OpenSDE
/
rocklinux
mirror of https://github.com/amery/rocklinux.git
2
0
Fork 0
Code Releases Wiki Activity
mirror of the now-defunct rocklinux.org
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4924 Commits
1 Branch
0 Tags
34 MiB
Tree: 0afd8f3e9c
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '0afd8f3e9c'
${ noResults }
rocklinux/package/public/xzgv/xzgv-0.8-integer-overflow-f...

216 lines
7.1 KiB
Raw Normal View History

Clifford Wolf: massive copyright note update git-svn-id: http://www.rocklinux.org/svn/rock-linux/trunk@5477 c5f82cb5-29bc-0310-9cd0-bff59a50e3bc
20 years ago
giftnuss: xzgv updated to 0.8 [U] added there was a integer overflow problem (patch) reported on december 14 gcc-3.3 patch removed Index: package/rene/xzgv/xzgv.desc =================================================================== [2004121820191313764] (https://www.rocklinux.net/submaster) git-svn-id: http://www.rocklinux.org/svn/rock-linux/trunk@5299 c5f82cb5-29bc-0310-9cd0-bff59a50e3bc
20 years ago
  1. # --- ROCK-COPYRIGHT-NOTE-BEGIN ---
  2. #
  3. # This copyright note is auto-generated by ./scripts/Create-CopyPatch.
  4. # Please add additional copyright information _after_ the line containing
  5. # the ROCK-COPYRIGHT-NOTE-END tag. Otherwise it might get removed by
  6. # the ./scripts/Create-CopyPatch script. Do not edit this copyright text!
  7. #
  8. # ROCK Linux: rock-src/package/rene/xzgv/xzgv-0.8-integer-overflow-fix.patch
  9. # ROCK Linux is Copyright (C) 1998 - 2005 Clifford Wolf
  10. #
  11. # This patch file is dual-licensed. It is available under the license the
  12. # patched project is licensed under, as long as it is an OpenSource license
  13. # as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
  14. # of the GNU General Public License as published by the Free Software
  15. # Foundation; either version 2 of the License, or (at your option) any later
  16. # version.
  17. #
  18. # --- ROCK-COPYRIGHT-NOTE-END ---
  20. diff -urN xzgv-0.8/ChangeLog xzgv/ChangeLog
  21. --- xzgv-0.8/ChangeLog Tue Sep 16 15:08:42 2003
  22. +++ xzgv/ChangeLog Wed Dec 15 03:30:46 2004
  23. @@ -1,3 +1,13 @@
  24. +2004-11-03 Russell Marks <russell.marks@ntlworld.com>
  25. +
  26. + * Added width/height limits to all native picture readers. This is
  27. + a crude (albeit effective) fix for heap overflow bugs - there may
  28. + yet be more subtle problems, but I can't really fix them until I
  29. + know they're there. :-) Thanks to Luke Macken for letting me know
  30. + about the heap overflow problems (in zgv). I suppose I should also
  31. + thank "infamous41md" for publishing the original advisory/exploit
  32. + (again for zgv), even if he didn't bother emailing me or anything.
  33. +
  34. 2003-09-16 Russell Marks <russell.marks@ntlworld.com>
  36. * Version 0.8.
