Fix CVE-2009-2688, via <https://bugzilla.redhat.com/show_bug.cgi?id=511994>

Note xemacs 21.5 still dumps core during the build.
commit 6a19353a843281b879209849fdaf6f5201faebe9 1 parent cb58dd1
hauke authored
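--- a/editors/xemacs-current/Makefile
+++ b/editors/xemacs-current/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.75 2012/02/06 12:40:05 wiz Exp $
+# $NetBSD: Makefile,v 1.76 2012/04/27 14:37:37 hauke Exp $
 
 PKGNAME?= ${DISTNAME}
 COMMENT?= *BETA* XEmacs text editor version ${PKGVERSION_NOREV}
@@ -6,7 +6,7 @@ COMMENT?= *BETA* XEmacs text editor version ${PKGVERSION_NOREV}
 DISTNAME= xemacs-21.5.27
 EMACSVERSION= 21.5-b27
 EMACS_DISTNAME= xemacs-${EMACSVERSION}
-PKGREVISION= 12
+PKGREVISION= 13
 CATEGORIES= editors
 MASTER_SITES= ${MASTER_SITE_XEMACS:=${DISTNAME:C/[.][^.]*$//}/}
 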
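--- a/editors/xemacs-current/distinfo
+++ b/editors/xemacs-current/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.23 2011/04/01 13:00:32 wiz Exp $
+$NetBSD: distinfo,v 1.24 2012/04/27 14:37:37 hauke Exp $
 
 SHA1 (xemacs-21.5.27.tar.gz) = 55fc3e9c8fe3cac92791ffe1a0870aeae1baf0b8
 RMD160 (xemacs-21.5.27.tar.gz) = ee0caff8730c999d37aa3a19b19f23d5756837ad
@@ -17,4 +17,4 @@ SHA1 (patch-ak) = c8a3369efdd4af32b1a65cdb3d798724d63b3ed5
 SHA1 (patch-al) = 33000a300de6358c0ba3260708d6d625dcd625a2
 SHA1 (patch-am) = 0ccbead4be5da92e73a15432ff1b063da13cf0b4
 SHA1 (patch-an) = f382865087f011ea3806d707cbf784fac81ad746
-SHA1 (patch-src_glyphs-eimage.c) = 9c5990cf2f806072aeb706bba8aba6133feb9509
+SHA1 (patch-src_glyphs-eimage.c) = a382113190a65d27747a90e58294a41f3bb6df42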
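--- a/editors/xemacs-current/patches/patch-src_glyphs-eimage.c
+++ b/editors/xemacs-current/patches/patch-src_glyphs-eimage.c
@@ -1,21 +1,69 @@
-$NetBSD: patch-src_glyphs-eimage.c,v 1.1 2011/04/01 13:00:32 wiz Exp $
+$NetBSD: patch-src_glyphs-eimage.c,v 1.2 2012/04/27 14:37:37 hauke Exp $
 
-Fix build with png-1.5.
+Fix CVE-2009-2688, via <https://bugzilla.redhat.com/show_bug.cgi?id=511994>
+
+Adapt to new libpng 1.5 interfaces
 
 --- src/glyphs-eimage.c.orig 2005-11-26 11:46:08.000000000 +0000
 +++ src/glyphs-eimage.c
-@@ -929,8 +929,8 @@ png_instantiate (Lisp_Object image_insta
+@@ -401,6 +401,7 @@ jpeg_instantiate (Lisp_Object image_inst
+ */
+
+ {
++ UINT_64_BIT pixels_sq;
+ int jpeg_gray = 0; /* if we're dealing with a grayscale */
+ /* Step 4: set parameters for decompression. */
+
+@@ -423,7 +424,10 @@ jpeg_instantiate (Lisp_Object image_inst
+ jpeg_start_decompress (&cinfo);
+
+ /* Step 6: Read in the data and put into EImage format (8bit RGB triples)*/
+-
++ pixels_sq =
++ (UINT_64_BIT) cinfo.output_width * (UINT_64_BIT) cinfo.output_height;
++ if (pixels_sq > ((size_t) -1) / 3)
++ signal_image_error ("JPEG image too large to instantiate", instantiator);
+ unwind.eimage =
+ xnew_binbytes (cinfo.output_width * cinfo.output_height * 3);
+ if (!unwind.eimage)
+@@ -669,6 +673,7 @@ gif_instantiate (Lisp_Object image_insta
+ {
+ ColorMapObject *cmo = unwind.giffile->SColorMap;
+ int i, j, row, pass, interlace, slice;
++ UINT_64_BIT pixels_sq;
+ Binbyte *eip;
+ /* interlaced gifs have rows in this order:
+ 0, 8, 16, ..., 4, 12, 20, ..., 2, 6, 10, ..., 1, 3, 5, ... */
+@@ -677,6 +682,9 @@ gif_instantiate (Lisp_Object image_insta
+
+ height = unwind.giffile->SHeight;
+ width = unwind.giffile->SWidth;
++ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
++ if (pixels_sq > ((size_t) -1) / (3 * unwind.giffile->ImageCount))
++ signal_image_error ("GIF image too large to instantiate", instantiator);
+ unwind.eimage =
+ xnew_binbytes (width * height * 3 * unwind.giffile->ImageCount);
+ if (!unwind.eimage)
+@@ -929,11 +937,15 @@ png_instantiate (Lisp_Object image_insta
 {
 int y;
 Binbyte **row_pointers;
 - height = info_ptr->height;
 - width = info_ptr->width;
++ UINT_64_BIT pixels_sq;
 + height = png_get_image_height(png_ptr, info_ptr);
 + width = png_get_image_width(png_ptr, info_ptr);
++ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
++ if (pixels_sq > ((size_t) -1) / 3)
++ signal_image_error ("PNG image too large to instantiate", instantiator);
 
 /* Wow, allocate all the memory. Truly, exciting. */
- unwind.eimage = xnew_array_and_zero (Binbyte, width * height * 3);
-@@ -982,22 +982,22 @@ png_instantiate (Lisp_Object image_insta
+- unwind.eimage = xnew_array_and_zero (Binbyte, width * height * 3);
++ unwind.eimage = xnew_array_and_zero (Binbyte, (size_t) (pixels_sq * 3));
+ /* libpng expects that the image buffer passed in contains a
+ picture to draw on top of if the png has any transparencies.
+ This could be a good place to pass that in... */
+@@ -982,22 +994,22 @@ png_instantiate (Lisp_Object image_insta
 /* Now that we're using EImage, ask for 8bit RGB triples for any type
 of image*/
 /* convert palette images to full RGB */
@@ -45,16 +93,16 @@ Fix build with png-1.5.
 png_set_expand (png_ptr);
 else
 png_set_packing (png_ptr);
-@@ -1018,16 +1018,20 @@ png_instantiate (Lisp_Object image_insta
+@@ -1018,16 +1030,20 @@ png_instantiate (Lisp_Object image_insta
 unobtrusive. */
 {
 int i;
 + png_textp text_ptr;
 + int num_text;
++
++ png_get_text(png_ptr, info_ptr, &text_ptr, &num_text);
 
 - for (i = 0 ; i < info_ptr->num_text ; i++)
-+ png_get_text(png_ptr, info_ptr, &text_ptr, &num_text);
-+
 + for (i = 0 ; i < num_text ; i++)
 {
 /* How paranoid do I have to be about no trailing NULLs, and
@@ -70,3 +118,29 @@ Fix build with png-1.5.
 }
 }
 #endif
+@@ -1268,6 +1284,7 @@ tiff_instantiate (Lisp_Object image_inst
+
+ uint32 *raster;
+ Binbyte *ep;
++ UINT_64_BIT pixels_sq;
+
+ assert (!NILP (data));
+
+@@ -1290,12 +1307,15 @@ tiff_instantiate (Lisp_Object image_inst
+
+ TIFFGetField (unwind.tiff, TIFFTAG_IMAGEWIDTH, &width);
+ TIFFGetField (unwind.tiff, TIFFTAG_IMAGELENGTH, &height);
+- unwind.eimage = xnew_binbytes (width * height * 3);
++ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
++ if (pixels_sq >= 1 << 29)
++ signal_image_error ("TIFF image too large to instantiate", instantiator);
++ unwind.eimage = xnew_binbytes (pixels_sq * 3);
+
+ /* #### This is little more than proof-of-concept/function testing.
+ It needs to be reimplemented via scanline reads for both memory
+ compactness. */
+- raster = (uint32*) _TIFFmalloc (width * height * sizeof (uint32));
++ raster = (uint32*) _TIFFmalloc ((tsize_t) (pixels_sq * sizeof (uint32)));
+ if (raster != NULL)
+ {
+ int i, j;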
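Review bot: In the jpeg_instantiate hunk the new guard bounds `pixels_sq` as a 64-bit product, but the allocation two lines later still passes `cinfo.output_width * cinfo.output_height * 3`, which is multiplied in the operands' own, presumably narrower, type; on a target where size_t is wider than that type the guard passes and the narrow product can still wrap to an undersized buffer, which is the very condition the CVE fix is meant to close. The png hunk already sizes from the checked value with `(size_t) (pixels_sq * 3)`, so the jpeg line should become `xnew_binbytes ((size_t) (pixels_sq * 3));` and the gif_instantiate hunk's `xnew_binbytes (width * height * 3 * unwind.giffile->ImageCount);` should likewise be `xnew_binbytes ((size_t) (pixels_sq * 3 * unwind.giffile->ImageCount));`. The gif guard also divides by `3 * unwind.giffile->ImageCount`, which is a division by zero for a file with no images unless a check outside this hunk rejects ImageCount == 0. jpeg_instantiate and gif_instantiate both start and end outside the hunks shown.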
