rpms/imlib2/FC-3 imlib2-1.3.0-loader_overflows.patch, NONE, 1.1 .cvsignore, 1.3, 1.4 imlib2.spec, 1.10, 1.11 sources, 1.4, 1.5 imlib2-1.2.0-configure-xlib64.patch, 1.1, NONE
Hans de Goede (jwrdegoede)
fedora-extras-commits at redhat.com
Thu Nov 9 10:20:26 UTC 2006
- Previous message: rpms/mod_fcgid/FC-6 .cvsignore, 1.2, 1.3 configuration.htm, 1.1, 1.2 doc.htm, 1.1, 1.2 mod_fcgid.spec, 1.2, 1.3 sources, 1.2, 1.3
- Next message: rpms/mod_fcgid/FC-5 .cvsignore, 1.2, 1.3 configuration.htm, 1.1, 1.2 doc.htm, 1.1, 1.2 mod_fcgid.spec, 1.2, 1.3 sources, 1.2, 1.3
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: jwrdegoede
Update of /cvs/extras/rpms/imlib2/FC-3
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv13082
Modified Files:
.cvsignore imlib2.spec sources
Added Files:
imlib2-1.3.0-loader_overflows.patch
Removed Files:
imlib2-1.2.0-configure-xlib64.patch
Log Message:
* Thu Nov 9 2006 Hans de Goede <j.w.r.degoede at hhs.nl> 1.2.1-2
- Fix CVE-2006-4806, CVE-2006-4807, CVE-2006-4808, CVE-2006-4809, thanks to
Ubuntu for the patch (bug 214676)
imlib2-1.3.0-loader_overflows.patch:
--- NEW FILE imlib2-1.3.0-loader_overflows.patch ---
diff -Nur imlib2-1.2.1/src/modules/loaders/loader_argb.c imlib2-1.2.1.new/src/modules/loaders/loader_argb.c
--- imlib2-1.2.1/src/modules/loaders/loader_argb.c 2006-11-06 01:27:59.000000000 -0800
+++ imlib2-1.2.1.new/src/modules/loaders/loader_argb.c 2006-11-06 01:30:41.000000000 -0800
@@ -23,7 +23,7 @@
load(ImlibImage * im, ImlibProgressFunction progress,
char progress_granularity, char immediate_load)
{
- int w, h, alpha;
+ int w=0, h=0, alpha=0;
FILE *f;
if (im->data)
@@ -36,13 +36,15 @@
{
char buf[256], buf2[256];
+ memset(buf, 0, sizeof(buf));
+ memset(buf2, 0, sizeof(buf));
if (!fgets(buf, 255, f))
{
fclose(f);
return 0;
}
sscanf(buf, "%s %i %i %i", buf2, &w, &h, &alpha);
- if (strcmp(buf2, "ARGB"))
+ if (strcmp(buf2, "ARGB") || w < 1 || h < 1 || w > 16383 || h > 16383)
{
fclose(f);
return 0;
diff -Nur imlib2-1.2.1/src/modules/loaders/loader_jpeg.c imlib2-1.2.1.new/src/modules/loaders/loader_jpeg.c
--- imlib2-1.2.1/src/modules/loaders/loader_jpeg.c 2006-11-06 01:27:59.000000000 -0800
+++ imlib2-1.2.1.new/src/modules/loaders/loader_jpeg.c 2006-11-06 01:33:01.000000000 -0800
@@ -104,8 +104,9 @@
im->w = w = cinfo.output_width;
im->h = h = cinfo.output_height;
- if (cinfo.rec_outbuf_height > 16)
+ if (cinfo.rec_outbuf_height > 16 || w < 1 || h < 1 || w > 16383 || h > 16383)
{
+ im->w = im->h = 0;
jpeg_destroy_decompress(&cinfo);
fclose(f);
return 0;
diff -Nur imlib2-1.2.1/src/modules/loaders/loader_lbm.c imlib2-1.2.1.new/src/modules/loaders/loader_lbm.c
--- imlib2-1.2.1/src/modules/loaders/loader_lbm.c 2006-11-06 01:27:59.000000000 -0800
+++ imlib2-1.2.1.new/src/modules/loaders/loader_lbm.c 2006-11-06 01:30:41.000000000 -0800
@@ -421,7 +421,7 @@
im->w = L2RWORD(ilbm.bmhd.data);
im->h = L2RWORD(ilbm.bmhd.data + 2);
