSE; + } + + + } + + if (cmsAlloc3DGrid(NewLUT, CLUT.gridPoints[0], NewLUT ->InputChan, + NewLUT ->OutputChan) == NULL) return FALSE; // Precission can be 1 or 2 bytes @@ -1173,10 +1203,11 @@ else nCurves = NewLUT ->OutputChan; + ZeroMemory(Curves, sizeof(Curves)); for (i=0; i < nCurves; i++) { Curves[i] = ReadCurve(Icc); - if (Curves[i] == NULL) return FALSE; + if (Curves[i] == NULL) goto Error; SkipAlignment(Icc); } @@ -1188,6 +1219,16 @@ return TRUE; +Error: + for (i=0; i < nCurves; i++) { + + if (Curves[i]) + cmsFreeGamma(Curves[i]); + } + + return FALSE; + + } // V4 stuff. LutAtoB type @@ -1209,6 +1250,13 @@ NewLUT -> InputChan = LUT16.inputChan; NewLUT -> OutputChan = LUT16.outputChan; + // Validate the NewLUT here to avoid excessive number of channels + // (leading to stack-based buffer overflow in ReadSetOfCurves). + // Needs revalidation after table size is filled in. + if (!_cmsValidateLUT(NewLUT)) { + return FALSE; + } + AdjustEndianess32((LPBYTE) &LUT16.offsetB); AdjustEndianess32((LPBYTE) &LUT16.offsetMat); AdjustEndianess32((LPBYTE) &LUT16.offsetM); @@ -1268,6 +1316,13 @@ NewLUT -> InputChan = LUT16.inputChan; NewLUT -> OutputChan = LUT16.outputChan; + // Validate the NewLUT here to avoid excessive number of channels + // (leading to stack-based buffer overflow in ReadSetOfCurves). + // Needs revalidation after table size is filled in. + if (!_cmsValidateLUT(NewLUT)) { + return FALSE; + } + AdjustEndianess32((LPBYTE) &LUT16.offsetB); AdjustEndianess32((LPBYTE) &LUT16.offsetMat); AdjustEndianess32((LPBYTE) &LUT16.offsetM); @@ -1558,6 +1613,8 @@ for (i=0; i < Offset; i++) { char Discard; + // No return checking; could lead to large loop in + // combination with int oflow above computing Offset. Icc ->Read(&Discard, 1, 1, Icc); } @@ -1566,7 +1623,7 @@ if (Len < 0) Len = 0; if (Len > 20*1024) Len = 20 * 1024; - wchar = (wchar_t*) _cmsMalloc(Len+2); + wchar = (wchar_t*) _cmsMalloc(Len*sizeof(wchar_t)+2); if (!wchar) return -1; if (Icc ->Read(wchar, 1, Len, Icc) != Len) return -1; @@ -1942,6 +1999,8 @@ char Root[33]; ZeroMemory(Colorant, sizeof(WORD) * MAXCHANNELS); + // No return value checking; could cause trouble with + // large count. Icc -> Read(Root, 1, 32, Icc); Icc -> Read(PCS, 3, sizeof(WORD), Icc); @@ -1975,7 +2034,8 @@ LPcmsNAMEDCOLORLIST LCMSEXPORT cmsReadColorantTable(cmsHPROFILE hProfile, icTagSignature sig) { - icInt32Number n, Count, i; + icInt32Number n; + icUInt32Number Count, i; size_t offset; icTagTypeSignature BaseType; LPLCMSICCPROFILE Icc = (LPLCMSICCPROFILE) (LPSTR) hProfile; @@ -2316,6 +2376,10 @@ Icc ->Read(&Count, sizeof(icUInt32Number), 1, Icc); AdjustEndianess32((LPBYTE) &Count); + if (Count > 1000) { + return NULL; + } + size = sizeof(int) + Count * sizeof(cmsPSEQDESC); OutSeq = (LPcmsSEQ) _cmsMalloc(size); if (OutSeq == NULL) return NULL; @@ -2496,7 +2560,7 @@ NewIcc = _cmsCreateProfileFromFilePlaceholder(lpFileName); if (!NewIcc) return NULL; - if (!ReadHeader(NewIcc, FALSE)) return NULL; + if (!ReadHeader(NewIcc, FALSE, 0)) return NULL; ReadCriticalTags(NewIcc); @@ -2516,7 +2580,7 @@ NewIcc = _cmsCreateProfileFromMemPlaceholder(MemPtr, dwSize); if (!NewIcc) return NULL; - if (!ReadHeader(NewIcc, TRUE)) return NULL; + if (!ReadHeader(NewIcc, TRUE, dwSize)) return NULL; ReadCriticalTags(NewIcc); --- lcms-1.17/src/cmslut.c +++ lcms-1.18/src/cmslut.c @@ -183,6 +183,37 @@ } +LCMSBOOL _cmsValidateLUT(LPLUT NewLUT) +{ + unsigned int calc = 1; + unsigned int oldCalc; + unsigned int power = NewLUT -> InputChan; + + if (NewLUT -> cLutPoints > 100) return FALSE; + if (NewLUT -> InputChan > MAXCHANNELS) return FALSE; + if (NewLUT -> OutputChan > MAXCHANNELS) return FALSE; + + if (NewLUT -> cLutPoints == 0) return TRUE; + + for (; power > 0; power--) { + + oldCalc = calc; + calc *= NewLUT -> cLutPoints; + + if (calc < oldCalc || calc < NewLUT -> cLutPoints) { + return FALSE; + } + } + + oldCalc = calc; + calc *= NewLUT -> OutputChan; + if (calc < oldCalc || calc < NewLUT -> OutputChan) { + return FALSE; + } + + return TRUE; +} + LPLUT LCMSEXPORT cmsAlloc3DGrid(LPLUT NewLUT, int clutPoints, int inputChan, int outputChan) { DWORD nTabSize; @@ -192,12 +223,15 @@ NewLUT -> InputChan = inputChan; NewLUT -> OutputChan = outputChan; + if (!_cmsValidateLUT(NewLUT)) { + return NULL; + } - nTabSize = (NewLUT -> OutputChan * UIpow(NewLUT->cLutPoints, - NewLUT->InputChan) - * sizeof(WORD)); + nTabSize = NewLUT -> OutputChan * UIpow(NewLUT->cLutPoints, + NewLUT->InputChan); - NewLUT -> T = (LPWORD) _cmsMalloc(nTabSize); + NewLUT -> T = (LPWORD) _cmsCalloc(sizeof(WORD), nTabSize); + nTabSize *= sizeof(WORD); if (NewLUT -> T == NULL) return NULL; ZeroMemory(NewLUT -> T, nTabSize); ++++++ mozilla-pkgconfig.patch ++++++ --- /var/tmp/diff_new_pack.j25059/_old 2009-03-26 23:25:12.000000000 +0100 +++ /var/tmp/diff_new_pack.j25059/_new 2009-03-26 23:25:12.000000000 +0100 @@ -157,9 +157,9 @@ =================================================================== RCS file: /cvsroot/mozilla/xulrunner/installer/mozilla-js.pc.in,v retrieving revision 1.1 -diff -u -p -6 -r1.1 mozilla-js.pc.in +diff -u -p -r1.1 mozilla-js.pc.in --- xulrunner/installer/mozilla-js.pc.in 3 Aug 2007 14:46:28 -0000 1.1 -+++ xulrunner/installer/mozilla-js.pc.in 6 Jun 2008 09:58:59 -0000 ++++ xulrunner/installer/mozilla-js.pc.in 13 Mar 2009 22:00:10 -0000 @@ -1,10 +1,11 @@ prefix=%prefix% sdkdir=%sdkdir% @@ -170,6 +170,7 @@ Description: The Mozilla JavaScript Library Version: %MOZILLA_VERSION% Requires: %NSPR_NAME% >= %NSPR_VERSION% - Libs: -L${sdkdir}/lib -lmozjs +-Libs: -L${sdkdir}/lib -lmozjs -Cflags: -I${includedir}/stable -DXP_UNIX -DJS_THREADSAFE ++Libs: -Wl,-rpath,${libdir} -L${sdkdir}/lib -lmozjs +Cflags: -I${includedir}/unstable -DXP_UNIX -DJS_THREADSAFE ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org