[gimp] harden PSP plugin against bogus input data

Nils Philippsen nphilipp at fedoraproject.org
Mon May 23 14:01:14 UTC 2011


commit 4af8fc1a3c9a3488254acca77237860d55420c2f
Author: Nils Philippsen <nils at redhat.com>
Date:   Mon May 23 15:57:56 2011 +0200

    harden PSP plugin against bogus input data
    
    (CVE-2010-4543, CVE-2011-1782)

 gimp-2.6.11-psp-overflow.patch |   45 ++++++++++++++++++++++++++++++++++++++++
 gimp.spec                      |    7 ++++++
 2 files changed, 52 insertions(+), 0 deletions(-)
---
diff --git a/gimp-2.6.11-psp-overflow.patch b/gimp-2.6.11-psp-overflow.patch
new file mode 100644
index 0000000..8ced9d0
--- /dev/null
+++ b/gimp-2.6.11-psp-overflow.patch
@@ -0,0 +1,45 @@
+From 282feeae8df77bae287284f74e9f9c54d21e6d8d Mon Sep 17 00:00:00 2001
+From: Nils Philippsen <nils at redhat.com>
+Date: Mon, 23 May 2011 15:52:48 +0200
+Subject: [PATCH] patch: psp-overflow
+
+Squashed commit of the following:
+
+commit c5b7e71d89c60a329d4db05f8ddb4610eab013d6
+Author: Nils Philippsen <nils at redhat.com>
+Date:   Fri May 13 17:08:02 2011 +0200
+
+    file-psp: fix overflow protection (CVE-2011-1782)
+
+    amends commit 48ec15890e1751dede061f6d1f469b6508c13439, related to
+    CVE-2010-4543
+    (cherry picked from commit f657361db04de69ce003328724c59e3f942d7d15)
+
+commit ab592eb5015f81defdd1e74cd5bcc7edfcd7ebf7
+Author: Simon Budig <simon at budig.de>
+Date:   Mon Feb 14 21:46:31 2011 +0100
+
+    file-psp: fix for bogus input data. Fixes bug #639203
+    (cherry picked from commit 48ec15890e1751dede061f6d1f469b6508c13439)
+---
+ plug-ins/common/file-psp.c |    4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
+index db12770..4931c87 100644
+--- a/plug-ins/common/file-psp.c
++++ b/plug-ins/common/file-psp.c
+@@ -1244,6 +1244,10 @@ read_channel_data (FILE       *f,
+             }
+           else
+             fread (buf, runcount, 1, f);
++
++          /* prevent buffer overflow for bogus data */
++          runcount = MIN (runcount, (endq - q) / bytespp);
++
+           if (bytespp == 1)
+             {
+               memmove (q, buf, runcount);
+-- 
+1.7.5.1
+
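Review bot: In the embedded file-psp.c hunk, the new clamp on `runcount` sits after `fread (buf, runcount, 1, f)`, so it bounds only the copy into `q`; the read into `buf` still uses the unclamped count, and its return value is ignored. The allocation of `buf` is outside the hunk, so it should be confirmed that the largest `runcount` reaching this `fread` fits in it. On a truncated file the following `memmove` copies whatever `buf` already held; a check such as `if (runcount > 0 && fread (buf, runcount, 1, f) != 1)`, leading to whatever error return read_channel_data uses, would cover the short read. The comment could also say what is bounded, e.g. `/* clamp the run to the space left in the destination (q..endq); buf is not covered */`. read_channel_data begins and ends outside the hunk.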
diff --git a/gimp.spec b/gimp.spec
index 64cc924..7c972bf 100644
--- a/gimp.spec
+++ b/gimp.spec
@@ -147,6 +147,9 @@ Patch5:         gimp-2.6.11-colorxhtml.patch
 Patch6:         gimp-2.6.11-pyslice.patch
 # backport: work with poppler-0.17, upstreamed
 Patch7:         gimp-2.6.11-poppler-0.17.patch
+# backport: CVE-2010-4543, CVE-2011-1782
+# harden PSP plugin against bogus input data
+Patch8:         gimp-2.6.11-psp-overflow.patch
 # files changed by autoreconf after applying the above
 Patch10:        gimp-2.6.11-11-autoreconf.patch.bz2
 
@@ -236,6 +239,7 @@ EOF
 %patch5 -p1 -b .colorxhtml
 %patch6 -p1 -b .pyslice
 %patch7 -p1 -b .poppler-0.17
+%patch8 -p1 -b .psp-overflow
 
 %patch10 -p1 -b .autoreconf
 
@@ -503,6 +507,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 %{_libdir}/gimp/%{interfacever}/plug-ins/help-browser
 
 %changelog
+* Mon May 23 2011 Nils Philippsen <nils at redhat.com> - 2:2.6.11-13
+- harden PSP plugin against bogus input data (CVE-2010-4543, CVE-2011-1782)
+
 * Sat May 07 2011 Christopher Aillon <caillon at redhat.com> - 2:2.6.11-12
 - Update desktop database, icon cache scriptlets
 

