rpms/compat-wxGTK26/devel wxGTK-2.6.4-CVE-2009-2369.patch, NONE, 1.1 compat-wxGTK26.spec, 1.27, 1.28
Michael Schwendt
mschwendt at fedoraproject.org
Wed Jul 15 19:11:35 UTC 2009
Author: mschwendt
Update of /cvs/extras/rpms/compat-wxGTK26/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv30207
Modified Files:
compat-wxGTK26.spec
Added Files:
wxGTK-2.6.4-CVE-2009-2369.patch
Log Message:
* Wed Jul 15 2009 Michael Schwendt <mschwendt at fedoraproject.org> - 2.6.4-10
- apply rediffed fix for CVE-2009-2369 (#511279)
wxGTK-2.6.4-CVE-2009-2369.patch:
--- NEW FILE wxGTK-2.6.4-CVE-2009-2369.patch ---
diff -Nur wxGTK-2.6.4-orig/src/common/imagpng.cpp wxGTK-2.6.4/src/common/imagpng.cpp
--- wxGTK-2.6.4-orig/src/common/imagpng.cpp 2007-03-20 16:50:01.000000000 +0100
+++ wxGTK-2.6.4/src/common/imagpng.cpp 2009-07-15 21:07:50.000000000 +0200
@@ -570,18 +570,16 @@
if (!image->Ok())
goto error;
- lines = (unsigned char **)malloc( (size_t)(height * sizeof(unsigned char *)) );
+ // initialize all line pointers to NULL to ensure that they can be safely
+ // free()d if an error occurs before all of them could be allocated
+ lines = (unsigned char **)calloc(height, sizeof(unsigned char *));
if ( !lines )
goto error;
for (i = 0; i < height; i++)
{
if ((lines[i] = (unsigned char *)malloc( (size_t)(width * (sizeof(unsigned char) * 4)))) == NULL)
- {
- for ( unsigned int n = 0; n < i; n++ )
- free( lines[n] );
goto error;
- }
}
png_read_image( png_ptr, lines );
diff -Nur wxGTK-2.6.4-orig/src/common/imagtiff.cpp wxGTK-2.6.4/src/common/imagtiff.cpp
--- wxGTK-2.6.4-orig/src/common/imagtiff.cpp 2007-03-20 16:50:01.000000000 +0100
+++ wxGTK-2.6.4/src/common/imagtiff.cpp 2009-07-15 21:08:08.000000000 +0200
@@ -232,15 +232,25 @@
}
uint32 w, h;
- uint32 npixels;
uint32 *raster;
TIFFGetField( tif, TIFFTAG_IMAGEWIDTH, &w );
TIFFGetField( tif, TIFFTAG_IMAGELENGTH, &h );
- npixels = w * h;
+ // guard against integer overflow during multiplication which could result
+ // in allocating a too small buffer and then overflowing it
+ const double bytesNeeded = (double)w * (double)h * sizeof(uint32);
+ if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ )
+ {
+ if ( verbose )
+ wxLogError( _("TIFF: Image size is abnormally big.") );
+
+ TIFFClose(tif);
+
+ return false;
+ }
- raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) );
+ raster = (uint32*) _TIFFmalloc( bytesNeeded );
if (!raster)
{
Index: compat-wxGTK26.spec
===================================================================
RCS file: /cvs/extras/rpms/compat-wxGTK26/devel/compat-wxGTK26.spec,v
retrieving revision 1.27
retrieving revision 1.28
diff -u -p -r1.27 -r1.28
--- compat-wxGTK26.spec 11 Jun 2009 11:35:21 -0000 1.27
+++ compat-wxGTK26.spec 15 Jul 2009 19:11:35 -0000 1.28
@@ -1,6 +1,6 @@
Name: compat-wxGTK26
Version: 2.6.4
-Release: 9%{?dist}
+Release: 10%{?dist}
Summary: GTK2 port of the wxWidgets GUI library
# The wxWindows licence is the LGPL with a specific exemption allowing
# distribution of derived binaries under any terms. (This will eventually
@@ -18,6 +18,7 @@ Patch5: wxGTK-2.6.3-expat2.patch
Patch6: wxGTK-2.6.3-strconv.patch
Patch7: wxGTK-2.6.4-config-script.patch
Patch8: wxGTK-2.6.4-gsocket-conflict.patch
+Patch9: wxGTK-2.6.4-CVE-2009-2369.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: gtk2-devel, zlib-devel >= 1.1.4
@@ -57,6 +58,8 @@ This package include files needed to lin
%patch6 -p1 -b .strconv
%patch7 -p1 -b .config-script
%patch8 -p1 -b .gsocket-conflict
+# http://trac.wxwidgets.org/ticket/10993
+%patch9 -p1 -b .CVE-2009-2369
sed -i -e 's|/usr/lib\b|%{_libdir}|' configure
@@ -205,6 +208,9 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Wed Jul 15 2009 Michael Schwendt <mschwendt at fedoraproject.org> - 2.6.4-10
+- apply rediffed fix for CVE-2009-2369 (#511279)
+
* Thu Jun 11 2009 Michael Schwendt <mschwendt at fedoraproject.org> - 2.6.4-9
- glib2 2.21.1's gio in Rawhide F-12 introduces a GSocket that
conflicts with wxGTK's GSocket class (gsocket.h): reduce the glib/gdk
More information about the scm-commits
mailing list