[mingw32-gdk-pixbuf/f16] patch for CVE-2012-2370

sailer sailer at fedoraproject.org
Tue Aug 7 09:40:15 UTC 2012


commit 6ad65bc84fc00f7cbf0f8dd415089d5f424bf9b9
Author: Thomas Sailer <t.sailer at alumni.ethz.ch>
Date:   Tue Aug 7 11:39:57 2012 +0200

    patch for CVE-2012-2370

 mingw32-gdk-pixbuf.spec |    8 +++++++-
 xbmoverflow.patch       |   44 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+), 1 deletions(-)
---
diff --git a/mingw32-gdk-pixbuf.spec b/mingw32-gdk-pixbuf.spec
index 4aab345..19eae87 100644
--- a/mingw32-gdk-pixbuf.spec
+++ b/mingw32-gdk-pixbuf.spec
@@ -4,7 +4,7 @@
 
 Name:           mingw32-gdk-pixbuf
 Version:        2.24.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        MinGW Windows GDK Pixbuf library
 
 License:        LGPLv2+
@@ -15,6 +15,8 @@ Source0:        http://download.gnome.org/sources/gdk-pixbuf/2.24/gdk-pixbuf-%{v
 # If you want to rebuild this, do:
 # wine /usr/i686-pc-mingw32/sys-root/mingw/bin/gdk-pixbuf-query-loaders.exe | sed s@'Z:/usr/i686-pc-mingw32/sys-root/mingw'@'..'@ > gdk-pixbuf.loaders
 Source1:        gdk-pixbuf.loaders
+# RHBZ #822468
+Patch0:         xbmoverflow.patch
 
 BuildArch:      noarch
 
@@ -47,6 +49,7 @@ MinGW Windows GDK Pixbuf library.
 
 %prep
 %setup -q -n gdk-pixbuf-%{version}
+%patch0 -p1 -b .xbm
 
 
 %build
@@ -118,6 +121,9 @@ install -m 0644 %{SOURCE1} $RPM_BUILD_ROOT%{_mingw32_libdir}/gdk-pixbuf-2.0/2.10
 
 
 %changelog
+* Tue Aug  7 2012 Thomas Sailer <t.sailer at alumni.ethz.ch> - 2.24.0-2
+- patch for #822468, #822471, CVE-2012-2370
+
 * Sat Aug 27 2011 Kalev Lember <kalevlember at gmail.com> - 2.24.0-1
 - Update to 2.24.0
 
diff --git a/xbmoverflow.patch b/xbmoverflow.patch
new file mode 100644
index 0000000..6d3f89e
--- /dev/null
+++ b/xbmoverflow.patch
@@ -0,0 +1,44 @@
+From 4f0f465f991cd454d03189497f923eb40c170c22 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen at redhat.com>
+Date: Sat, 14 Apr 2012 18:21:09 +0000
+Subject: Avoid an integer overflow in the xbm loader
+
+At the same time, reject some silly input, such as negative
+width or height.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=672811
+---
+diff --git a/gdk-pixbuf/io-xbm.c b/gdk-pixbuf/io-xbm.c
+index 46653b9..4f3e1e8 100644
+--- a/gdk-pixbuf/io-xbm.c
++++ b/gdk-pixbuf/io-xbm.c
+@@ -183,10 +183,16 @@ read_bitmap_file_data (FILE    *fstream,
+ 				type++;
+ 			}
+ 
+-			if (!strcmp ("width", type))
++			if (!strcmp ("width", type)) {
++                                if (value <= 0)
++                                        RETURN (FALSE);
+ 				ww = (unsigned int) value;
+-			if (!strcmp ("height", type))
++                        }
++			if (!strcmp ("height", type)) {
++                                if (value <= 0)
++                                        RETURN (FALSE);
+ 				hh = (unsigned int) value;
++                        }
+ 			if (!strcmp ("hot", type)) {
+ 				if (type-- == name_and_type
+ 				    || type-- == name_and_type)
+@@ -231,6 +237,8 @@ read_bitmap_file_data (FILE    *fstream,
+ 		bytes_per_line = (ww+7)/8 + padding;
+ 
+ 		size = bytes_per_line * hh;
++                if (size / bytes_per_line != hh) /* overflow */
++                        RETURN (FALSE);
+ 		bits = g_malloc (size);
+ 
+ 		if (version10p) {
+--
+cgit v0.9.0.2
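Review bot: The overflow test in the second io-xbm.c hunk runs only after `size = bytes_per_line * hh` has been computed, so whether it catches every wrap depends on the types of `size` and `bytes_per_line`, which are declared outside the hunk (if both operands were signed, the overflow itself would already be undefined behaviour). Checking before the multiply removes that dependency and the implicit assumption that `bytes_per_line` is non-zero: `if (bytes_per_line <= 0 || hh > G_MAXINT / bytes_per_line) RETURN (FALSE);`, with the bound adjusted to whatever type `size` really has. Separately, a large but non-overflowing `size` taken from an untrusted XBM header still reaches `g_malloc (size)`, which aborts the process on allocation failure; `g_try_malloc` with a NULL check that does `RETURN (FALSE)` would turn that into an ordinary load error. read_bitmap_file_data begins and ends outside both hunks, so any earlier rejection of a missing width or height line cannot be confirmed from here.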

