SECURITY: gdk-pixbuf fixes for GTK+2
- To: ports_(_at_)_openbsd_(_dot_)_org
- Subject: SECURITY: gdk-pixbuf fixes for GTK+2
- From: Marc Matteo <marcm_(_at_)_lectroid_(_dot_)_net>
- Date: Mon, 20 Sep 2004 10:27:58 -0700 (PDT)
Timing is everything...
Attached is a diff for the in-tree GTK+2 to fix the various integer and
stack overflows dealing with maliciously crafted XPM and ICO files.
Now here's the timing part: I can't actually test this for a few days. In
fact, while you can link to the diff on my home server
(http://www.lectroid.net/ports/gtk+2.diff) my server will be offline along
with the rest of my systems through some minor construction on my place of
residence over the next few days.
So, please test and if it is not committed by others beforehand... I'll
get to it when I resurface later in the week.
Thanks,
Marc
Index: Makefile
===================================================================
RCS file: /pub/cvs/ports/x11/gtk+2/Makefile,v
retrieving revision 1.17
diff -u -r1.17 Makefile
--- Makefile 16 Sep 2004 04:14:55 -0000 1.17
+++ Makefile 20 Sep 2004 16:57:43 -0000
@@ -6,6 +6,7 @@
COMMENT-docs= "gtk+-2 documentation"
VERSION= 2.4.9
+PKGNAME= gtk+-${VERSION}p1
DISTNAME= gtk+-${VERSION}
PKGNAME= gtk+2-${VERSION}
PKGNAME-docs= gtk+2-docs-${VERSION}
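Review bot: the new `PKGNAME= gtk+-${VERSION}p1` line is placed above the existing `PKGNAME= gtk+2-${VERSION}` assignment, so the later assignment overrides it and the package name never gets the `p1` bump. The added value also spells the stem `gtk+-` where the existing line uses `gtk+2-`. Suggest editing the existing line to `PKGNAME= gtk+2-${VERSION}p1` rather than adding a second assignment, so that installed packages actually see the security update as a newer version.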
Index: patches/patch-gdk-pixbuf_io-ico_c
===================================================================
RCS file: patches/patch-gdk-pixbuf_io-ico_c
diff -N patches/patch-gdk-pixbuf_io-ico_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-gdk-pixbuf_io-ico_c 20 Sep 2004 16:55:46 -0000
@@ -0,0 +1,18 @@
+$OpenBSD$
+--- gdk-pixbuf/io-ico.c.orig Wed Aug 25 09:52:18 2004
++++ gdk-pixbuf/io-ico.c Mon Sep 20 09:55:18 2004
+@@ -323,6 +323,14 @@ static void DecodeHeader(guchar *Data, g
+
+ State->HeaderSize+=I;
+
++ if (State->HeaderSize < 0) {
++ g_set_error (error,
++ GDK_PIXBUF_ERROR,
++ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
++ _("Invalid header in icon"));
++ return;
++ }
++
+ if (State->HeaderSize>State->BytesInHeaderBuf) {
+ guchar *tmp=g_try_realloc(State->HeaderBuf,State->HeaderSize);
+ if (!tmp) {
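Review bot: the new `State->HeaderSize < 0` test runs after `State->HeaderSize+=I;`, so it only detects the overflow if the signed addition has already wrapped to a negative value, which C does not guarantee. Suggest validating before the addition, for example rejecting `I < 0` and `I > G_MAXINT - State->HeaderSize`, and then adding. A short comment saying that the check guards the size passed to `g_try_realloc` just below would also help the next reader.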
Index: patches/patch-gdk-pixbuf_io-xpm_c
===================================================================
RCS file: patches/patch-gdk-pixbuf_io-xpm_c
diff -N patches/patch-gdk-pixbuf_io-xpm_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-gdk-pixbuf_io-xpm_c 20 Sep 2004 16:55:46 -0000
@@ -0,0 +1,74 @@
+$OpenBSD$
+--- gdk-pixbuf/io-xpm.c.orig Wed Aug 25 09:52:18 2004
++++ gdk-pixbuf/io-xpm.c Mon Sep 20 09:55:10 2004
+@@ -1079,7 +1079,7 @@ xpm_extract_color (const gchar *buffer)
+ gint key = 0;
+ gint current_key = 1;
+ gint space = 128;
+- gchar word[128], color[128], current_color[128];
++ gchar word[129], color[129], current_color[129];
+ gchar *r;
+
+ word[0] = '\0';
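Review bot: the fix in `xpm_extract_color` depends on the three arrays being exactly one byte larger than `gint space = 128`, but nothing in the code ties the `129` to the `128`. Suggest a named constant for the maximum color-name length, or initialising `space` from `sizeof (color) - 1`, with a comment that the extra byte is for the terminating NUL that `strncat` writes, so a later edit to one number cannot silently reintroduce the one-byte overflow.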
+@@ -1121,8 +1121,8 @@ xpm_extract_color (const gchar *buffer)
+ return NULL;
+ /* accumulate color name */
+ if (color[0] != '\0') {
+- strcat (color, " ");
+- space--;
++ strncat (color, " ", space);
++ space -= MIN (space, 1);
+ }
+ strncat (color, word, space);
+ space -= MIN (space, strlen (word));
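Review bot: with `strncat (color, " ", space)` and `space -= MIN (space, 1)` the write is now bounded, but once `space` reaches 0 the remaining words are dropped silently and the truncated name is still used as the color. Suggest returning NULL (the function already does so a few lines above) when `space` is exhausted, so an over-long color specification is rejected as corrupt instead of being parsed as a different, shorter name.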
+@@ -1246,27 +1246,43 @@ pixbuf_create_from_xpm (const gchar * (*
+ return NULL;
+
+ }
+- if (n_col <= 0) {
++ if (cpp <= 0 || cpp >= 32) {
+ g_set_error (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+- _("XPM file has invalid number of colors"));
++ _("XPM has invalid number of chars per pixel"));
+ return NULL;
+-
+ }
+- if (cpp <= 0 || cpp >= 32) {
++ if (n_col <= 0 || n_col >= G_MAXUINT / (cpp + 1)) {
+ g_set_error (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+- _("XPM has invalid number of chars per pixel"));
++ _("XPM file has invalid number of colors"));
+ return NULL;
+ }
+
+ /* The hash is used for fast lookups of color from chars */
+ color_hash = g_hash_table_new (g_str_hash, g_str_equal);
+
+- name_buf = g_new (gchar, n_col * (cpp + 1));
+- colors = g_new (XPMColor, n_col);
++ name_buf = g_try_malloc (n_col * (cpp + 1));
++ if (!name_buf) {
++ g_set_error (error,
++ GDK_PIXBUF_ERROR,
++ GDK_PIXBUF_ERROR_INSUFFICIENT_MEMORY,
++ _("Cannot allocate memory for loading XPM image"));
++ g_hash_table_destroy (color_hash);
++ return NULL;
++ }
++ colors = (XPMColor *) g_try_malloc (sizeof (XPMColor) * n_col);
++ if (!colors) {
++ g_set_error (error,
++ GDK_PIXBUF_ERROR,
++ GDK_PIXBUF_ERROR_INSUFFICIENT_MEMORY,
++ _("Cannot allocate memory for loading XPM image"));
++ g_hash_table_destroy (color_hash);
++ g_free (name_buf);
++ return NULL;
++ }
+
+ for (cnt = 0; cnt < n_col; cnt++) {
+ gchar *color_name;
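Review bot: the new bound `n_col >= G_MAXUINT / (cpp + 1)` only protects the `name_buf` size; the second allocation, `sizeof (XPMColor) * n_col`, is not covered by it and can still wrap where `sizeof (XPMColor)` is larger than `cpp + 1` (for small `cpp` that is likely). Suggest adding `n_col >= G_MAXUINT / sizeof (XPMColor)` to the same condition. Also, if `n_col` and `cpp` are signed, as the `<= 0` tests suggest, the product `n_col * (cpp + 1)` is computed in signed arithmetic and a limit based on `G_MAXUINT` lets it exceed the signed range; `G_MAXINT` would be the safer bound. The cleanup on the two failure paths (destroying `color_hash`, freeing `name_buf`) looks complete.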