[notify] gdk-pixbuf: added patch for CVE-2015-4491.

Advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4491
2015-08-18 20:48:29 +02:00 · 2015-08-18 20:48:29 +02:00 · 6b9a9c2f71
commit 6b9a9c2f71
parent a150c70045
4 changed files with 93 additions and 8 deletions
--- a/gdk-pixbuf/.footprint
+++ b/gdk-pixbuf/.footprint
@ -71,10 +71,10 @@ lrwxrwxrwx	root/root	usr/lib/libgdk_pixbuf_xlib-2.0.so.0 -> libgdk_pixbuf_xlib-2
 drwxr-xr-x	root/root	usr/lib/pkgconfig/
 -rw-r--r--	root/root	usr/lib/pkgconfig/gdk-pixbuf-2.0.pc
 -rw-r--r--	root/root	usr/lib/pkgconfig/gdk-pixbuf-xlib-2.0.pc
-drwxr-xr-x	root/root	usr/man/
-drwxr-xr-x	root/root	usr/man/man1/
-rw-r--r--	root/root	usr/man/man1/gdk-pixbuf-csource.1.gz
-rw-r--r--	root/root	usr/man/man1/gdk-pixbuf-query-loaders.1.gz
 drwxr-xr-x	root/root	usr/share/
 drwxr-xr-x	root/root	usr/share/gir-1.0/
 -rw-r--r--	root/root	usr/share/gir-1.0/GdkPixbuf-2.0.gir
+drwxr-xr-x	root/root	usr/share/man/
+drwxr-xr-x	root/root	usr/share/man/man1/
+-rw-r--r--	root/root	usr/share/man/man1/gdk-pixbuf-csource.1.gz
+-rw-r--r--	root/root	usr/share/man/man1/gdk-pixbuf-query-loaders.1.gz
--- a/gdk-pixbuf/.md5sum
+++ b/gdk-pixbuf/.md5sum
@ -1,3 +1,4 @@
+6c3862a6dfd70e31f8a6a1c3c65caece  CVE-2015-4491.patch
 4fed0d54432f1b69fc6e66e608bd5542  gdk-pixbuf-2.30.8.tar.xz
 d5311640870a5de1dc8aefcb4509a99d  gdk-pixbuf-register.sh
 94f3472231326d5352d007497db82798  gdk-pixbuf.loaders
--- a/gdk-pixbuf/CVE-2015-4491.patch
+++ b/gdk-pixbuf/CVE-2015-4491.patch
@ -0,0 +1,81 @@
+From 62eab9b3d73a07f1b1821ff05eda6ccf5e2c5901 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Mon, 13 Jul 2015 00:33:40 -0400
+Subject: [PATCH] pixops: Be more careful about integer overflow
+
+Our loader code is supposed to handle out-of-memory and overflow
+situations gracefully, reporting errors instead of aborting. But
+if you load an image at a specific size, we also execute our
+scaling code, which was not careful enough about overflow in some
+places. This commit makes the scaling code silently return if
+it fails to allocate filter tables.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=752297
+---
+ gdk-pixbuf/pixops/pixops.c | 22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c
+index 29a1c14..226ad09 100644
+--- a/gdk-pixbuf/pixops/pixops.c
+++ b/gdk-pixbuf/pixops/pixops.c
+@@ -1272,7 +1272,16 @@ make_filter_table (PixopsFilter *filter)
+   int i_offset, j_offset;
+   int n_x = filter->x.n;
+   int n_y = filter->y.n;
+-  int *weights = g_new (int, SUBSAMPLE * SUBSAMPLE * n_x * n_y);
+  gsize n_weights;
+  int *weights;
+
+  n_weights = SUBSAMPLE * SUBSAMPLE * n_x * n_y;
+  if (n_weights / (SUBSAMPLE * SUBSAMPLE) != n_x * n_y)
+    return NULL; /* overflow, bail */
+
+  weights = g_new (int, n_weights);
+  if (!weights)
+    return NULL; /* overflow, bail */
+ 
+   for (i_offset=0; i_offset < SUBSAMPLE; i_offset++)
+     for (j_offset=0; j_offset < SUBSAMPLE; j_offset++)
+@@ -1347,8 +1356,11 @@ pixops_process (guchar         *dest_buf,
+   if (x_step == 0 || y_step == 0)
+     return; /* overflow, bail out */
+ 
+-  line_bufs = g_new (guchar *, filter->y.n);
+   filter_weights = make_filter_table (filter);
+  if (!filter_weights)
+    return; /* overflow, bail out */
+
+  line_bufs = g_new (guchar *, filter->y.n);
+ 
+   check_shift = check_size ? get_check_shift (check_size) : 0;
+ 
+@@ -1468,7 +1480,7 @@ tile_make_weights (PixopsFilterDimension *dim,
+ 		   double                 scale)
+ {
+   int n = ceil (1 / scale + 1);
+-  double *pixel_weights = g_new (double, SUBSAMPLE * n);
+  double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
+   int offset;
+   int i;
+ 
+@@ -1526,7 +1538,7 @@ bilinear_magnify_make_weights (PixopsFilterDimension *dim,
+     }
+ 
+   dim->n = n;
+-  dim->weights = g_new (double, SUBSAMPLE * n);
+  dim->weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
+ 
+   pixel_weights = dim->weights;
+ 
+@@ -1617,7 +1629,7 @@ bilinear_box_make_weights (PixopsFilterDimension *dim,
+ 			   double                 scale)
+ {
+   int n = ceil (1/scale + 3.0);
+-  double *pixel_weights = g_new (double, SUBSAMPLE * n);
+  double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
+   double w;
+   int offset, i;
+ 
+-- 
+2.4.3
--- a/gdk-pixbuf/Pkgfile
+++ b/gdk-pixbuf/Pkgfile
@ -5,15 +5,18 @@

 name=gdk-pixbuf
 version=2.30.8
-release=2
+release=3
 source=(http://download.gnome.org/sources/$name/2.30/$name-$version.tar.xz \
-        gdk-pixbuf.loaders gdk-pixbuf-register.sh)
+        gdk-pixbuf.loaders gdk-pixbuf-register.sh CVE-2015-4491.patch)

 build () {
    cd $name-$version
+    patch -p1 -i $SRC/CVE-2015-4491.patch

-    ./configure --prefix=/usr --mandir=/usr/man --disable-nls \
-                --without-libjasper --with-x11
+    ./configure --prefix=/usr \
+                --disable-nls \
+                --without-libjasper \
+                --with-x11
    make
    make DESTDIR=$PKG install