- if (im->w <= 0 || im->h <= 0) ok = 0;
+ if (im->w <= 0 || im->h <= 0 || im->w > 16383 || im->h > 16383) ok = 0;
ilbm.depth = ilbm.bmhd.data[8];
if (ilbm.depth < 1 || (ilbm.depth > 8 && ilbm.depth != 24 && ilbm.depth != 32)) ok = 0; /* Only 1 to 8, 24, or 32 planes. */
@@ -453,6 +453,7 @@
}
}
if (!full || !ok) {
+ im->w = im->h = 0;
freeilbm(&ilbm);
return ok;
}
@@ -467,12 +468,13 @@
cancel = 0;
plane[0] = NULL;
+ n = ilbm.depth;
+ if (ilbm.mask == 1) n++;
+
im->data = malloc(im->w * im->h * sizeof(DATA32));
- if (im->data) {
- n = ilbm.depth;
- if (ilbm.mask == 1) n++;
+ plane[0] = malloc(((im->w + 15) / 16) * 2 * n);
+ if (im->data && plane[0]) {
- plane[0] = malloc(((im->w + 15) / 16) * 2 * n);
for (i = 1; i < n; i++) plane[i] = plane[i - 1] + ((im->w + 15) / 16) * 2;
z = ((im->w + 15) / 16) * 2 * n;
@@ -511,6 +513,7 @@
* the memory for im->data.
*----------*/
if (!ok) {
+ im->w = im->h = 0;
if (im->data) free(im->data);
im->data = NULL;
}
diff -Nur imlib2-1.2.1/src/modules/loaders/loader_png.c imlib2-1.2.1.new/src/modules/loaders/loader_png.c
--- imlib2-1.2.1/src/modules/loaders/loader_png.c 2006-11-06 01:27:59.000000000 -0800
+++ imlib2-1.2.1.new/src/modules/loaders/loader_png.c 2006-11-06 01:30:41.000000000 -0800
@@ -83,6 +83,13 @@
png_get_IHDR(png_ptr, info_ptr, (png_uint_32 *) (&w32),
(png_uint_32 *) (&h32), &bit_depth, &color_type,
&interlace_type, NULL, NULL);
+ if (w32 < 1 || h32 < 1 || w32 > 16383 || h32 > 16383)
+ {
+ png_read_end(png_ptr, info_ptr);
+ png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp) NULL);
+ fclose(f);
+ return 0;
+ }
im->w = (int)w32;
im->h = (int)h32;
if (color_type == PNG_COLOR_TYPE_PALETTE)
diff -Nur imlib2-1.2.1/src/modules/loaders/loader_pnm.c imlib2-1.2.1.new/src/modules/loaders/loader_pnm.c
--- imlib2-1.2.1/src/modules/loaders/loader_pnm.c 2006-11-06 01:27:59.000000000 -0800
+++ imlib2-1.2.1.new/src/modules/loaders/loader_pnm.c 2006-11-06 01:30:41.000000000 -0800
@@ -80,7 +80,7 @@
int i = 0;
/* read numbers */
- while (c != EOF && !isspace(c))
+ while (c != EOF && i+1 < sizeof(buf) && !isspace(c))
{
buf[i++] = c;
c = fgetc(f);
diff -Nur imlib2-1.2.1/src/modules/loaders/loader_tga.c imlib2-1.2.1.new/src/modules/loaders/loader_tga.c
--- imlib2-1.2.1/src/modules/loaders/loader_tga.c 2006-11-06 01:27:59.000000000 -0800
+++ imlib2-1.2.1.new/src/modules/loaders/loader_tga.c 2006-11-06 01:30:41.000000000 -0800
@@ -319,6 +319,7 @@
{
unsigned long datasize;
unsigned char *bufptr;
+ unsigned char *bufend;
DATA32 *dataptr;
int y, pl = 0;
@@ -348,6 +349,9 @@
/* bufptr is the next byte to be read from the buffer */
bufptr = filedata;
+ /* bufend is one past the last byte to be read from the buffer */
+ bufend = filedata + datasize;
+
/* dataptr is the next 32-bit pixel to be filled in */
dataptr = im->data;
@@ -365,7 +369,9 @@
else
dataptr = im->data + (y * im->w);
- for (x = 0; x < im->w; x++) /* for each pixel in the row */
+ for (x = 0;
