[pl] Fix segfault in PutImagePixels32() while displaying malformed GIF
Petr Pisar
ppisar at fedoraproject.org
Wed Aug 24 15:37:18 UTC 2011
commit 29406e7433243a4f804f0e9080a321c9794dd307
Author: Petr Písař <ppisar at redhat.com>
Date: Wed Aug 24 17:35:50 2011 +0200
Fix segfault in PutImagePixels32() while displaying malformed GIF
pl.spec | 13 ++++-
...g-9-Loading-incomplete-GIF-files-causes-a.patch | 60 +++++++++++++++++++
...ke-sure-all-pixels-are-within-the-allocat.patch | 61 ++++++++++++++++++++
3 files changed, 133 insertions(+), 1 deletions(-)
---
diff --git a/pl.spec b/pl.spec
index 8e4b35f..4fecd32 100644
--- a/pl.spec
+++ b/pl.spec
@@ -6,7 +6,7 @@
Name: pl
Version: 5.10.5
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: SWI-Prolog - Edinburgh compatible Prolog compiler
@@ -27,6 +27,8 @@ Patch1: %{name}-5.10.5-jpl-configure.patch
Patch2: %{name}-5.10.5-man-files.patch
Patch3: %{name}-5.10.2-jni.patch
Patch4: %{name}-5.10.5-pc.patch
+Patch5: xpce-5.10.5-SECURITY-Bug-9-Loading-incomplete-GIF-files-causes-a.patch
+Patch6: xpce-5.10.5-SECURITY-Make-sure-all-pixels-are-within-the-allocat.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
# Base
@@ -134,6 +136,11 @@ in Prolog. In both setups it provides a re-entrant bidirectional interface.
%patch3 -p1 -b .jni
%patch4 -p1 -b .pc
(
+cd packages/xpce
+%patch5 -p1 -b .incomplete_gif
+%patch6 -p1 -b .validate_pixel_color
+)
+(
cd src
autoconf
)
@@ -306,6 +313,10 @@ rm -rf $RPM_BUILD_ROOT
%changelog
+* Wed Aug 24 2011 Petr Pisar <ppisar at redhat.com> - 5.10.5-2
+- Fix segfault in PutImagePixels32() while displaying malformed GIF (bug
+ #732952)
+
* Mon Aug 22 2011 Petr Pisar <ppisar at redhat.com> - 5.10.5-1
- 5.10.5 bump
- Adjust patches and remove merged ones
diff --git a/xpce-5.10.5-SECURITY-Bug-9-Loading-incomplete-GIF-files-causes-a.patch b/xpce-5.10.5-SECURITY-Bug-9-Loading-incomplete-GIF-files-causes-a.patch
new file mode 100644
index 0000000..7a55ca7
--- /dev/null
+++ b/xpce-5.10.5-SECURITY-Bug-9-Loading-incomplete-GIF-files-causes-a.patch
@@ -0,0 +1,60 @@
+From 797226335ec47573f80e84d0fbdf1536292868d0 Mon Sep 17 00:00:00 2001
+From: Jan Wielemaker <J.Wielemaker at cs.vu.nl>
+Date: Wed, 24 Aug 2011 14:08:17 +0200
+Subject: [PATCH 1/2] SECURITY: Bug#9: Loading incomplete GIF files causes an
+ invalid read. Petr Pisar.
+
+An incomplete image file causes part of the pixels to be uninitialised.
+As the pixels are entries in a colormap, this causes invalid reads.
+---
+ src/img/gifread.c | 19 ++++++++++++-------
+ 1 files changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/src/img/gifread.c b/src/img/gifread.c
+index 0e24e27..9c35f63 100644
+--- a/src/img/gifread.c
++++ b/src/img/gifread.c
+@@ -553,7 +553,9 @@ ReadImage(IOSTREAM *fd,
+ UCHAR c;
+ int color;
+ int xpos = 0, ypos = 0, pass = 0;
++ int lines = 0;
+ long curidx;
++ int last;
+
+ if ( !ReadOK(fd, &c, 1) || c > MAX_LZW_BITS )
+ { return GIF_INVALID;
+@@ -606,20 +608,23 @@ ReadImage(IOSTREAM *fd,
+ }
+ }
+ } else
+- {
+- ++ypos;
++ { ++ypos;
+ }
++ ++lines;
+ }
+ if (ypos >= height)
+- break;
++ goto fini;
+ }
++ return GIF_INVALID; /* short file */
+
+ fini:
++ if ( lines != height )
++ return GIF_INVALID;
+
+- if (LZWReadByte(fd, FALSE, c) >= 0)
+- {
++ if ( (last=LZWReadByte(fd, FALSE, c)) >= 0 )
++ { return GIF_OK; /* end is 0x3B, but we only read the */
++ } /* first image of animated GIFs */
+
+- }
+- return GIF_OK;
++ return GIF_INVALID;
+ }
+
+--
+1.7.6
+
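Review bot: `last` is assigned at `if ( (last=LZWReadByte(fd, FALSE, c)) >= 0 )` but never read afterwards, so the new `int last;` declaration only buys a set-but-unused warning; `if ( LZWReadByte(fd, FALSE, c) >= 0 )` keeps the same behaviour without it. The `lines != height` test at `fini:` is the check that actually closes the uninitialised-pixel read named in the patch subject, and it is reached only through the `goto fini` after `ypos >= height`, while the loop's fall-through is covered by the new `return GIF_INVALID; /* short file */`; that split deserves a comment on the label, e.g. `/* fini: reached only once ypos >= height; lines counts completed rows from both the interlaced and the sequential branch */`, since `++lines` sits after the if/else and runs for either branch. Whether each interlace pass advances `ypos` so that `lines` ends equal to `height` for a well-formed interlaced image cannot be confirmed from this hunk, as the interlace branch is above it; ReadImage's body starts and ends outside the hunk.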
diff --git a/xpce-5.10.5-SECURITY-Make-sure-all-pixels-are-within-the-allocat.patch b/xpce-5.10.5-SECURITY-Make-sure-all-pixels-are-within-the-allocat.patch
new file mode 100644
index 0000000..31dc43a
--- /dev/null
+++ b/xpce-5.10.5-SECURITY-Make-sure-all-pixels-are-within-the-allocat.patch
@@ -0,0 +1,61 @@
+From 4bc3a0a32132c04b11ad83f2b5847be83ab7364b Mon Sep 17 00:00:00 2001
+From: Jan Wielemaker <J.Wielemaker at cs.vu.nl>
+Date: Wed, 24 Aug 2011 14:40:31 +0200
+Subject: [PATCH 2/2] SECURITY: Make sure all pixels are within the allocated
+ colormap
+
+---
+ src/img/gifread.c | 10 ++++++++--
+ 1 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/img/gifread.c b/src/img/gifread.c
+index 9c35f63..5d4755e 100644
+--- a/src/img/gifread.c
++++ b/src/img/gifread.c
+@@ -69,6 +69,7 @@ static int LZWReadByte (IOSTREAM *fd,int flag, int input_code_size);
+ static int ReadImage(IOSTREAM *fd,
+ PIXEL *bigMemBuf,
+ int width, int height,
++ int ncolors,
+ int interlace);
+
+
+@@ -251,14 +252,14 @@ GIFReadFD(IOSTREAM *fd,
+ return rval;
+ }
+ /*read image */
+- if ( (rval=ReadImage(fd, bigBuf, w, h,
++ if ( (rval=ReadImage(fd, bigBuf, w, h, bitPixel,
+ BitSet((UCHAR) buf[8], INTERLACE))) != GIF_OK )
+ { setGifError("Error reading GIF file. LocalColorMap. Giving up");
+ pceFree(bigBuf);
+ return rval;
+ }
+ } else
+- { if ( (rval=ReadImage(fd, bigBuf, w, h,
++ { if ( (rval=ReadImage(fd, bigBuf, w, h, GifScreen.BitPixel,
+ BitSet((UCHAR) buf[8], INTERLACE))) != GIF_OK )
+ { setGifError("Error reading GIF file. GIFScreen Colormap. Giving up");
+ pceFree(bigBuf);
+@@ -548,6 +549,7 @@ static int
+ ReadImage(IOSTREAM *fd,
+ PIXEL *bigMemBuf,
+ int width, int height,
++ int ncolors,
+ int interlace)
+ {
+ UCHAR c;
+@@ -567,6 +569,10 @@ ReadImage(IOSTREAM *fd,
+ {
+ curidx = (long) xpos + (long) ypos *(long) width; /* optimize */
+
++ if ( color >= ncolors )
++ { /*Cprintf("Color %d; ncolors = %d\n", color, ncolors);*/
++ return GIF_INVALID;
++ }
+ bigMemBuf[curidx] = color;
+
+ ++xpos;
+--
+1.7.6
+
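Review bot: The new `color >= ncolors` check bounds only the upper side; `color` is an `int` and the loop that assigns it is not in the hunk, so whether a negative value is already excluded by the loop condition cannot be confirmed here — if it is not, `if ( color < 0 || color >= ncolors )` is the safer test before `bigMemBuf[curidx] = color;`. The commented-out `Cprintf(...)` line inside the new block is dead code; drop it or replace it with a one-line comment such as `/* pixel index outside the colormap declared for this image */`. The callers now pass `bitPixel` and `GifScreen.BitPixel` as `ncolors`; the names read like bit depths rather than entry counts, so it is worth confirming at the assignments (outside this hunk) that both hold the number of colormap entries, otherwise the bound rejects valid images. ReadImage's body continues outside the hunk.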