1
0
mirror of https://git.FreeBSD.org/ports.git synced 2024-12-29 05:38:00 +00:00

Avoid an integer overflow in the xbm loader, bump the PORTREVISION.

Security:	https://bugzilla.gnome.org/show_bug.cgi?id=672811
Obtained from:	Its git
Reported by:	Eitan Adler <lists@eitanadler.com>
This commit is contained in:
Jeremy Messenger 2012-05-20 17:14:41 +00:00
parent 7dc817c369
commit c7d977210b
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=297052
2 changed files with 45 additions and 1 deletions

View File

@ -7,7 +7,7 @@
PORTNAME?= gdk-pixbuf
PORTVERSION= 2.23.5
PORTREVISION= 1
PORTREVISION= 2
CATEGORIES?= graphics
MASTER_SITES= GNOME
MASTER_SITE_SUBDIR= sources/gdk-pixbuf/${PORTVERSION:R}

View File

@ -0,0 +1,44 @@
From 4f0f465f991cd454d03189497f923eb40c170c22 Mon Sep 17 00:00:00 2001
From: Matthias Clasen <mclasen@redhat.com>
Date: Sat, 14 Apr 2012 18:21:09 +0000
Subject: Avoid an integer overflow in the xbm loader
At the same time, reject some silly input, such as negative
width or height.
https://bugzilla.gnome.org/show_bug.cgi?id=672811
---
diff --git a/gdk-pixbuf/io-xbm.c b/gdk-pixbuf/io-xbm.c
index 46653b9..4f3e1e8 100644
--- gdk-pixbuf/io-xbm.c
+++ gdk-pixbuf/io-xbm.c
@@ -183,10 +183,16 @@ read_bitmap_file_data (FILE *fstream,
type++;
}
- if (!strcmp ("width", type))
+ if (!strcmp ("width", type)) {
+ if (value <= 0)
+ RETURN (FALSE);
ww = (unsigned int) value;
- if (!strcmp ("height", type))
+ }
+ if (!strcmp ("height", type)) {
+ if (value <= 0)
+ RETURN (FALSE);
hh = (unsigned int) value;
+ }
if (!strcmp ("hot", type)) {
if (type-- == name_and_type
|| type-- == name_and_type)
@@ -231,6 +237,8 @@ read_bitmap_file_data (FILE *fstream,
bytes_per_line = (ww+7)/8 + padding;
size = bytes_per_line * hh;
+ if (size / bytes_per_line != hh) /* overflow */
+ RETURN (FALSE);
bits = g_malloc (size);
if (version10p) {
--
cgit v0.9.0.2