+ x < im->w && bufptr+bpp/8 < bufend;
+ x++) /* for each pixel in the row */
{
switch (bpp)
{
@@ -422,8 +428,8 @@
unsigned char curbyte, red, green, blue, alpha;
DATA32 *final_pixel = dataptr + im->w * im->h;
- /* loop until we've got all the pixels */
- while (dataptr < final_pixel)
+ /* loop until we've got all the pixels or run out of input */
+ while (dataptr < final_pixel && bufptr+1+bpp/8 < bufend)
{
int count;
@@ -441,7 +447,7 @@
green = *bufptr++;
red = *bufptr++;
alpha = *bufptr++;
- for (i = 0; i < count; i++)
+ for (i = 0; i < count && dataptr < final_pixel; i++)
{
WRITE_RGBA(dataptr, red, green, blue, alpha);
dataptr++;
@@ -452,7 +458,7 @@
blue = *bufptr++;
green = *bufptr++;
red = *bufptr++;
- for (i = 0; i < count; i++)
+ for (i = 0; i < count && dataptr < final_pixel; i++)
{
WRITE_RGBA(dataptr, red, green, blue,
(char)0xff);
@@ -462,7 +468,7 @@
case 8:
alpha = *bufptr++;
- for (i = 0; i < count; i++)
+ for (i = 0; i < count && dataptr < final_pixel; i++)
{
WRITE_RGBA(dataptr, alpha, alpha, alpha,
(char)0xff);
@@ -477,7 +483,7 @@
{
int i;
- for (i = 0; i < count; i++)
+ for (i = 0; i < count && dataptr < final_pixel; i++)
{
switch (bpp)
{
diff -Nur imlib2-1.2.1/src/modules/loaders/loader_tiff.c imlib2-1.2.1.new/src/modules/loaders/loader_tiff.c
--- imlib2-1.2.1/src/modules/loaders/loader_tiff.c 2006-11-06 01:27:59.000000000 -0800
+++ imlib2-1.2.1.new/src/modules/loaders/loader_tiff.c 2006-11-06 01:30:41.000000000 -0800
@@ -75,7 +75,7 @@
raster(TIFFRGBAImage_Extra * img, uint32 * rast,
uint32 x, uint32 y, uint32 w, uint32 h)
{
- uint32 image_width, image_height;
+ int image_width, image_height;
uint32 *pixel, pixel_value;
int i, j, dy, rast_offset;
DATA32 *buffer_pixel, *buffer = img->image->data;
@@ -192,8 +192,16 @@
}
rgba_image.image = im;
- im->w = width = rgba_image.rgba.width;
- im->h = height = rgba_image.rgba.height;
+ width = rgba_image.rgba.width;
+ height = rgba_image.rgba.height;
+ if (width < 1 || height < 1 || width >= 16384 || height >= 16384)
+ {
+ TIFFRGBAImageEnd((TIFFRGBAImage *) & rgba_image);
+ TIFFClose(tif);
+ return 0;
+ }
+ im->w = width;
+ im->h = height;
rgba_image.num_pixels = num_pixels = width * height;
if (rgba_image.rgba.alpha != EXTRASAMPLE_UNSPECIFIED)
SET_FLAG(im->flags, F_HAS_ALPHA);
Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/imlib2/FC-3/.cvsignore,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- .cvsignore 8 Nov 2004 04:35:58 -0000 1.3
+++ .cvsignore 9 Nov 2006 10:19:56 -0000 1.4
@@ -1 +1 @@
-imlib2-1.1.2.tar.gz
+imlib2-1.2.1.tar.gz
Index: imlib2.spec
===================================================================
RCS file: /cvs/extras/rpms/imlib2/FC-3/imlib2.spec,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- imlib2.spec 5 Apr 2005 19:07:53 -0000 1.10
+++ imlib2.spec 9 Nov 2006 10:19:56 -0000 1.11
@@ -1,12 +1,12 @@
-Summary: Graphic library for file loading, saving, rendering, and manipulation
