Fix heap overflow vulnability.
Be more careful about integer overflow. While here: fix possible divide-by-zero. Notified by: feld@ MFH: 2015Q3
parent
7ba3aedb1d
commit
58d7a21386
Notes:
svn2git
2021-03-31 03:12:20 +00:00
svn path=/head/; revision=392677
@ -1,10 +1,9 @@
|
||||
# Created by: Ade Lovett <ade@lovett.com>
|
||||
# $FreeBSD$
|
||||
# $MCom: ports/trunk/graphics/gdk-pixbuf2/Makefile 20031 2014-11-02 21:47:55Z kwm $
|
||||
|
||||
PORTNAME= gdk-pixbuf
|
||||
PORTVERSION= 2.31.2
|
||||
PORTREVISION= 1
|
||||
PORTREVISION= 2
|
||||
CATEGORIES= graphics
|
||||
MASTER_SITES= GNOME
|
||||
PKGNAMESUFFIX= 2
|
||||
|
@ -0,0 +1,25 @@
|
||||
From 74c418ba2e41ab9e2287420378a6192788b1fab6 Mon Sep 17 00:00:00 2001
|
||||
From: Sarita Rawat <sarita.rawat@samsung.com>
|
||||
Date: Fri, 5 Jun 2015 06:56:00 +0000
|
||||
Subject: Avoid a possible divide-by-zero
|
||||
|
||||
Pointed out in
|
||||
|
||||
https://bugzilla.gnome.org/show_bug.cgi?id=750440
|
||||
|
||||
diff --git a/gdk-pixbuf/gdk-pixbuf-loader.c b/gdk-pixbuf/gdk-pixbuf-loader.c
|
||||
index 65845ed..668b703 100644
|
||||
--- gdk-pixbuf/gdk-pixbuf-loader.c
|
||||
+++ gdk-pixbuf/gdk-pixbuf-loader.c
|
||||
@@ -330,7 +330,7 @@ gdk_pixbuf_loader_prepare (GdkPixbuf *pixbuf,
|
||||
else
|
||||
anim = gdk_pixbuf_non_anim_new (pixbuf);
|
||||
|
||||
- if (priv->needs_scale) {
|
||||
+ if (priv->needs_scale && width != 0 && height != 0) {
|
||||
priv->animation = GDK_PIXBUF_ANIMATION (_gdk_pixbuf_scaled_anim_new (anim,
|
||||
(double) priv->width / width,
|
||||
(double) priv->height / height,
|
||||
--
|
||||
cgit v0.10.2
|
||||
|
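Review bot: The new condition `priv->needs_scale && width != 0 && height != 0` in gdk_pixbuf_loader_prepare skips scaling without any trace when the pixbuf reports a zero dimension, so a caller that asked for a specific size appears to get the unscaled animation back (the fallback branch is outside the hunk, so this is inferred). A one-line comment above the test would record the intent, for example `/* a zero width or height would divide by zero below; leave the animation unscaled */`. Negative values still pass the test; if width and height can be influenced by image data, `width > 0 && height > 0` would be the tighter check. The function starts and ends outside the hunk.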
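--- a/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_pixops_pixops.c
+++ b/graphics/gdk-pixbuf2/files/patch-gdk-pixbuf_pixops_pixops.c
@@ -0,0 +1,82 @@
+From ffec86ed5010c5a2be14f47b33bcf4ed3169a199 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Mon, 13 Jul 2015 00:33:40 -0400
+Subject: pixops: Be more careful about integer overflow
+
+Our loader code is supposed to handle out-of-memory and overflow
+situations gracefully, reporting errors instead of aborting. But
+if you load an image at a specific size, we also execute our
+scaling code, which was not careful enough about overflow in some
+places.
+
+This commit makes the scaling code silently return if it fails to
+allocate filter tables. This is the best we can do, since
+gdk_pixbuf_scale() is not taking a GError.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=752297
+
+diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c
+index 29a1c14..ce51745 100644
+--- gdk-pixbuf/pixops/pixops.c
++++ gdk-pixbuf/pixops/pixops.c
+@@ -1272,7 +1272,16 @@ make_filter_table (PixopsFilter *filter)
+int i_offset, j_offset;
+int n_x = filter->x.n;
+int n_y = filter->y.n;
+- int *weights = g_new (int, SUBSAMPLE * SUBSAMPLE * n_x * n_y);
++ gsize n_weights;
++ int *weights;
++
++ n_weights = SUBSAMPLE * SUBSAMPLE * n_x * n_y;
++ if (n_weights / (SUBSAMPLE * SUBSAMPLE * n_x) != n_y)
++ return NULL; /* overflow, bail */
++
++ weights = g_try_new (int, n_weights);
++ if (!weights)
++ return NULL; /* overflow, bail */
+
+for (i_offset=0; i_offset < SUBSAMPLE; i_offset++)
+for (j_offset=0; j_offset < SUBSAMPLE; j_offset++)
+@@ -1347,8 +1356,11 @@ pixops_process (guchar *dest_buf,
+if (x_step == 0 || y_step == 0)
+return; /* overflow, bail out */
+
+- line_bufs = g_new (guchar *, filter->y.n);
+filter_weights = make_filter_table (filter);
++ if (!filter_weights)
++ return; /* overflow, bail out */
++
++ line_bufs = g_new (guchar *, filter->y.n);
+
+check_shift = check_size ? get_check_shift (check_size) : 0;
+
+@@ -1468,7 +1480,7 @@ tile_make_weights (PixopsFilterDimension *dim,
+double scale)
+{
+int n = ceil (1 / scale + 1);
+- double *pixel_weights = g_new (double, SUBSAMPLE * n);
++ double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
+int offset;
+int i;
+
+@@ -1526,7 +1538,7 @@ bilinear_magnify_make_weights (PixopsFilterDimension *dim,
+}
+
+dim->n = n;
+- dim->weights = g_new (double, SUBSAMPLE * n);
++ dim->weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
+
+pixel_weights = dim->weights;
+
+@@ -1617,7 +1629,7 @@ bilinear_box_make_weights (PixopsFilterDimension *dim,
+double scale)
+{
+int n = ceil (1/scale + 3.0);
+- double *pixel_weights = g_new (double, SUBSAMPLE * n);
++ double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
+double w;
+int offset, i;
+
+--
+cgit v0.10.2
+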
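Review bot: In the make_filter_table hunk the product `SUBSAMPLE * SUBSAMPLE * n_x * n_y` is still evaluated in `int` before it is stored in the `gsize`, so a wrap (signed-overflow undefined behaviour) happens before the division test can see it, and the divisor `SUBSAMPLE * SUBSAMPLE * n_x` can wrap the same way or be zero when `n_x` is 0. This assumes SUBSAMPLE is a plain integer constant; its definition is outside the hunk. Widening to `gsize` first and checking each factor against `G_MAXSIZE`, as sketched below, keeps the test meaningful. The three `g_malloc_n` calls in the later hunks abort on overflow rather than return, which closes the heap overflow but is not the graceful failure the patch description aims for. make_filter_table's body continues outside the hunk.

```c
  gsize n_weights;
  int *weights;

  /* Reject empty or negative filter sizes before any arithmetic. */
  if (n_x <= 0 || n_y <= 0)
    return NULL;

  /* Multiply in gsize, testing each step against G_MAXSIZE. */
  n_weights = (gsize) SUBSAMPLE * SUBSAMPLE;
  if ((gsize) n_x > G_MAXSIZE / n_weights)
    return NULL; /* overflow, bail */
  n_weights *= (gsize) n_x;
  if ((gsize) n_y > G_MAXSIZE / n_weights)
    return NULL; /* overflow, bail */
  n_weights *= (gsize) n_y;

  /* g_try_new checks n_weights * sizeof (int) itself. */
  weights = g_try_new (int, n_weights);
  if (!weights)
    return NULL; /* allocation failed */

  /* … unchanged: i_offset / j_offset weight loops … */
```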