Bugzilla – Attachment 25903 Details for
Bug 63061
VUL-0: CVE-2004-1026: xpm crash bug in imlib
patch
imlib-1.9.13-sec2.patch (text/plain), 12.73 KB, created by
Ludwig Nussel
on 2004-11-09 18:21:31 UTC
Description:
patch
Filename:
MIME Type:
Creator:
Ludwig Nussel
Created:
2004-11-09 18:21:31 UTC
Size:
12.73 KB
>diff -urN imlib-1.9.13.orig/Imlib/load.c imlib-1.9.13/Imlib/load.c
>--- imlib-1.9.13.orig/Imlib/load.c Wed Mar 13 19:06:29 2002
>+++ imlib-1.9.13/Imlib/load.c Thu Sep 16 17:21:01 2004
>@@ -4,6 +4,8 @@
> #include "Imlib_private.h"
> #include <setjmp.h>
>
>+#define G_MAXINT ((int) 0x7fffffff)
>+
> /* Split the ID - damages input */
>
> static char *
>@@ -41,13 +43,17 @@
>
> /*
> * Make sure we don't wrap on our memory allocations
>+ * we check G_MAXINT/4 because rend.c malloc's w * h * bpp
>+ * + 3 is safety margin
> */
>
> void * _imlib_malloc_image(unsigned int w, unsigned int h)
> {
>- if( w > 32767 || h > 32767)
>- return NULL;
>- return malloc(w * h * 3);
>+ if (w <= 0 || w > 32767 ||
>+ h <= 0 || h > 32767 ||
>+ h >= (G_MAXINT/4 - 1) / w)
>+ return NULL;
>+ return malloc(w * h * 3 + 3);
> }
>
> #ifdef HAVE_LIBJPEG
>@@ -360,7 +366,9 @@
> npix = ww * hh;
> *w = (int)ww;
> *h = (int)hh;
>- if(ww > 32767 || hh > 32767)
>+ if (ww <= 0 || ww > 32767 ||
>+ hh <= 0 || hh > 32767 ||
>+ hh >= (G_MAXINT/sizeof(uint32)) / ww)
> {
> TIFFClose(tif);
> return NULL;
>@@ -463,7 +471,7 @@
> }
> *w = gif->Image.Width;
> *h = gif->Image.Height;
>- if (*h > 32767 || *w > 32767)
>+ if (*h <= 0 || *h > 32767 || *w <= 0 || *w > 32767)
> {
> return NULL;
> }
>@@ -965,7 +973,12 @@
> comment = 0;
> quote = 0;
> context = 0;
>+ memset(lookup, 0, sizeof(lookup));
>+
> line = malloc(lsz);
>+ if (!line)
>+ return NULL;
>+
> while (!done)
> {
> pc = c;
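Review bot: In `_imlib_malloc_image` (hunk `@@ -41,13 +43,17 @@`) the tests `w <= 0` and `h <= 0` are applied to `unsigned int` parameters, so they can only mean `== 0`; a negative dimension passed by a caller arrives as a large positive value and is rejected by `> 32767` instead. Writing `w == 0 || h == 0` would state what is actually checked, and it is this zero test that keeps the following `/ w` from dividing by zero, which deserves a short comment. The comment says `+ 3` is a safety margin without saying what reads or writes past `w * h * 3`; naming that consumer would let a later reader judge whether 3 bytes is enough. `_gdk_malloc_image` in gdk_imlib/misc.c gets the same code, and its comment spells the macro `G_MAX_INT` while the code uses `G_MAXINT`.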
>@@ -994,25 +1007,25 @@
> {
> /* Header */
> sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp);
>- if (ncolors > 32766)
>+ if (ncolors <= 0 || ncolors > 32766)
> {
> fprintf(stderr, "IMLIB ERROR: XPM files wth colors > 32766 not supported\n");
> free(line);
> return NULL;
> }
>- if (cpp > 5)
>+ if (cpp <= 0 || cpp > 5)
> {
> fprintf(stderr, "IMLIB ERROR: XPM files with characters per pixel > 5 not supported\n");
> free(line);
> return NULL;
> }
>- if (*w > 32767)
>+ if (*w <= 0 || *w > 32767)
> {
> fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n");
> free(line);
> return NULL;
> }
>- if (*h > 32767)
>+ if (*h <= 0 || *h > 32767)
> {
> fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n");
> free(line);
>@@ -1045,11 +1058,13 @@
> {
> int slen;
> int hascolor, iscolor;
>+ int space;
>
> iscolor = 0;
> hascolor = 0;
> tok[0] = 0;
> col[0] = 0;
>+ space = sizeof(col) - 1;
> s[0] = 0;
> len = strlen(line);
> strncpy(cmap[j].str, line, cpp);
>@@ -1072,10 +1087,10 @@
> {
> if (k >= len)
> {
>- if (col[0])
>- strcat(col, " ");
>- if (strlen(col) + strlen(s) < sizeof(col))
>- strcat(col, s);
>+ if (col[0] && space > 0)
>+ strcat(col, " "), space -= 1;
>+ if (slen <= space)
>+ strcat(col, s), space -= slen;
> }
> if (col[0])
> {
>@@ -1105,14 +1120,17 @@
> }
> }
> }
>- strcpy(tok, s);
>+ if (slen < sizeof(tok));
>+ strcpy(tok, s);
> col[0] = 0;
>+ space = sizeof(col) - 1;
> }
> else
> {
>- if (col[0])
>- strcat(col, " ");
>- strcat(col, s);
>+ if (col[0] && space > 0)
>+ strcat(col, " "), space -=1;
>+ if (slen <= space)
>+ strcat(col, s), space -= slen;
> }
> }
> }
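Review bot: The new lower-bound checks in hunk `@@ -994,25 +1007,25 @@` still read `ncolors`, `cpp`, `*w` and `*h` without checking that `sscanf` converted all four fields, so a short or malformed header line leaves them at whatever they held before (their initialisation is outside the hunk, so possibly indeterminate). Testing the return value, `if (sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp) != 4)` followed by the same `free(line); return NULL;`, closes that gap. The same applies to the header `sscanf` calls in gdk_imlib/io-xpm.c and in both utils.c files, and to the two-field `sscanf(s, "%i %i", w, h)` in the PPM hunks. Separately, the error messages still say `> 32766` / `> 32767` when the value was rejected for being zero or negative.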
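Review bot: The bounded appends in hunk `@@ -1072,10 +1087,10 @@` pack the call and the bookkeeping into one comma expression (`strcat(col, " "), space -= 1;`) under an unbraced `if`, which is easy to misread and easy to break when a line is added; braced bodies with two statements would be safer to maintain. When `s` does not fit it is dropped silently after the separator has already been appended, so the colour name used afterwards is a truncated one; a comment such as `/* token too long for col: ignored */` would record that this is intended. `slen` is assigned outside the hunk, so it cannot be confirmed here that it holds `strlen(s)` for the current token at this point. The same construct is repeated in `@@ -1105,14 +1120,17 @@` and in gdk_imlib/io-xpm.c, where one branch uses `strncat` for the separator and the others use `strcat`.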
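Review bot: The added line `if (slen < sizeof(tok));` in hunk `@@ -1105,14 +1120,17 @@` ends in a semicolon, so the `if` controls an empty statement and `strcpy(tok, s);` on the next line still runs unconditionally; the overflow of `tok` that this check was meant to stop is not stopped in Imlib/load.c. It should read `if (slen < sizeof(tok))` with the `strcpy` as its body, as the matching hunk in gdk_imlib/io-xpm.c does. GCC's `-Wempty-body` (included in `-Wextra`) reports this pattern, so building the patched tree with it would catch any other copy. Once the check is effective, a skipped copy leaves the previous token in `tok`; whether that stale value is acceptable depends on code outside the hunk.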
>@@ -1341,12 +1359,12 @@
> sscanf(s, "%i %i", w, h);
> a = *w;
> b = *h;
>- if (a > 32767)
>+ if (a <= 0 || a > 32767)
> {
> fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n");
> return NULL;
> }
>- if (b > 32767)
>+ if (b <= 0 || b > 32767)
> {
> fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n");
> return NULL;
>diff -urN imlib-1.9.13.orig/Imlib/utils.c imlib-1.9.13/Imlib/utils.c
>--- imlib-1.9.13.orig/Imlib/utils.c Mon Mar 4 17:45:28 2002
>+++ imlib-1.9.13/Imlib/utils.c Thu Sep 16 17:21:15 2004
>@@ -1496,36 +1496,56 @@
> context = 0;
> ptr = NULL;
> end = NULL;
>+ memset(lookup, 0, sizeof(lookup));
>
> while (!done)
> {
> line = data[count++];
>+ if (!line)
>+ break;
>+ line = strdup(line);
>+ if (!line)
>+ break;
>+ len = strlen(line);
>+ for (i = 0; i < len; ++i)
>+ {
>+ c = line[i];
>+ if (c < 32)
>+ line[i] = 32;
>+ else if (c > 127)
>+ line[i] = 127;
>+ }
>+
> if (context == 0)
> {
> /* Header */
> sscanf(line, "%i %i %i %i", &w, &h, &ncolors, &cpp);
>- if (ncolors > 32766)
>+ if (ncolors <= 0 || ncolors > 32766)
> {
> fprintf(stderr, "IMLIB ERROR: XPM data wth colors > 32766 not supported\n");
> free(im);
>+ free(line);
> return NULL;
> }
>- if (cpp > 5)
>+ if (cpp <= 0 || cpp > 5)
> {
> fprintf(stderr, "IMLIB ERROR: XPM data with characters per pixel > 5 not supported\n");
> free(im);
>+ free(line);
> return NULL;
> }
>- if (w > 32767)
>+ if (w <= 0 || w > 32767)
> {
> fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for data\n");
> free(im);
>+ free(line);
> return NULL;
> }
>- if (h > 32767)
>+ if (h <= 0 || h > 32767)
> {
> fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for data\n");
> free(im);
>+ free(line);
> return NULL;
> }
> cmap = malloc(sizeof(struct _cmap) * ncolors);
>@@ -1533,6 +1553,7 @@
> if (!cmap)
> {
> free(im);
>+ free(line);
> return NULL;
> }
> im->rgb_width = w;
>@@ -1542,6 +1563,7 @@
> {
> free(cmap);
> free(im);
>+ free(line);
> return NULL;
> }
> im->alpha_data = NULL;
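Review bot: In the sanitising loop added by hunk `@@ -1496,36 +1496,56 @@` of Imlib/utils.c, the branch `else if (c > 127)` can never fire if `c` is a plain `char` on a signed-char platform, because bytes 0x80–0xff are negative there and are caught by `c < 32` first (the declaration of `c` is outside the hunk, so this needs checking). Reading the byte as unsigned, `c = (unsigned char)line[i];`, makes both branches do what they say. The two new `break`s on a NULL entry or a failed `strdup` leave the loop and fall through to the code after it, unlike the error paths in this hunk, which free `im` and return NULL; whether the caller then receives a half-built image is not visible here and deserves an explicit error return or a comment. The same code is added to gdk_imlib/utils.c in `@@ -1236,36 +1236,56 @@`.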
>@@ -1817,6 +1839,7 @@
> }
> if ((ptr) && ((ptr - im->rgb_data) >= w * h * 3))
> done = 1;
>+ free(line);
> }
> if (!transp)
> {
>diff -urN imlib-1.9.13.orig/gdk_imlib/io-gif.c imlib-1.9.13/gdk_imlib/io-gif.c
>--- imlib-1.9.13.orig/gdk_imlib/io-gif.c Mon Mar 4 17:26:51 2002
>+++ imlib-1.9.13/gdk_imlib/io-gif.c Thu Sep 16 16:11:31 2004
>@@ -55,7 +55,7 @@
> }
> *w = gif->Image.Width;
> *h = gif->Image.Height;
>- if(*h > 32767 || *w > 32767)
>+ if(*h <= 0 || *h > 32767 || *w <= 0 || *w > 32767)
> {
> return NULL;
> }
>diff -urN imlib-1.9.13.orig/gdk_imlib/io-ppm.c imlib-1.9.13/gdk_imlib/io-ppm.c
>--- imlib-1.9.13.orig/gdk_imlib/io-ppm.c Mon Mar 4 17:26:51 2002
>+++ imlib-1.9.13/gdk_imlib/io-ppm.c Thu Sep 16 16:13:13 2004
>@@ -53,12 +53,12 @@
> sscanf(s, "%i %i", w, h);
> a = *w;
> b = *h;
>- if (a > 32767)
>+ if (a <= 0 || a > 32767)
> {
> fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for file\n");
> return NULL;
> }
>- if (b > 32767)
>+ if (b <= 0 || b > 32767)
> {
> fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for file\n");
> return NULL;
>diff -urN imlib-1.9.13.orig/gdk_imlib/io-tiff.c imlib-1.9.13/gdk_imlib/io-tiff.c
>--- imlib-1.9.13.orig/gdk_imlib/io-tiff.c Mon Mar 4 17:26:51 2002
>+++ imlib-1.9.13/gdk_imlib/io-tiff.c Thu Sep 16 16:13:57 2004
>@@ -36,7 +36,9 @@
> npix = ww * hh;
> *w = (int)ww;
> *h = (int)hh;
>- if(ww > 32767 || hh > 32767)
>+ if (ww <= 0 || ww > 32767 ||
>+ hh <= 0 || hh > 32767 ||
>+ hh >= (G_MAXINT/sizeof(uint32)) / ww)
> {
> TIFFClose(tif);
> return NULL;
>diff -urN imlib-1.9.13.orig/gdk_imlib/io-xpm.c imlib-1.9.13/gdk_imlib/io-xpm.c
>--- imlib-1.9.13.orig/gdk_imlib/io-xpm.c Mon Mar 4 17:26:51 2002
>+++ imlib-1.9.13/gdk_imlib/io-xpm.c Thu Sep 16 17:08:24 2004
>@@ -40,8 +40,12 @@
> context = 0;
> i = j = 0;
> cmap = NULL;
>+ memset(lookup, 0, sizeof(lookup));
>
> line = malloc(lsz);
>+ if (!line)
>+ return NULL;
>+
> while (!done)
> {
> pc = c;
>@@ -70,25 +74,25 @@
> {
> /* Header */
> sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp);
>- if (ncolors > 32766)
>+ if (ncolors <= 0 || ncolors > 32766)
> {
> fprintf(stderr, "gdk_imlib ERROR: XPM files wth colors > 32766 not supported\n");
> free(line);
> return NULL;
> }
>- if (cpp > 5)
>+ if (cpp <= 0 || cpp > 5)
> {
> fprintf(stderr, "gdk_imlib ERROR: XPM files with characters per pixel > 5 not supported\n");
> free(line);
> return NULL;
> }
>- if (*w > 32767)
>+ if (*w <= 0 || *w > 32767)
> {
> fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for file\n");
> free(line);
> return NULL;
> }
>- if (*h > 32767)
>+ if (*h <= 0 || *h > 32767)
> {
> fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for file\n");
> free(line);
>@@ -120,11 +124,13 @@
> {
> int slen;
> int hascolor, iscolor;
>+ int space;
>
> hascolor = 0;
> iscolor = 0;
> tok[0] = 0;
> col[0] = 0;
>+ space = sizeof(col) - 1;
> s[0] = 0;
> len = strlen(line);
> strncpy(cmap[j].str, line, cpp);
>@@ -147,10 +153,10 @@
> {
> if (k >= len)
> {
>- if (col[0])
>- strcat(col, " ");
>- if (strlen(col) + strlen(s) < sizeof(col))
>- strcat(col, s);
>+ if (col[0] && space > 0)
>+ strncat(col, " ", space), space -= 1;
>+ if (slen <= space)
>+ strcat(col, s), space -= slen;
> }
> if (col[0])
> {
>@@ -180,14 +186,17 @@
> }
> }
> }
>- strcpy(tok, s);
>+ if (slen < sizeof(tok))
>+ strcpy(tok, s);
> col[0] = 0;
>+ space = sizeof(col) - 1;
> }
> else
> {
>- if (col[0])
>- strcat(col, " ");
>- strcat(col, s);
>+ if (col[0] && space > 0)
>+ strcat(col, " "), space -= 1;
>+ if (slen <= space)
>+ strcat(col, s), space -= slen;
> }
> }
> }
>diff -urN imlib-1.9.13.orig/gdk_imlib/misc.c imlib-1.9.13/gdk_imlib/misc.c
>--- imlib-1.9.13.orig/gdk_imlib/misc.c Mon Mar 4 17:26:51 2002
>+++ imlib-1.9.13/gdk_imlib/misc.c Thu Sep 16 16:35:32 2004
>@@ -1355,11 +1355,16 @@
>
> /*
> * Make sure we don't wrap on our memory allocations
>+ * we check G_MAX_INT/4 because rend.c malloc's w * h * bpp
>+ * + 3 is safety margin
> */
>
> void *_gdk_malloc_image(unsigned int w, unsigned int h)
> {
>- if( w > 32767 || h > 32767)
>+ if (w <= 0 || w > 32767 ||
>+ h <= 0 || h > 32767 ||
>+ h >= (G_MAXINT/4 - 1) / w)
> return NULL;
>- return malloc(w * h * 3);
>+ return malloc(w * h * 3 + 3);
> }
>+
>diff -urN imlib-1.9.13.orig/gdk_imlib/utils.c imlib-1.9.13/gdk_imlib/utils.c
>--- imlib-1.9.13.orig/gdk_imlib/utils.c Mon Mar 4 17:26:51 2002
>+++ imlib-1.9.13/gdk_imlib/utils.c Thu Sep 16 17:28:35 2004
>@@ -1236,36 +1236,56 @@
> context = 0;
> ptr = NULL;
> end = NULL;
>+ memset(lookup, 0, sizeof(lookup));
>
> while (!done)
> {
> line = data[count++];
>+ if (!line)
>+ break;
>+ line = strdup(line);
>+ if (!line)
>+ break;
>+ len = strlen(line);
>+ for (i = 0; i < len; ++i)
>+ {
>+ c = line[i];
>+ if (c < 32)
>+ line[i] = 32;
>+ else if (c > 127)
>+ line[i] = 127;
>+ }
>+
> if (context == 0)
> {
> /* Header */
> sscanf(line, "%i %i %i %i", &w, &h, &ncolors, &cpp);
>- if (ncolors > 32766)
>+ if (ncolors <= 0 || ncolors > 32766)
> {
> fprintf(stderr, "gdk_imlib ERROR: XPM data wth colors > 32766 not supported\n");
> free(im);
>+ free(line);
> return NULL;
> }
>- if (cpp > 5)
>+ if (cpp <= 0 || cpp > 5)
> {
> fprintf(stderr, "gdk_imlib ERROR: XPM data with characters per pixel > 5 not supported\n");
> free(im);
>+ free(line);
> return NULL;
> }
>- if (w > 32767)
>+ if (w <= 0 || w > 32767)
> {
> fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for data\n");
> free(im);
>+ free(line);
> return NULL;
> }
>- if (h > 32767)
>+ if (h <= 0 || h > 32767)
> {
> fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for data\n");
> free(im);
>+ free(line);
> return NULL;
> }
> cmap = malloc(sizeof(struct _cmap) * ncolors);
>@@ -1273,6 +1293,7 @@
> if (!cmap)
> {
> free(im);
>+ free(line);
> return NULL;
> }
> im->rgb_width = w;
>@@ -1282,6 +1303,7 @@
> {
> free(cmap);
> free(im);
>+ free(line);
> return NULL;
> }
> im->alpha_data = NULL;
>@@ -1355,7 +1377,7 @@
> strcpy(col + colptr, " ");
> colptr++;
> }
>- if (colptr + ls <= sizeof(col))
>+ if (colptr + ls < sizeof(col))
> {
> strcpy(col + colptr, s);
> colptr += ls;
>@@ -1558,6 +1580,7 @@
> }
> if ((ptr) && ((ptr - im->rgb_data) >= w * h * 3))
> done = 1;
>+ free(line);
> }
> if (!transp)
> {
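Review bot: The change to `colptr + ls < sizeof(col)` in hunk `@@ -1355,7 +1377,7 @@` of gdk_imlib/utils.c leaves room for the terminator when copying `s`, but the separator written just above it, `strcpy(col + colptr, " "); colptr++;`, has no bound in the visible lines (its enclosing condition starts outside the hunk). If that condition does not already test `colptr`, the separator needs its own guard, `if (colptr + 1 < sizeof(col))`. The Imlib/utils.c part of this patch has no matching hunk; if that file contains the same loop it has the same off-by-one and should get the same fix.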