+Summary: Image loading, saving, rendering, and manipulation library
Name: imlib2
-Version: 1.2.0
-Release: 7.fc3
+Version: 1.2.1
+Release: 2%{?dist}
License: BSD
Group: System Environment/Libraries
-URL: http://www.enlightenment.org/pages/imlib2.html
+URL: http://www.enlightenment.org/Libraries/Imlib2/
Source0: http://download.sf.net/enlightenment/%{name}-%{version}.tar.gz
-Patch0: imlib2-1.2.0-configure-xlib64.patch
+Patch0: imlib2-1.3.0-loader_overflows.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-buildroot
BuildRequires: XFree86-devel libjpeg-devel libpng-devel libtiff-devel
BuildRequires: libungif-devel freetype-devel libtool bzip2-devel %{__perl}
@@ -19,43 +19,46 @@
%description
-Imlib 2 is the successor to Imlib. It is NOT a newer version -- it is
-a completely new library. Imlib 2 can be installed alongside Imlib 1.x
-without any problems since they are effectively different libraries
-which have very similar functionality. Please see the homepage for the
-long description of the differences.
+Imlib 2 is a library that does image file loading and saving as well
+as rendering, manipulation, arbitrary polygon support, etc. It does
+ALL of these operations FAST. Imlib2 also tries to be highly
+intelligent about doing them, so writing naive programs can be done
+easily, without sacrificing speed. This is a complete rewrite over
+the Imlib 1.x series. The architecture is more modular, simple, and
+flexible.
%description devel
This package contains development files for %{name}.
-Imlib 2 is the successor to Imlib. It is NOT a newer version -- it is
-a completely new library. Imlib 2 can be installed alongside Imlib 1.x
-without any problems since they are effectively different libraries
-which have very similar functionality. Please see the homepage for the
-long description of the differences.
+Imlib 2 is a library that does image file loading and saving as well
+as rendering, manipulation, arbitrary polygon support, etc. It does
+ALL of these operations FAST. Imlib2 also tries to be highly
+intelligent about doing them, so writing naive programs can be done
+easily, without sacrificing speed. This is a complete rewrite over
+the Imlib 1.x series. The architecture is more modular, simple, and
+flexible.
%prep
%setup -q
-%ifarch x86_64
-%patch0 -b .patch0
-%endif
-# loaders need to link with the main lib
-%{__perl} -pi -e \
- 's|^(\w+_la_LDFLAGS .*)|$1 -L\$(top_builddir)/src/lib| ;
- s|^(\w+_la_LIBADD .*)|$1 -lImlib2|' src/modules/loaders/Makefile.*
+%patch0 -p1 -b .overflow
%build
-%configure \
- --x-libraries=%{_prefix}/X11R6/%{_lib} \
- --with-pic \
+asmopts="--disable-mmx --disable-amd64"
%ifarch %{ix86} ia64
- --enable-mmx
-%else
- --disable-mmx
+asmopts="--enable-mmx --disable-amd64"
%endif
%ifarch x86_64
+asmopts="--disable-mmx --enable-amd64"
+%endif
+
+%configure --disable-dependency-tracking \
+ --x-libraries=%{_prefix}/X11R6/%{_lib} \
