rpms/xemacs/devel xemacs-21.5.29-image-overflow.patch, NONE, 1.1 xemacs-21.5.29-no-xft.patch, NONE, 1.1 xemacs-21.5.25-mk-nochk-features.patch, 1.1, 1.2 xemacs-21.5.25-x-paths.patch, 1.1, 1.2 xemacs-21.5.28-courier-default.patch, 1.2, 1.3 xemacs.spec, 1.50, 1.51

Jerry James jjames at fedoraproject.org
Mon Aug 24 21:11:52 UTC 2009


Author: jjames

Update of /cvs/pkgs/rpms/xemacs/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv5098

Modified Files:
	xemacs-21.5.25-mk-nochk-features.patch 
	xemacs-21.5.25-x-paths.patch 
	xemacs-21.5.28-courier-default.patch xemacs.spec 
Added Files:
	xemacs-21.5.29-image-overflow.patch 
	xemacs-21.5.29-no-xft.patch 
Log Message:
* Mon Aug 24 2009 Jerry James <loganjerry at gmail.com> - 21.5.29-3
- Fix image overflow bug (CVE-2009-2688).
- Fix calling xft-font-create-object in non-Xft builds (#512623).
- Rebase patches to eliminate fuzz/offsets.


xemacs-21.5.29-image-overflow.patch:
 glyphs-eimage.c |   24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

--- NEW FILE xemacs-21.5.29-image-overflow.patch ---
--- xemacs-21.5.29/src/glyphs-eimage.c	2009-05-18 08:51:08.000000000 -0600
+++ xemacs-21.5.29/src/glyphs-eimage.c	2009-08-24 10:21:21.274947236 -0600
@@ -409,6 +409,7 @@
    */
 
   {
+    UINT_64_BIT pixels_sq;
     int jpeg_gray = 0;		/* if we're dealing with a grayscale */
     /* Step 4: set parameters for decompression.   */
 
@@ -431,7 +432,10 @@
     jpeg_start_decompress (&cinfo);
 
     /* Step 6: Read in the data and put into EImage format (8bit RGB triples)*/
-
+    pixels_sq =
+      (UINT_64_BIT) cinfo.output_width * (UINT_64_BIT) cinfo.output_height;
+    if (pixels_sq > ((size_t) -1) / 3)
+      signal_image_error ("JPEG image too large to instantiate", instantiator);
     unwind.eimage =
       xnew_binbytes (cinfo.output_width * cinfo.output_height * 3);
     if (!unwind.eimage)
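Review bot: The new guard compares the 64-bit product against `((size_t) -1) / 3`, but the allocation immediately below still evaluates `cinfo.output_width * cinfo.output_height * 3` in the original operand type (JDIMENSION is `unsigned int` in libjpeg), so on an LP64 build the check passes for any product below 2^64/3 while the multiplication can still wrap at 32 bits and hand xnew_binbytes a short buffer that the row loop after the hunk then overruns. Reuse the wide value the way the PNG and TIFF hunks already do: `xnew_binbytes ((size_t) pixels_sq * 3);`. libjpeg's default JPEG_MAX_DIMENSION of 65500 per axis bounds the product below 2^33 but not below 2^32, so the wrap is reachable in principle; whether some earlier check rejects such headers is not visible here. The enclosing function continues outside the hunk.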
@@ -677,6 +681,7 @@
   {
     ColorMapObject *cmo = unwind.giffile->SColorMap;
     int i, j, row, pass, interlace, slice;
+    UINT_64_BIT pixels_sq;
     Binbyte *eip;
     /* interlaced gifs have rows in this order:
        0, 8, 16, ..., 4, 12, 20, ..., 2, 6, 10, ..., 1, 3, 5, ...  */
@@ -685,6 +690,9 @@
 
     height = unwind.giffile->SHeight;
     width = unwind.giffile->SWidth;
+    pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
+    if (pixels_sq > ((size_t) -1) / (3 * unwind.giffile->ImageCount))
+      signal_image_error ("GIF image too large to instantiate", instantiator);
     unwind.eimage =
       xnew_binbytes (width * height * 3 * unwind.giffile->ImageCount);
     if (!unwind.eimage)
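Review bot: The divisor `3 * unwind.giffile->ImageCount` in the new check is an `int` expression that is zero for a file declaring no images, which makes the division undefined, and the allocation below still computes `width * height * 3 * unwind.giffile->ImageCount` in `int` (giflib's GifWord is `int`) even though the overflow test was done in 64 bits, so on 64-bit builds any product between 2^31 and 2^64/3 passes the check and then overflows signed arithmetic before reaching xnew_binbytes. Guard the count and reuse the wide product: `if (unwind.giffile->ImageCount <= 0 || pixels_sq > ((size_t) -1) / 3 / (size_t) unwind.giffile->ImageCount)` followed by `xnew_binbytes ((size_t) pixels_sq * 3 * (size_t) unwind.giffile->ImageCount);`. Whether DGifSlurp already rejects an ImageCount of zero earlier in this function is not visible from the hunk. The enclosing function continues outside the hunk.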
@@ -948,11 +956,15 @@
   {
     int y;
     Binbyte **row_pointers;
+    UINT_64_BIT pixels_sq;
     height = info_ptr->height;
     width = info_ptr->width;
+    pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
+    if (pixels_sq > ((size_t) -1) / 3)
+      signal_image_error ("PNG image too large to instantiate", instantiator);
 
     /* Wow, allocate all the memory.  Truly, exciting. */
-    unwind.eimage = xnew_array_and_zero (Binbyte, width * height * 3);
+    unwind.eimage = xnew_array_and_zero (Binbyte, (size_t) (pixels_sq * 3));
     /* libpng expects that the image buffer passed in contains a
        picture to draw on top of if the png has any transparencies.
        This could be a good place to pass that in... */
@@ -1299,6 +1311,7 @@
 
     uint32 *raster;
     Binbyte *ep;
+    UINT_64_BIT pixels_sq;
 
     assert (!NILP (data));
 
@@ -1321,12 +1334,15 @@
 
     TIFFGetField (unwind.tiff, TIFFTAG_IMAGEWIDTH, &width);
     TIFFGetField (unwind.tiff, TIFFTAG_IMAGELENGTH, &height);
-    unwind.eimage = xnew_binbytes (width * height * 3);
+    pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
+    if (pixels_sq >= 1 << 29)
+      signal_image_error ("TIFF image too large to instantiate", instantiator);
+    unwind.eimage = xnew_binbytes ((size_t) pixels_sq * 3);
 
     /* #### This is little more than proof-of-concept/function testing.
        It needs to be reimplemented via scanline reads for both memory
        compactness. */
-    raster = (uint32*) _TIFFmalloc (width * height * sizeof (uint32));
+    raster = (uint32*) _TIFFmalloc ((tsize_t) (pixels_sq * sizeof (uint32)));
     if (raster != NULL)
       {
 	int i, j;
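Review bot: The new `pixels_sq >= 1 << 29` limit is an unexplained magic number and is the only one of the four checks not expressed in terms of `(size_t) -1`; it looks chosen so that `pixels_sq * sizeof (uint32)` stays below 2^31 for the `tsize_t` cast on the _TIFFmalloc line (a signed 32-bit type in libtiff 3.x), and that reasoning should be recorded, e.g. `/* keep pixels * 4 < 2^31 so the tsize_t passed to _TIFFmalloc cannot go negative */`. Separately, the return values of the two TIFFGetField calls that feed width and height are unchecked; if either tag is absent and the variables are not initialised earlier (their declarations are outside the hunk), pixels_sq is computed from indeterminate values. Something like `if (!TIFFGetField (unwind.tiff, TIFFTAG_IMAGEWIDTH, &width) || !TIFFGetField (unwind.tiff, TIFFTAG_IMAGELENGTH, &height)) signal_image_error ("TIFF image has no dimensions", instantiator);` would close that, though the unchecked calls predate this change. The enclosing function continues outside the hunk.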

xemacs-21.5.29-no-xft.patch:
 font.el |    1 +
 1 file changed, 1 insertion(+)

--- NEW FILE xemacs-21.5.29-no-xft.patch ---
--- xemacs-21.5.29/lisp/font.el	2009-05-18 08:51:06.000000000 -0600
+++ xemacs-21.5.29/lisp/font.el	2009-08-24 13:24:14.634385245 -0600
@@ -582,6 +582,7 @@
     (if (or (not (stringp fontname))
 	    (not (string-match font-x-font-regexp fontname)))
 	(if (and (stringp fontname)
+		 (featurep 'xft-fonts)
 		 (string-match font-xft-font-regexp fontname))
 	    ;; Return an XFT font. 
 	    (xft-font-create-object fontname)

xemacs-21.5.25-mk-nochk-features.patch:
 Makefile.in.in |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: xemacs-21.5.25-mk-nochk-features.patch
===================================================================
RCS file: /cvs/pkgs/rpms/xemacs/devel/xemacs-21.5.25-mk-nochk-features.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- xemacs-21.5.25-mk-nochk-features.patch	6 Apr 2006 16:27:53 -0000	1.1
+++ xemacs-21.5.25-mk-nochk-features.patch	24 Aug 2009 21:11:51 -0000	1.2
@@ -1,6 +1,6 @@
 --- xemacs-21.5.25/Makefile.in.in.orig	2005-12-31 14:41:23.000000000 +0200
 +++ xemacs-21.5.25/Makefile.in.in	2006-03-30 23:53:48.000000000 +0300
-@@ -375,7 +375,7 @@
+@@ -387,7 +387,7 @@
  
  install-only: ${MAKE_SUBDIR} check-features install-arch-dep install-arch-indep
  

xemacs-21.5.25-x-paths.patch:
 Emacs.ad |    2 +-
 xemacs.1 |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

Index: xemacs-21.5.25-x-paths.patch
===================================================================
RCS file: /cvs/pkgs/rpms/xemacs/devel/xemacs-21.5.25-x-paths.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- xemacs-21.5.25-x-paths.patch	6 Apr 2006 16:27:53 -0000	1.1
+++ xemacs-21.5.25-x-paths.patch	24 Aug 2009 21:11:51 -0000	1.2
@@ -11,7 +11,7 @@
  ! personal customizations should be put into ~/.Xresources instead.)
 --- xemacs-21.5.25/etc/xemacs.1.orig	2001-04-12 21:20:52.000000000 +0300
 +++ xemacs-21.5.25/etc/xemacs.1	2006-03-30 23:36:47.000000000 +0300
-@@ -293,7 +293,7 @@
+@@ -288,7 +288,7 @@
  Sets the color of the text.
  
  See the file

xemacs-21.5.28-courier-default.patch:
 faces.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: xemacs-21.5.28-courier-default.patch
===================================================================
RCS file: /cvs/pkgs/rpms/xemacs/devel/xemacs-21.5.28-courier-default.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -p -r1.2 -r1.3
--- xemacs-21.5.28-courier-default.patch	12 Mar 2009 17:01:29 -0000	1.2
+++ xemacs-21.5.28-courier-default.patch	24 Aug 2009 21:11:51 -0000	1.3
@@ -1,7 +1,11 @@
---- src/faces.c	22 Apr 2007 19:58:59 -0000	1.55
-+++ src/faces.c	21 May 2007 14:51:50 -0000
-@@ -2399,3 +2399,3 @@
-        (list1 (device_symbol), 
+--- xemacs-21.5.28/src/faces.c	2009-05-18 14:51:08.000000000 -0000
++++ xemacs-21.5.28/src/faces.c	2009-08-24 17:07:03.000000000 -0000
+@@ -2411,7 +2411,7 @@
+       Fcons
+       (Fcons
+        (list1 (device_symbol),
 -	build_string ("-*-lucidatypewriter-medium-r-*-*-*-120-*-*-*-*-*-*")),
 +	build_string ("-*-courier-medium-r-*-*-*-120-*-*-*-*-*-*")),
         inst_list);
+ 
+ #endif /* !USE_XFT */


Index: xemacs.spec
===================================================================
RCS file: /cvs/pkgs/rpms/xemacs/devel/xemacs.spec,v
retrieving revision 1.50
retrieving revision 1.51
diff -u -p -r1.50 -r1.51
--- xemacs.spec	13 Aug 2009 11:46:46 -0000	1.50
+++ xemacs.spec	24 Aug 2009 21:11:52 -0000	1.51
@@ -21,7 +21,7 @@
 
 Name:           xemacs
 Version:        21.5.29
-Release:        2%{?snap:.%{snap}}%{?dist}
+Release:        3%{?snap:.%{snap}}%{?dist}
 Summary:        Different version of Emacs
 
 Group:          Applications/Editors
@@ -40,9 +40,13 @@ Source5:        xemacs-sitestart.el
 
 Patch0:         %{name}-21.5.26-utf8-fonts.patch
 Patch1:         %{name}-21.5.25-x-paths.patch
+# Applied upstream 2009-07-01
+Patch2:         %{name}-21.5.29-image-overflow.patch
 Patch3:         %{name}-21.5.25-mk-nochk-features.patch
 Patch4:         %{name}-21.5.27-no-expdyn-ia64-106744.patch
 Patch5:         %{name}-21.5.25-wnnfix-128362.patch
+# Sent upstream 2009-08-24
+Patch6:         %{name}-21.5.29-no-xft.patch
 Patch8:         %{name}-21.5.28-courier-default.patch
 Patch9:         %{name}-21.5.29-destdir.patch
 # Sent upstream 2009-03-12
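Review bot: The comment above the new `Patch2` line records only the date it was applied upstream; for a security fix the identifier should sit next to the patch so its purpose survives future rebases and upstream version bumps, e.g. `# CVE-2009-2688, applied upstream 2009-07-01`. The changelog carries the CVE, but the patch list is where a maintainer deciding whether Patch2 can be dropped will look first.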
@@ -200,6 +204,7 @@ rm -f configure.in
 sed -i -e /tetris/d lisp/menubar-items.el
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 %patch3 -p1
 %ifarch ia64
 touch -r aclocal.m4 aclocal.m4-stamp
@@ -207,7 +212,8 @@ touch -r aclocal.m4 aclocal.m4-stamp
 touch -r aclocal.m4-stamp aclocal.m4
 %endif
 %patch5 -p1
-%patch8 -p0 -F 1
+%patch6 -p1
+%patch8 -p1
 %patch9 -p1
 %patch14 -p1
 
@@ -552,6 +558,11 @@ fi
 
 
 %changelog
+* Mon Aug 24 2009 Jerry James <loganjerry at gmail.com> - 21.5.29-3
+- Fix image overflow bug (CVE-2009-2688).
+- Fix calling xft-font-create-object in non-Xft builds (#512623).
+- Rebase patches to eliminate fuzz/offsets.
+
 * Mon Jul 27 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 21.5.29-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
 



