gdk-pixbuf: fix CVE-2017-6311, CVE-2017-6312, CVE-2017-6313, CVE-2017…

…-6314, CVE-2017-1000422

components/library/gdk-pixbuf/Makefile

@@ -18,7 +18,7 @@ include ../../../make-rules/shared-macros.mk
 COMPONENT_NAME= gdk-pixbuf
 
 COMPONENT_VERSION= 2.31.6
-COMPONENT_REVISION= 3
+COMPONENT_REVISION= 4
 COMPONENT_SUMMARY= GNOME gdk-pixbuf
 COMPONENT_SRC= $(COMPONENT_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE= $(COMPONENT_SRC).tar.xz
@@ -43,6 +43,9 @@ CFLAGS   += $(JPEG_CPPFLAGS) $(JPEG_CFLAGS)
 CXXFLAGS += $(JPEG_CPPFLAGS) $(JPEG_CXXFLAGS)
 LDFLAGS  += $(JPEG_LDFLAGS)
 
+# Find issues with undefined symbols in build time
+LD_OPTIONS += $(LD_Z_DEFS)
+
 CONFIGURE_OPTIONS.32 += --sysconfdir=/etc
 CONFIGURE_OPTIONS.64 += --sysconfdir=/etc/$(MACH64)
 CONFIGURE_OPTIONS += --with-x11

components/library/gdk-pixbuf/patches/12-CVE-2017-6311.patch

@@ -0,0 +1,44 @@
+From 758655315bc3760c2d646e1e935f7448847073af Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Thu, 27 Jul 2017 13:27:47 +0100
+Subject: ico: Return an error when the ICO didn't load
+
+If we don't even read enough data to fill the header, return an
+error. This doesn't cover everything that could go wrong with
+the ICO incremental loader, but this is a good first throw.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=778204
+---
+ gdk-pixbuf/io-ico.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+Index: gdk-pixbuf-2.32.2/gdk-pixbuf/io-ico.c
+===================================================================
+--- gdk-pixbuf-2.32.2.orig/gdk-pixbuf/io-ico.c
++++ gdk-pixbuf-2.32.2/gdk-pixbuf/io-ico.c
+@@ -587,6 +587,7 @@ gdk_pixbuf__ico_image_stop_load(gpointer
+ {
+ 	struct ico_progressive_state *context =
+ 	    (struct ico_progressive_state *) data;
++	gboolean ret = TRUE;
+
+         /* FIXME this thing needs to report errors if
+          * we have unused image data
+@@ -594,8 +595,16 @@ gdk_pixbuf__ico_image_stop_load(gpointer
+
+ 	g_return_val_if_fail(context != NULL, TRUE);
+
++	if (context->HeaderDone < context->HeaderSize) {
++		g_set_error_literal (error,
++				     GDK_PIXBUF_ERROR,
++				     GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
++				     _("ICO image was truncated or incomplete."));
++		ret = FALSE;
++	}
++
+ 	context_free (context);
+-        return TRUE;
++        return ret;
+ }
+
+ static void

components/library/gdk-pixbuf/patches/13-CVE-2017-6312.patch

@@ -0,0 +1,50 @@
+Backported of:
+
+From dec9ca22d70c0f0d4492333b4e8147afb038afd2 Mon Sep 17 00:00:00 2001
+From: Dhiru Kholia <dhiru.kholia@gmail.com>
+Date: Thu, 30 Nov 2017 02:36:26 +0100
+Subject: ico: Fix potential integer overflow
+
+Which relies on undefined behaviour. Instead of checking for an
+overflowed integer after the fact, check whether the addition would
+be possible at all.
+
+Fixes: CVE-2017-6312
+
+Index: gdk-pixbuf-2.32.2/gdk-pixbuf/io-ico.c
+===================================================================
+--- gdk-pixbuf-2.32.2.orig/gdk-pixbuf/io-ico.c
++++ gdk-pixbuf-2.32.2/gdk-pixbuf/io-ico.c
+@@ -25,6 +25,8 @@
+ #undef DUMPBIH
+ #define DEBUG(s)
+
++#define INFOHEADER_SIZE 40
++
+ /*
+
+ Icons are just like BMP's, except for the header.
+@@ -317,10 +319,8 @@ static void DecodeHeader(guchar *Data, g
+ 			return;
+ 		}
+
+-		/* We know how many bytes are in the "header" part. */
+-		State->HeaderSize = entry->DIBoffset + 40; /* 40 = sizeof(InfoHeader) */
+-
+-		if (State->HeaderSize < 0) {
++		/* Avoid invoking undefined behavior in the State->HeaderSize calculation below */
++		if (entry->DIBoffset > G_MAXINT - INFOHEADER_SIZE) {
+ 			g_set_error (error,
+ 			             GDK_PIXBUF_ERROR,
+ 			             GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+@@ -328,6 +328,10 @@ static void DecodeHeader(guchar *Data, g
+ 			return;
+ 		}
+
++		/* We know how many bytes are in the "header" part. */
++		State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE;
++
++
+ 		if (State->HeaderSize>State->BytesInHeaderBuf) {
+ 			guchar *tmp=g_try_realloc(State->HeaderBuf,State->HeaderSize);
+ 			if (!tmp) {