+ --with-pic \
+ $asmopts
+
+%ifarch x86_64
# fix hardcoded rpath im Makefiles on x86_64 due to freetype-config --libs
# returning "-L/usr/lib64 -Wl,--rpath -Wl,/usr/lib64 -lfreetype -lz":
%{__perl} -pi.orig -e 's|-Wl,--rpath -Wl,/usr/lib64||g;' \
@@ -66,20 +69,14 @@
%install
-rm -rf $RPM_BUILD_ROOT __doc
+rm -rf $RPM_BUILD_ROOT
make install DESTDIR=$RPM_BUILD_ROOT LIBTOOL=/usr/bin/libtool
-cp -a doc __doc
-rm -f __doc/Makefile*
-
-# remove unexpanded variable in pkgconfig file
-sed -i -e 's!@requirements@!!g' ${RPM_BUILD_ROOT}%{_libdir}/pkgconfig/imlib2.pc
-
rm -f \
$RPM_BUILD_ROOT%{_libdir}/imlib2/{loaders,filters}/*.a \
- $RPM_BUILD_ROOT%{_bindir}/{color_spaces,imlib2,*test}
+ $RPM_BUILD_ROOT%{_bindir}/imlib2_test
-# ship .la files due to a bug in kdelibs (see changelog):
+# ship .la files due to a bug in kdelibs (bugzilla.fedora.us #2284):
# $RPM_BUILD_ROOT%{_libdir}/libImlib2.la \
@@ -93,7 +90,7 @@
%files
%defattr(-,root,root,-)
-%doc COPYING AUTHORS README ChangeLog TODO __doc/*
+%doc COPYING AUTHORS README ChangeLog TODO
%{_bindir}/imlib2_view
%{_bindir}/imlib2_bumpmap
%{_bindir}/imlib2_colorspace
@@ -113,6 +110,7 @@
%files devel
%defattr(-,root,root,-)
+%doc doc/*.gif doc/*.html
%{_bindir}/imlib2-config
%{_includedir}/Imlib2.h
%{_libdir}/libImlib2.a
@@ -122,7 +120,20 @@
%changelog
-* Tue Apr 5 2005 Michael Schwendt <mschwendt[AT]users.sf.net> - 1.2.0-7.fc3
+* Thu Nov 9 2006 Hans de Goede <j.w.r.degoede at hhs.nl> 1.2.1-2
+- Fix CVE-2006-4806, CVE-2006-4807, CVE-2006-4808, CVE-2006-4809, thanks to
+ Ubuntu for the patch (bug 214676)
+
+* Sun Aug 28 2005 Ville Skyttä <ville.skytta at iki.fi> - 1.2.1-1
+- 1.2.1, patches applied/obsoleted upstream.
+- Improve summary and description, fix URL.
+- Move HTML docs to -devel.
+- Build with dependency tracking disabled.
+
+* Mon May 9 2005 Michael Schwendt <mschwendt[AT]users.sf.net> - 1.2.0-8.fc4
+- Fix segfault in XPM loader (#156058).
+
+* Tue Apr 5 2005 Michael Schwendt <mschwendt[AT]users.sf.net> - 1.2.0-7.fc4
- Fix broken pkgconfig file.
* Fri Apr 1 2005 Michael Schwendt <mschwendt[AT]users.sf.net> - 1.2.0-6
Index: sources
===================================================================
RCS file: /cvs/extras/rpms/imlib2/FC-3/sources,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- sources 17 Jan 2005 09:43:09 -0000 1.4
+++ sources 9 Nov 2006 10:19:56 -0000 1.5
@@ -1 +1 @@
-853fb77100ee3c3ca944f52c892ab49b imlib2-1.2.0.tar.gz
+e32970d03d8aee2885782312d0a7f15f imlib2-1.2.1.tar.gz
--- imlib2-1.2.0-configure-xlib64.patch DELETED ---
- Previous message: rpms/mod_fcgid/FC-6 .cvsignore, 1.2, 1.3 configuration.htm, 1.1, 1.2 doc.htm, 1.1, 1.2 mod_fcgid.spec, 1.2, 1.3 sources, 1.2, 1.3
- Next message: rpms/mod_fcgid/FC-5 .cvsignore, 1.2, 1.3 configuration.htm, 1.1, 1.2 doc.htm, 1.1, 1.2 mod_fcgid.spec, 1.2, 1.3 sources, 1.2, 1.3
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the scm-commits
mailing list