rpms/xzgv/devel xzgv-0.8-integer-overflow-fix.diff, NONE, 1.1 xzgv.spec, NONE, 1.1 .cvsignore, 1.1, 1.2 sources, 1.1, 1.2

Terje Røsten (terjeros) fedora-extras-commits at redhat.com
Wed Jul 4 16:54:01 UTC 2007


Author: terjeros

Update of /cvs/extras/rpms/xzgv/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv23243/devel

Modified Files:
	.cvsignore sources 
Added Files:
	xzgv-0.8-integer-overflow-fix.diff xzgv.spec 
Log Message:
Importing new package: xzgv



xzgv-0.8-integer-overflow-fix.diff:

--- NEW FILE xzgv-0.8-integer-overflow-fix.diff ---
diff -urN xzgv-0.8/ChangeLog xzgv/ChangeLog
--- xzgv-0.8/ChangeLog	Tue Sep 16 15:08:42 2003
+++ xzgv/ChangeLog	Wed Dec 15 03:30:46 2004
@@ -1,3 +1,13 @@
+2004-11-03  Russell Marks  <russell.marks at ntlworld.com>
+
+	* Added width/height limits to all native picture readers. This is
+	a crude (albeit effective) fix for heap overflow bugs - there may
+	yet be more subtle problems, but I can't really fix them until I
+	know they're there. :-) Thanks to Luke Macken for letting me know
+	about the heap overflow problems (in zgv). I suppose I should also
+	thank "infamous41md" for publishing the original advisory/exploit
+	(again for zgv), even if he didn't bother emailing me or anything.
+
 2003-09-16  Russell Marks  <russell.marks at ntlworld.com>
 
 	* Version 0.8.
diff -urN xzgv-0.8/src/Makefile xzgv/src/Makefile
--- xzgv-0.8/src/Makefile	Tue Jan  1 05:37:45 2002
+++ xzgv/src/Makefile	Wed Dec 15 03:30:46 2004
@@ -84,18 +84,19 @@
 logo.o: logo.c logodata.h
 logoconv.o: logoconv.c
 main.o: main.c backend.h readmrf.h readgif.h readpng.h readjpeg.h \
- readtiff.h resizepic.h rcfile.h filedetails.h gotodir.h updatetn.h \
- confirm.h misc.h copymove.h rename.h help.h dir_icon.xpm \
+ readtiff.h readprf.h resizepic.h rcfile.h filedetails.h gotodir.h \
+ updatetn.h confirm.h misc.h copymove.h rename.h help.h dir_icon.xpm \
  dir_icon_small.xpm file_icon.xpm file_icon_small.xpm logo.h \
  icon-48.xpm main.h
 misc.o: misc.c misc.h
 rcfile.o: rcfile.c getopt.h rcfile.h rcfile_opt.h rcfile_var.h \
  rcfile_short.h
-readgif.o: readgif.c readgif.h
-readjpeg.o: readjpeg.c rcfile.h readjpeg.h
-readmrf.o: readmrf.c readmrf.h
+readgif.o: readgif.c reader.h readgif.h
+readjpeg.o: readjpeg.c rcfile.h reader.h readjpeg.h
+readmrf.o: readmrf.c reader.h readmrf.h
 readpng.o: readpng.c readpng.h
-readtiff.o: readtiff.c readtiff.h
+readprf.o: readprf.c reader.h readprf.h
+readtiff.o: readtiff.c reader.h readtiff.h
 rename.o: rename.c backend.h main.h rename.h
 resizepic.o: resizepic.c resizepic.h
 updatetn.o: updatetn.c backend.h main.h rcfile.h dither.h resizepic.h \
diff -urN xzgv-0.8/src/reader.h xzgv/src/reader.h
--- xzgv-0.8/src/reader.h	Thu Jan  1 01:00:00 1970
+++ xzgv/src/reader.h	Wed Dec 15 03:30:46 2004
@@ -0,0 +1,15 @@
+/* xzgv 0.8 - picture viewer for X, with file selector.
+ * Copyright (C) 1999-2004 Russell Marks. See main.c for license details.
+ *
+ * reader.h
+ */
+
+/* range check on width and height as a crude way of avoiding overflows
+ * when calling malloc/calloc. 32767 is the obvious limit to use given that
+ * xzgv effectively imposes such a limit anyway.
+ * Adds an extra 2 to height for max-height check, partly to reflect what
+ * the check in zgv does but also to allow for readtiff.c allocating an
+ * extra line (so at least an extra 1 would have been needed in any case).
+ */
+#define WH_MAX	32767
+#define WH_BAD(w,h)	((w)<=0 || (w)>WH_MAX || (h)<=0 || ((h)+2)>WH_MAX)
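Review bot: The height test in `WH_BAD`, `((h)+2)>WH_MAX`, does the addition before the comparison, so a height within 2 of the type's maximum wraps and is then accepted as in range. For a signed type that wrap is undefined behaviour; for an unsigned type it yields a small value. Comparing against the constant avoids arithmetic on the untrusted value: `#define WH_BAD(w,h) ((w)<=0 || (w)>WH_MAX || (h)<=0 || (h)>WH_MAX-2)`. The argument types are declared in the individual readers, outside this hunk, so whether a given format can deliver such a value needs confirming per reader; libpng, for instance, reports dimensions as unsigned 32-bit values.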
diff -urN xzgv-0.8/src/readgif.c xzgv/src/readgif.c
--- xzgv-0.8/src/readgif.c	Sun Mar  3 04:34:32 2002
+++ xzgv/src/readgif.c	Wed Dec 15 03:30:46 2004
@@ -8,6 +8,7 @@
 #include <string.h>
 #include <unistd.h>
 #include <stdlib.h>
+#include "reader.h"
 #include "readgif.h"
 
 
@@ -103,7 +104,7 @@
   
   if(local_colour_map) readcolmap(in);
   
-  if((image=malloc(width*height*3))==NULL)
+  if(WH_BAD(width,height) || (image=malloc(width*height*3))==NULL)
     {
     fclose(in);
     return(0);
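Review bot: `malloc(width*height*3)` still multiplies in the operands' own type, and the new bound does not keep that product inside a 32-bit signed int: 32767 * 32765 * 3 is roughly 3.2e9, above INT_MAX. If `width` and `height` are `int` here (their declarations are outside the hunk), the size expression remains a signed overflow for large images that the check accepts. Doing the arithmetic in size_t, `image=malloc((size_t)width*height*3)`, removes that, and the worst case still fits a 32-bit size_t. The same expression is used by the allocations in the readjpeg.c and readpng.c hunks and by the second allocation in readprf.c.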
diff -urN xzgv-0.8/src/readjpeg.c xzgv/src/readjpeg.c
--- xzgv-0.8/src/readjpeg.c	Tue Sep 16 12:52:04 2003
+++ xzgv/src/readjpeg.c	Wed Dec 15 03:30:46 2004
@@ -13,6 +13,7 @@
 #include <jpeglib.h>
 
 #include "rcfile.h"
+#include "reader.h"
 
 #include "readjpeg.h"
 
@@ -265,7 +266,7 @@
 /* this one shouldn't hurt */
 cinfo.do_block_smoothing=FALSE;
 
-if((*imagep=image=malloc(width*height*3))==NULL)
+if(WH_BAD(width,height) || (*imagep=image=malloc(width*height*3))==NULL)
   longjmp(jerr.setjmp_buffer,1);
 
 jpeg_start_decompress(&cinfo);
diff -urN xzgv-0.8/src/readmrf.c xzgv/src/readmrf.c
--- xzgv-0.8/src/readmrf.c	Sat Oct  7 14:26:55 2000
+++ xzgv/src/readmrf.c	Wed Dec 15 03:30:46 2004
@@ -7,6 +7,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
+#include "reader.h"
 #include "readmrf.h"
 
 
@@ -91,7 +92,8 @@
 w64=(w+63)/64;
 h64=(h+63)/64;
 
-if((*bmap=malloc(w*h*3))==NULL ||
+if(WH_BAD(w64*64,h64*64) || WH_BAD(w,h) ||
+   (*bmap=malloc(w*h*3))==NULL ||
    (image=calloc(w64*h64*64*64,1))==NULL)
   {
   if(*bmap) free(*bmap),*bmap=NULL;
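Review bot: With `WH_BAD(...)` placed first in the condition, a rejected size short-circuits before `*bmap=malloc(...)` runs, yet the failure branch still executes `if(*bmap) free(*bmap),*bmap=NULL;`. Before this change `*bmap` had always been assigned by the time that line ran; now, unless it is cleared earlier in the function (not visible in the hunk), it holds whatever the caller passed in, which may be uninitialised or memory the caller still owns. Adding `*bmap=NULL; image=NULL;` ahead of the `if` keeps the cleanup well defined; the branch continues past the end of the hunk, so its handling of `image` should be checked too. The readjpeg.c and readpng.c hunks likewise leave `*imagep` and `*theimageptr` unassigned on the rejected path, so their error handlers and callers deserve the same look.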
diff -urN xzgv-0.8/src/readpng.c xzgv/src/readpng.c
--- xzgv-0.8/src/readpng.c	Thu Jul 10 16:13:43 2003
+++ xzgv/src/readpng.c	Wed Dec 15 03:32:46 2004
@@ -16,6 +16,7 @@
 #include <stdlib.h>
 #include <png.h>
 #include <setjmp.h>	/* after png.h to avoid horrible thing in pngconf.h */
+#include "reader.h"
 #include "readpng.h"
 
 
@@ -129,7 +130,8 @@
   }
 
 /* allocate image memory */
-if((*theimageptr=theimage=malloc(width*height*3))==NULL)
+if(WH_BAD(width,height) ||
+   (*theimageptr=theimage=malloc(width*height*3))==NULL)
   {
   png_read_end(png_ptr,info_ptr);
   png_destroy_read_struct(&png_ptr,&info_ptr,NULL);
diff -urN xzgv-0.8/src/readprf.c xzgv/src/readprf.c
--- xzgv-0.8/src/readprf.c	Mon Apr  9 19:08:19 2001
+++ xzgv/src/readprf.c	Wed Dec 15 03:30:46 2004
@@ -7,6 +7,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
+#include "reader.h"
 #include "readprf.h"
 
 #define squaresize	64
@@ -164,7 +165,7 @@
   bytepp=1;
 
 n=width*squaresize;
-if((planebuf[0]=calloc(n,planes))==NULL)
+if(WH_BAD(width,height) || (planebuf[0]=calloc(n,planes))==NULL)
   {
   fclose(in);
   return(0);
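Review bot: `n=width*squaresize;` is computed before `WH_BAD(width,height)` is evaluated, so the multiplication on an unvalidated width still runs, and can overflow, even though its result is then discarded. Putting the range check ahead of the first arithmetic on header values, e.g. `if(WH_BAD(width,height)) { fclose(in); return(0); }` placed before `n=...`, makes the validation cover everything derived from the file. readtiff.c has the same ordering with `numpix=width*height;`. readmrf.c derives `w64`/`h64` and tests `WH_BAD(w64*64,h64*64)` before `WH_BAD(w,h)`. The enclosing function starts and ends outside this hunk.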
@@ -173,6 +174,7 @@
 for(f=1;f<planes;f++)
   planebuf[f]=planebuf[f-1]+n;
 
+/* width/height already checked above */
 if((*theimageptr=malloc(width*height*3))==NULL)
   {
   free(planebuf[0]);
diff -urN xzgv-0.8/src/readtiff.c xzgv/src/readtiff.c
--- xzgv-0.8/src/readtiff.c	Thu Dec 28 03:20:55 2000
+++ xzgv/src/readtiff.c	Wed Dec 15 03:30:46 2004
@@ -11,7 +11,7 @@
 #include <setjmp.h>
 #include <sys/file.h>  /* for open et al */
 #include <tiffio.h>
-
+#include "reader.h"
 #include "readtiff.h"
 
 
@@ -36,7 +36,8 @@
  * spare for the flip afterwards.
  */
 numpix=width*height;
-if((image=malloc(numpix*sizeof(uint32)+width*3))==NULL)
+if(WH_BAD(width,height) ||
+   (image=malloc(numpix*sizeof(uint32)+width*3))==NULL)
   {
   TIFFClose(in);
   return(0);


--- NEW FILE xzgv.spec ---
Summary:   A GTK+/Imlib-based picture viewer for X
Name:      xzgv
Version:   0.8
Release:   4%{?dist}
License:   GPL
Group:     Applications/Multimedia
Source:    ftp://ftp.ibiblio.org/pub/Linux/apps/graphics/viewers/X/%{name}-%{version}.tar.gz
Patch0:    http://rus.members.beeb.net/xzgv-0.8-integer-overflow-fix.diff
URL:       http://rus.members.beeb.net/xzgv.html
Requires:  xterm gnome-icon-theme
Requires(post): /sbin/install-info
Requires(preun): /sbin/install-info
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: gtk+-devel imlib-devel libpng-devel desktop-file-utils

%description
A picture viewer for X, with a thumbnail-based file selector. It uses
GTK+ and Imlib. Most file formats are supported, and the thumbnails
used are compatible with xv, zgv, and the Gimp.

%prep

%setup -q
%patch0 -p1

%build
sed -i 's|^CFLAGS.*|CFLAGS=%{optflags}|' config.mk
make %{?_smp_flags}
%{__cat} <<EOF > %{name}.desktop
[Desktop Entry]
Encoding=UTF-8
Name=xzgv Image Viewer
Comment=View different types of images
Exec=xzgv
Icon=image-viewer.png
Terminal=false
Type=Application
Categories=GTK;Graphics;RasterGraphics;Viewer;
EOF

%install
%{__rm} -rf %{buildroot}

%{__install} -d -m 0755 %{buildroot}%{_datadir}/applications/
%{__install} -m 0644 %{name}.desktop %{buildroot}%{_datadir}/applications

make PREFIX=%{buildroot}/%{_prefix}      \
     MANDIR=%{buildroot}/%{_mandir}/man1 \
     INFODIR=%{buildroot}/%{_infodir}    \
     INFO_DIR_UPDATE=no install

chmod 0644 AUTHORS COPYING NEWS README TODO ChangeLog 

desktop-file-install --vendor fedora --delete-original \
  --dir %{buildroot}%{_datadir}/applications           \
  %{buildroot}%{_datadir}/applications/%{name}.desktop


%post
/sbin/install-info %{_infodir}/xzgv.gz %{_infodir}/dir || :

%postun
if [ "$1" = 0 ]; then
   /sbin/install-info --delete %{_infodir}/xzgv.gz %{_infodir}/dir || :
fi

%clean
%{__rm} -rf %{buildroot}

%files
%defattr (-, root, root, -)
%doc AUTHORS COPYING NEWS README TODO ChangeLog
%{_bindir}/%{name}
%{_mandir}/man1/%{name}*
%{_infodir}/*
%{_datadir}/applications/fedora-%{name}.desktop

%changelog
* Tue Jul 03 2007 Terje Rosten <terjeros at phys.ntnu.no> - 0.8-4
- add gnome-icon-theme to req

* Sun Jul 01 2007 Terje Rosten <terjeros at phys.ntnu.no> - 0.8-3
- really add AUTHORS and NEWS to %%doc
- use image-viewer.png from gnome-icon-theme as icon
- help system need xterm

* Wed Jun 20 2007 Terje Rosten <terjeros at phys.ntnu.no> - 0.8-2
- add AUTHORS and NEWS to %%doc
- fix scriplets
- add buildreq: desktop-file-utils
- add smp_mflags macro
- remove app categori from desktop file
- switch icon to eog

* Mon Jun 18 2007 Terje Rosten <terjeros at phys.ntnu.no> - 0.8-1
- 0.8
- add integer overflow patch
- cleanup description
- add correct buildrequires
- desktop file
- add req for post, preun

* Thu Jan  3 2002 Aleksey Nogin <ayn2 at cornell.edu> - 0.7-3.rh
- Borrowed the SPEC from Mandrake
- Minor updates
- Added info files to the package

* Fri Nov 30 2001 Yves Duret <yduret at mandrakesoft.com> - 0.7-2mdk
- rebuild against libpng3
- really fix doc perm aka etienne sux

* Thu Aug 23 2001 Etienne Faure <etienne at mandrakesoft.com> - 0.7-1mdk
- 0.7
- fix doc permissions

* Sat Jan 06 2001 David BAUDENS <baudens at mandrakesoft.com> - 0.6-2mdk
- ExclusiveArch: %%ix86
- Fix group
- %%setup -q
- Fix %%postun
- Spec clean up

* Mon Nov 06 2000 Lenny Cartier <lenny at mandrakesoft.com> - 0.6-1mdk
- new in contribs
- add menu entry


Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/xzgv/devel/.cvsignore,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- .cvsignore	4 Jul 2007 01:46:47 -0000	1.1
+++ .cvsignore	4 Jul 2007 16:53:26 -0000	1.2
@@ -0,0 +1 @@
+xzgv-0.8.tar.gz


Index: sources
===================================================================
RCS file: /cvs/extras/rpms/xzgv/devel/sources,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sources	4 Jul 2007 01:46:47 -0000	1.1
+++ sources	4 Jul 2007 16:53:26 -0000	1.2
@@ -0,0 +1 @@
+e392277f1447076402df2e3d9e782cb2  xzgv-0.8.tar.gz