  37. diff -urN xzgv-0.8/src/Makefile xzgv/src/Makefile
  38. --- xzgv-0.8/src/Makefile Tue Jan 1 05:37:45 2002
  39. +++ xzgv/src/Makefile Wed Dec 15 03:30:46 2004
  40. @@ -84,18 +84,19 @@
  41. logo.o: logo.c logodata.h
  42. logoconv.o: logoconv.c
  43. main.o: main.c backend.h readmrf.h readgif.h readpng.h readjpeg.h \
  44. - readtiff.h resizepic.h rcfile.h filedetails.h gotodir.h updatetn.h \
  45. - confirm.h misc.h copymove.h rename.h help.h dir_icon.xpm \
  46. + readtiff.h readprf.h resizepic.h rcfile.h filedetails.h gotodir.h \
  47. + updatetn.h confirm.h misc.h copymove.h rename.h help.h dir_icon.xpm \
  48. dir_icon_small.xpm file_icon.xpm file_icon_small.xpm logo.h \
  49. icon-48.xpm main.h
  50. misc.o: misc.c misc.h
  51. rcfile.o: rcfile.c getopt.h rcfile.h rcfile_opt.h rcfile_var.h \
  52. rcfile_short.h
  53. -readgif.o: readgif.c readgif.h
  54. -readjpeg.o: readjpeg.c rcfile.h readjpeg.h
  55. -readmrf.o: readmrf.c readmrf.h
  56. +readgif.o: readgif.c reader.h readgif.h
  57. +readjpeg.o: readjpeg.c rcfile.h reader.h readjpeg.h
  58. +readmrf.o: readmrf.c reader.h readmrf.h
  59. readpng.o: readpng.c readpng.h
  60. -readtiff.o: readtiff.c readtiff.h
  61. +readprf.o: readprf.c reader.h readprf.h
  62. +readtiff.o: readtiff.c reader.h readtiff.h
  63. rename.o: rename.c backend.h main.h rename.h
  64. resizepic.o: resizepic.c resizepic.h
  65. updatetn.o: updatetn.c backend.h main.h rcfile.h dither.h resizepic.h \
  66. diff -urN xzgv-0.8/src/reader.h xzgv/src/reader.h
  67. --- xzgv-0.8/src/reader.h Thu Jan 1 01:00:00 1970
  68. +++ xzgv/src/reader.h Wed Dec 15 03:30:46 2004
  69. @@ -0,0 +1,15 @@
  70. +/* xzgv 0.8 - picture viewer for X, with file selector.
  71. + * Copyright (C) 1999-2004 Russell Marks. See main.c for license details.
  72. + *
  73. + * reader.h
  74. + */
  75. +
  76. +/* range check on width and height as a crude way of avoiding overflows
  77. + * when calling malloc/calloc. 32767 is the obvious limit to use given that
  78. + * xzgv effectively imposes such a limit anyway.
  79. + * Adds an extra 2 to height for max-height check, partly to reflect what
  80. + * the check in zgv does but also to allow for readtiff.c allocating an
  81. + * extra line (so at least an extra 1 would have been needed in any case).
  82. + */
  83. +#define WH_MAX 32767
  84. +#define WH_BAD(w,h) ((w)<=0 || (w)>WH_MAX || (h)<=0 || ((h)+2)>WH_MAX)
  85. diff -urN xzgv-0.8/src/readgif.c xzgv/src/readgif.c
  86. --- xzgv-0.8/src/readgif.c Sun Mar 3 04:34:32 2002
  87. +++ xzgv/src/readgif.c Wed Dec 15 03:30:46 2004
  88. @@ -8,6 +8,7 @@
  89. #include <string.h>
  90. #include <unistd.h>
  91. #include <stdlib.h>
  92. +#include "reader.h"
  93. #include "readgif.h"
  96. @@ -103,7 +104,7 @@
  98. if(local_colour_map) readcolmap(in);
  100. - if((image=malloc(width*height*3))==NULL)
  101. + if(WH_BAD(width,height) || (image=malloc(width*height*3))==NULL)
  102. {
  103. fclose(in);
  104. return(0);
  105. diff -urN xzgv-0.8/src/readjpeg.c xzgv/src/readjpeg.c
  106. --- xzgv-0.8/src/readjpeg.c Tue Sep 16 12:52:04 2003
  107. +++ xzgv/src/readjpeg.c Wed Dec 15 03:30:46 2004
  108. @@ -13,6 +13,7 @@
  109. #include <jpeglib.h>
  111. #include "rcfile.h"
