
Fix CVE-2009-2688, via <https://bugzilla.redhat.com/show_bug.cgi?id=511994>

Note xemacs 21.5 still dumps core during the build.
1 parent cb58dd1 commit 6a19353a843281b879209849fdaf6f5201faebe9 hauke committed Apr 27, 2012
4 editors/xemacs-current/Makefile
@@ -1,12 +1,12 @@
-# $NetBSD: Makefile,v 1.75 2012/02/06 12:40:05 wiz Exp $
+# $NetBSD: Makefile,v 1.76 2012/04/27 14:37:37 hauke Exp $
PKGNAME?= ${DISTNAME}
COMMENT?= *BETA* XEmacs text editor version ${PKGVERSION_NOREV}
DISTNAME= xemacs-21.5.27
EMACSVERSION= 21.5-b27
EMACS_DISTNAME= xemacs-${EMACSVERSION}
-PKGREVISION= 12
+PKGREVISION= 13
CATEGORIES= editors
MASTER_SITES= ${MASTER_SITE_XEMACS:=${DISTNAME:C/[.][^.]*$//}/}
4 editors/xemacs-current/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.23 2011/04/01 13:00:32 wiz Exp $
+$NetBSD: distinfo,v 1.24 2012/04/27 14:37:37 hauke Exp $
SHA1 (xemacs-21.5.27.tar.gz) = 55fc3e9c8fe3cac92791ffe1a0870aeae1baf0b8
RMD160 (xemacs-21.5.27.tar.gz) = ee0caff8730c999d37aa3a19b19f23d5756837ad
@@ -17,4 +17,4 @@ SHA1 (patch-ak) = c8a3369efdd4af32b1a65cdb3d798724d63b3ed5
SHA1 (patch-al) = 33000a300de6358c0ba3260708d6d625dcd625a2
SHA1 (patch-am) = 0ccbead4be5da92e73a15432ff1b063da13cf0b4
SHA1 (patch-an) = f382865087f011ea3806d707cbf784fac81ad746
-SHA1 (patch-src_glyphs-eimage.c) = 9c5990cf2f806072aeb706bba8aba6133feb9509
+SHA1 (patch-src_glyphs-eimage.c) = a382113190a65d27747a90e58294a41f3bb6df42
90 editors/xemacs-current/patches/patch-src_glyphs-eimage.c
@@ -1,21 +1,69 @@
-$NetBSD: patch-src_glyphs-eimage.c,v 1.1 2011/04/01 13:00:32 wiz Exp $
+$NetBSD: patch-src_glyphs-eimage.c,v 1.2 2012/04/27 14:37:37 hauke Exp $
-Fix build with png-1.5.
+Fix CVE-2009-2688, via <https://bugzilla.redhat.com/show_bug.cgi?id=511994>
+
+Adapt to new libpng 1.5 interfaces
--- src/glyphs-eimage.c.orig 2005-11-26 11:46:08.000000000 +0000
+++ src/glyphs-eimage.c
-@@ -929,8 +929,8 @@ png_instantiate (Lisp_Object image_insta
+@@ -401,6 +401,7 @@ jpeg_instantiate (Lisp_Object image_inst
+ */
+
+ {
++ UINT_64_BIT pixels_sq;
+ int jpeg_gray = 0; /* if we're dealing with a grayscale */
+ /* Step 4: set parameters for decompression. */
+
+@@ -423,7 +424,10 @@ jpeg_instantiate (Lisp_Object image_inst
+ jpeg_start_decompress (&cinfo);
+
+ /* Step 6: Read in the data and put into EImage format (8bit RGB triples)*/
+-
++ pixels_sq =
++ (UINT_64_BIT) cinfo.output_width * (UINT_64_BIT) cinfo.output_height;
++ if (pixels_sq > ((size_t) -1) / 3)
++ signal_image_error ("JPEG image too large to instantiate", instantiator);
+ unwind.eimage =
+ xnew_binbytes (cinfo.output_width * cinfo.output_height * 3);
+ if (!unwind.eimage)
+@@ -669,6 +673,7 @@ gif_instantiate (Lisp_Object image_insta
+ {
+ ColorMapObject *cmo = unwind.giffile->SColorMap;
+ int i, j, row, pass, interlace, slice;
++ UINT_64_BIT pixels_sq;
+ Binbyte *eip;
+ /* interlaced gifs have rows in this order:
+ 0, 8, 16, ..., 4, 12, 20, ..., 2, 6, 10, ..., 1, 3, 5, ... */
+@@ -677,6 +682,9 @@ gif_instantiate (Lisp_Object image_insta
+
+ height = unwind.giffile->SHeight;
+ width = unwind.giffile->SWidth;
++ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
++ if (pixels_sq > ((size_t) -1) / (3 * unwind.giffile->ImageCount))
++ signal_image_error ("GIF image too large to instantiate", instantiator);
+ unwind.eimage =
+ xnew_binbytes (width * height * 3 * unwind.giffile->ImageCount);
+ if (!unwind.eimage)
+@@ -929,11 +937,15 @@ png_instantiate (Lisp_Object image_insta
{
int y;
Binbyte **row_pointers;
- height = info_ptr->height;
- width = info_ptr->width;
++ UINT_64_BIT pixels_sq;
+ height = png_get_image_height(png_ptr, info_ptr);
+ width = png_get_image_width(png_ptr, info_ptr);
++ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
++ if (pixels_sq > ((size_t) -1) / 3)
++ signal_image_error ("PNG image too large to instantiate", instantiator);
/* Wow, allocate all the memory. Truly, exciting. */
- unwind.eimage = xnew_array_and_zero (Binbyte, width * height * 3);
-@@ -982,22 +982,22 @@ png_instantiate (Lisp_Object image_insta
+- unwind.eimage = xnew_array_and_zero (Binbyte, width * height * 3);
++ unwind.eimage = xnew_array_and_zero (Binbyte, (size_t) (pixels_sq * 3));
+ /* libpng expects that the image buffer passed in contains a
+ picture to draw on top of if the png has any transparencies.
+ This could be a good place to pass that in... */
+@@ -982,22 +994,22 @@ png_instantiate (Lisp_Object image_insta
/* Now that we're using EImage, ask for 8bit RGB triples for any type
of image*/
/* convert palette images to full RGB */
@@ -45,16 +93,16 @@ Fix build with png-1.5.
png_set_expand (png_ptr);
else
png_set_packing (png_ptr);
-@@ -1018,16 +1018,20 @@ png_instantiate (Lisp_Object image_insta
+@@ -1018,16 +1030,20 @@ png_instantiate (Lisp_Object image_insta
unobtrusive. */
{
int i;
+ png_textp text_ptr;
+ int num_text;
++
++ png_get_text(png_ptr, info_ptr, &text_ptr, &num_text);
- for (i = 0 ; i < info_ptr->num_text ; i++)
-+ png_get_text(png_ptr, info_ptr, &text_ptr, &num_text);
-+
+ for (i = 0 ; i < num_text ; i++)
{
/* How paranoid do I have to be about no trailing NULLs, and
@@ -70,3 +118,29 @@ Fix build with png-1.5.
}
}
#endif
+@@ -1268,6 +1284,7 @@ tiff_instantiate (Lisp_Object image_inst
+
+ uint32 *raster;
+ Binbyte *ep;
++ UINT_64_BIT pixels_sq;
+
+ assert (!NILP (data));
+
+@@ -1290,12 +1307,15 @@ tiff_instantiate (Lisp_Object image_inst
+
+ TIFFGetField (unwind.tiff, TIFFTAG_IMAGEWIDTH, &width);
+ TIFFGetField (unwind.tiff, TIFFTAG_IMAGELENGTH, &height);
+- unwind.eimage = xnew_binbytes (width * height * 3);
++ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
++ if (pixels_sq >= 1 << 29)
++ signal_image_error ("TIFF image too large to instantiate", instantiator);
++ unwind.eimage = xnew_binbytes (pixels_sq * 3);
+
+ /* #### This is little more than proof-of-concept/function testing.
+ It needs to be reimplemented via scanline reads for both memory
+ compactness. */
+- raster = (uint32*) _TIFFmalloc (width * height * sizeof (uint32));
++ raster = (uint32*) _TIFFmalloc ((tsize_t) (pixels_sq * sizeof (uint32)));
+ if (raster != NULL)
+ {
+ int i, j;
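Review bot: The JPEG guard `if (pixels_sq > ((size_t) -1) / 3)` does not protect the allocation two lines below it, because `xnew_binbytes (cinfo.output_width * cinfo.output_height * 3)` still multiplies in the type of `cinfo.output_width` (libjpeg's JDIMENSION, an unsigned int), so a product that fits in 64 bits but wraps in 32 passes the check on an LP64 host and yields an undersized buffer — the same condition CVE-2009-2688 describes. The PNG and TIFF hunks already size the buffer from the 64-bit product; the JPEG line should do the same, `xnew_binbytes ((size_t) (pixels_sq * 3))`, and so should the GIF line, `xnew_binbytes ((size_t) (pixels_sq * 3 * unwind.giffile->ImageCount))`, since `width * height * 3 * ImageCount` there is signed int arithmetic that can overflow before the call is made. In the GIF check, `/ (3 * unwind.giffile->ImageCount)` divides by zero if ImageCount can still be 0 at that point; unless an earlier check outside the hunk rules that out, reject it first: `if (unwind.giffile->ImageCount <= 0 || pixels_sq > ((size_t) -1) / (3 * unwind.giffile->ImageCount))`. The TIFF bound `1 << 29` differs from the `SIZE_MAX / 3` bound used elsewhere, presumably so that `pixels_sq * sizeof (uint32)` stays within the `tsize_t` cast below it; a one-line comment to that effect, e.g. `/* keep pixels_sq * sizeof (uint32) representable as tsize_t */`, would spare the next reader the guesswork. Each of jpeg_instantiate, gif_instantiate, png_instantiate and tiff_instantiate begins and ends outside the hunks shown.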