components/library/gdk-pixbuf/patches/14-CVE-2017-6313.patch

@@ -0,0 +1,30 @@
+From 210b16399a492d05efb209615a143920b24251f4 Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Tue, 5 Dec 2017 11:51:02 +0100
+Subject: icns: Protect against too short blocklen (CVE-2017-6313)
+
+The blocklen needs to be at least header sized to be valid, otherwise we
+can underflow picture data or mask data lengths.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=779016
+---
+ gdk-pixbuf/io-icns.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/gdk-pixbuf/io-icns.c b/gdk-pixbuf/io-icns.c
+index a432e46..41732b1 100644
+--- a/gdk-pixbuf/io-icns.c
++++ b/gdk-pixbuf/io-icns.c
+@@ -95,7 +95,8 @@ load_resources (unsigned size, IN gpointer data, gsize datalen,
+       blocklen = GUINT32_FROM_BE (header->size);
+
+       /* Check that blocklen isn't garbage */
+-      if (blocklen > icnslen - (current - bytes))
++      if (blocklen > icnslen - (current - bytes) ||
++	  blocklen < sizeof (IcnsBlockHeader))
+         return FALSE;
+
+       switch (size)
+-- 
+cgit v0.12
+

components/library/gdk-pixbuf/patches/15-CVE-2017-6314.patch

@@ -0,0 +1,44 @@
+From 1e513abdb55529f888233d3c96b27352d83aad5f Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Tue, 5 Dec 2017 10:26:49 +0100
+Subject: [PATCH] tiff: Avoid overflowing buffer size computation
+
+Use g_uint_checked_mul() to avoid overflowing the guint used for buffer
+size calculation.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=779020
+---
+ gdk-pixbuf/io-tiff.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- gdk-pixbuf-2.31.6/gdk-pixbuf/io-tiff.c.~2~	2018-01-16 22:19:50.927208007 +0000
++++ gdk-pixbuf-2.31.6/gdk-pixbuf/io-tiff.c	2018-01-16 22:20:49.864524813 +0000
+@@ -497,6 +497,10 @@
+         return retval;
+ }
+
++/* Available in glib since 2.48 */
++static inline gboolean _g_uint_checked_mul (guint32 *dest, guint32 a, guint32 b) {
++  *dest = a * b; return !a || *dest / a == b; }
++
+ static gboolean
+ make_available_at_least (TiffContext *context, guint needed)
+ {
+@@ -506,8 +510,15 @@
+         need_alloc = context->used + needed;
+         if (need_alloc > context->allocated) {
+                 guint new_size = 1;
+-                while (new_size < need_alloc)
+-                        new_size *= 2;
++                while (new_size < need_alloc) {
++                        if (!_g_uint_checked_mul (&new_size, new_size, 2)) {
++                                new_size = 0;
++                                break;
++                        }
++                }
++
++                if (new_size == 0)
++                        return FALSE;
+
+                 new_buffer = g_try_realloc (context->buffer, new_size);
+                 if (new_buffer) {

components/library/gdk-pixbuf/patches/16-CVE-2017-1000422.patch

@@ -0,0 +1,75 @@
+--- a/gdk-pixbuf/io-gif.c
++++ b/gdk-pixbuf/io-gif.c
+@@ -817,6 +817,35 @@
+                                          context->user_data);
+ }
+
++/* Available in glib since 2.48 */
++static inline gboolean _g_uint64_checked_mul (guint64 *dest, guint64 a, guint64 b) {
++  *dest = a * b; return !a || *dest / a == b; }
++
++/* Available in gdk-pixbuf 2.36.8 */
++static gint
++_gdk_pixbuf_calculate_rowstride (GdkColorspace colorspace,
++				gboolean      has_alpha,
++				int           bits_per_sample,
++				int           width,
++				int           height)
++{
++	unsigned int channels;
++
++	g_return_val_if_fail (colorspace == GDK_COLORSPACE_RGB, -1);
++	g_return_val_if_fail (bits_per_sample == 8, -1);
++	g_return_val_if_fail (width > 0, -1);
++	g_return_val_if_fail (height > 0, -1);
++
++	channels = has_alpha ? 4 : 3;
++
++	/* Overflow? */
++	if (width > (G_MAXINT - 3) / channels)
++		return -1;
++
++	/* Always align rows to 32-bit boundaries */
++	return (width * channels + 3) & ~3;
++}
++
+ static int
+ gif_get_lzw (GifContext *context)
+ {
+@@ -850,13 +879,29 @@
+                                 pixels[2] = 0;
+                                 pixels[3] = 0;
+                         }
+-                } else
+-                        context->frame->pixbuf =
+-                                gdk_pixbuf_new (GDK_COLORSPACE_RGB,
+-                                                TRUE,
+-                                                8,
+-                                                context->frame_len,
+-                                                context->frame_height);
++                } else {
++                        int rowstride;
++                        guint64 len;
++
++                        rowstride = _gdk_pixbuf_calculate_rowstride (GDK_COLORSPACE_RGB,
++                                                                    TRUE,
++                                                                    8,
++                                                                    context->frame_len,
++                                                                    context->frame_height);
++                        if (rowstride > 0 &&
++                            _g_uint64_checked_mul (&len, rowstride, context->frame_height) &&
++                            len <= G_MAXINT) {
++                                context->frame->pixbuf =
++                                        gdk_pixbuf_new (GDK_COLORSPACE_RGB,
++                                                        TRUE,
++                                                        8,
++                                                        context->frame_len,
++                                                        context->frame_height);
++                        } else {
++                                context->frame->pixbuf = NULL;
++                        }
++                }
++
+                 if (!context->frame->pixbuf) {
+                         g_free (context->frame);
+                         g_set_error_literal (context->error,