  112. +#include "reader.h"
  114. #include "readjpeg.h"
  116. @@ -265,7 +266,7 @@
  117. /* this one shouldn't hurt */
  118. cinfo.do_block_smoothing=FALSE;
  120. -if((*imagep=image=malloc(width*height*3))==NULL)
  121. +if(WH_BAD(width,height) || (*imagep=image=malloc(width*height*3))==NULL)
  122. longjmp(jerr.setjmp_buffer,1);
  124. jpeg_start_decompress(&cinfo);
  125. diff -urN xzgv-0.8/src/readmrf.c xzgv/src/readmrf.c
  126. --- xzgv-0.8/src/readmrf.c Sat Oct 7 14:26:55 2000
  127. +++ xzgv/src/readmrf.c Wed Dec 15 03:30:46 2004
  128. @@ -7,6 +7,7 @@
  129. #include <stdio.h>
  130. #include <string.h>
  131. #include <stdlib.h>
  132. +#include "reader.h"
  133. #include "readmrf.h"
  136. @@ -91,7 +92,8 @@
  137. w64=(w+63)/64;
  138. h64=(h+63)/64;
  140. -if((*bmap=malloc(w*h*3))==NULL ||
  141. +if(WH_BAD(w64*64,h64*64) || WH_BAD(w,h) ||
  142. + (*bmap=malloc(w*h*3))==NULL ||
  143. (image=calloc(w64*h64*64*64,1))==NULL)
  144. {
  145. if(*bmap) free(*bmap),*bmap=NULL;
  146. diff -urN xzgv-0.8/src/readpng.c xzgv/src/readpng.c
  147. --- xzgv-0.8/src/readpng.c Thu Jul 10 16:13:43 2003
  148. +++ xzgv/src/readpng.c Wed Dec 15 03:32:46 2004
  149. @@ -16,6 +16,7 @@
  150. #include <stdlib.h>
  151. #include <png.h>
  152. #include <setjmp.h> /* after png.h to avoid horrible thing in pngconf.h */
  153. +#include "reader.h"
  154. #include "readpng.h"
  157. @@ -129,7 +130,8 @@
  158. }
  160. /* allocate image memory */
  161. -if((*theimageptr=theimage=malloc(width*height*3))==NULL)
  162. +if(WH_BAD(width,height) ||
  163. + (*theimageptr=theimage=malloc(width*height*3))==NULL)
  164. {
  165. png_read_end(png_ptr,info_ptr);
  166. png_destroy_read_struct(&png_ptr,&info_ptr,NULL);
  167. diff -urN xzgv-0.8/src/readprf.c xzgv/src/readprf.c
  168. --- xzgv-0.8/src/readprf.c Mon Apr 9 19:08:19 2001
  169. +++ xzgv/src/readprf.c Wed Dec 15 03:30:46 2004
  170. @@ -7,6 +7,7 @@
  171. #include <stdio.h>
  172. #include <string.h>
  173. #include <stdlib.h>
  174. +#include "reader.h"
  175. #include "readprf.h"
  177. #define squaresize 64
  178. @@ -164,7 +165,7 @@
  179. bytepp=1;
  181. n=width*squaresize;
  182. -if((planebuf[0]=calloc(n,planes))==NULL)
  183. +if(WH_BAD(width,height) || (planebuf[0]=calloc(n,planes))==NULL)
  184. {
  185. fclose(in);
  186. return(0);
  187. @@ -173,6 +174,7 @@
  188. for(f=1;f<planes;f++)
  189. planebuf[f]=planebuf[f-1]+n;
  191. +/* width/height already checked above */
  192. if((*theimageptr=malloc(width*height*3))==NULL)
  193. {
  194. free(planebuf[0]);
  195. diff -urN xzgv-0.8/src/readtiff.c xzgv/src/readtiff.c
  196. --- xzgv-0.8/src/readtiff.c Thu Dec 28 03:20:55 2000
  197. +++ xzgv/src/readtiff.c Wed Dec 15 03:30:46 2004
  198. @@ -11,7 +11,7 @@
  199. #include <setjmp.h>
  200. #include <sys/file.h> /* for open et al */
  201. #include <tiffio.h>
  202. -
  203. +#include "reader.h"
  204. #include "readtiff.h"
  207. @@ -36,7 +36,8 @@
  208. * spare for the flip afterwards.
  209. */
  210. numpix=width*height;
  211. -if((image=malloc(numpix*sizeof(uint32)+width*3))==NULL)
  212. +if(WH_BAD(width,height) ||
  213. + (image=malloc(numpix*sizeof(uint32)+width*3))==NULL)
  214. {
  215. TIFFClose(in);
  216. return(0);