Startsida Utforska Hjälp
Logga in
milisarge
/
milislinux1
Bevaka 1
Stjärnmärk 0
Fork 0
Filer Ärenden 0 Pull-förfrågningar 0 Wiki
Träd: 3c04857d7a
Grenar Taggar
milislinux1
/
talimatname
/
genel
/
gegl2
/
gegl-0.2.0-CVE-2012-4433.patch

gegl-0.2.0-CVE-2012-4433.patch 4.8 KB
Historik

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160 
  1. From ffa77a246652c7e706d690682fe659f50fbe5656 Mon Sep 17 00:00:00 2001
    2. 

  2. From: Nils Philippsen <nils@redhat.com>
    3. 

  3. Date: Mon, 1 Jul 2013 12:03:51 +0200
    4. 

  4. Subject: [PATCH] patch: CVE-2012-4433
    5. 

  5. 

  6. Squashed commit of the following:
    7. 

  7. 

  8. commit 2a9071e2dc4cfe1aaa7a726805985281936f9874
    9. 

  9. Author: Nils Philippsen <nils@redhat.com>
    10. 

  10. Date:   Tue Oct 16 16:57:37 2012 +0200
    11. 

  11. 

  12.     ppm-load: bring comment in line with reality
    13. 

  13. 

  14.     (cherry picked from commit 6975a9cfeaf0698b42ac81b1c2f00d13c8755453)
    15. 

  15. 

  16. commit 8bb88ebf78e54837322d3be74688f98800e9f33a
    17. 

  17. Author: Nils Philippsen <nils@redhat.com>
    18. 

  18. Date:   Tue Oct 16 16:56:40 2012 +0200
    19. 

  19. 

  20.     ppm-load: CVE-2012-4433: add plausibility checks for header fields
    21. 

  21. 

  22.     Refuse values that are non-decimal, negative or overflow the target
    23. 

  23.     type.
    24. 

  24. 

  25.     (cherry picked from commit 4757cdf73d3675478d645a3ec8250ba02168a230)
    26. 

  26. 

  27. commit 2b099886969bf055a8635d06a4d89f20fed1ee42
    28. 

  28. Author: Nils Philippsen <nils@redhat.com>
    29. 

  29. Date:   Tue Oct 16 16:58:27 2012 +0200
    30. 

  30. 

  31.     ppm-load: CVE-2012-4433: don't overflow memory allocation
    32. 

  32. 

  33.     Carefully selected width/height values could cause the size of a later
    34. 

  34.     allocation to overflow, resulting in a buffer much too small to store
    35. 

  35.     the data which would then written beyond its end.
    36. 

  36. 

  37.     (cherry picked from commit 1e92e5235ded0415d555aa86066b8e4041ee5a53)
    38. 

  38. ---
    39. 

  39.  operations/external/ppm-load.c | 64 +++++++++++++++++++++++++++++++++++-------
    40. 

  40.  1 file changed, 54 insertions(+), 10 deletions(-)
    41. 

  41. 

  42. diff --git a/operations/external/ppm-load.c b/operations/external/ppm-load.c
    43. 

  43. index efe6d56..e22521c 100644
    44. 

  44. --- a/operations/external/ppm-load.c
    45. 

  45. +++ b/operations/external/ppm-load.c
    46. 

  46. @@ -36,6 +36,7 @@ gegl_chant_file_path (path, _("File"), "", _("Path of file to load."))
    47. 

  47.  #include "gegl-chant.h"
    48. 

  48.  #include <stdio.h>
    49. 

  49.  #include <stdlib.h>
    50. 

  50. +#include <errno.h>
    51. 

  51.  
    52. 

  52.  typedef enum {
    53. 

  53.    PIXMAP_ASCII  = 51,
    54. 

  54. @@ -44,8 +45,8 @@ typedef enum {
    55. 

  55.  
    56. 

  56.  typedef struct {
    57. 

  57.  	map_type   type;
    58. 

  58. -	gint       width;
    59. 

  59. -	gint       height;
    60. 

  60. +	glong      width;
    61. 

  61. +	glong      height;
    62. 

  62.          gsize      numsamples; /* width * height * channels */
    63. 

  63.          gsize      bpc;        /* bytes per channel */
    64. 

  64.  	guchar    *data;
    65. 

  65. @@ -61,7 +62,7 @@ ppm_load_read_header(FILE       *fp,
    66. 

  66.      gchar  header[MAX_CHARS_IN_ROW];
    67. 

  67.      gint   maxval;
    68. 

  68.  
    69. 

  69. -    /* Check the PPM file Type P2 or P5 */
    70. 

  70. +    /* Check the PPM file Type P3 or P6 */
    71. 

  71.      fgets (header,MAX_CHARS_IN_ROW,fp);
    72. 

  72.  
    73. 

  73.      if (header[0] != ASCII_P ||
    74. 

  74. @@ -82,12 +83,33 @@ ppm_load_read_header(FILE       *fp,
    75. 

  75.        }
    76. 

  76.  
    77. 

  77.      /* Get Width and Height */
    78. 

  78. -    img->width  = strtol (header,&ptr,0);
    79. 

  79. -    img->height = atoi (ptr);
    80. 

  80. -    img->numsamples = img->width * img->height * CHANNEL_COUNT;
    81. 

  81. +    errno = 0;
    82. 

  82. +    img->width  = strtol (header,&ptr,10);
    83. 

  83. +    if (errno)
    84. 

  84. +      {
    85. 

  85. +        g_warning ("Error reading width: %s", strerror(errno));
    86. 

  86. +        return FALSE;
    87. 

  87. +      }
    88. 

  88. +    else if (img->width < 0)
    89. 

  89. +      {
    90. 

  90. +        g_warning ("Error: width is negative");
    91. 

  91. +        return FALSE;
    92. 

  92. +      }
    93. 

  93. +
    94. 

  94. +    img->height = strtol (ptr,&ptr,10);
    95. 

  95. +    if (errno)
    96. 

  96. +      {
    97. 

  97. +        g_warning ("Error reading height: %s", strerror(errno));
    98. 

  98. +        return FALSE;
    99. 

  99. +      }
    100. 

  100. +    else if (img->width < 0)
    101. 

  101. +      {
    102. 

  102. +        g_warning ("Error: height is negative");
    103. 

  103. +        return FALSE;
    104. 

  104. +      }
    105. 

  105.  
    106. 

  106.      fgets (header,MAX_CHARS_IN_ROW,fp);
    107. 

  107. -    maxval = strtol (header,&ptr,0);
    108. 

  108. +    maxval = strtol (header,&ptr,10);
    109. 

  109.  
    110. 

  110.      if ((maxval != 255) && (maxval != 65535))
    111. 

  111.        {
    112. 

  112. @@ -109,6 +131,16 @@ ppm_load_read_header(FILE       *fp,
    113. 

  113.        g_warning ("%s: Programmer stupidity error", G_STRLOC);
    114. 

  114.      }
    115. 

  115.  
    116. 

  116. +    /* Later on, img->numsamples is multiplied with img->bpc to allocate
    117. 

  117. +     * memory. Ensure it doesn't overflow. */
    118. 

  118. +    if (!img->width || !img->height ||
    119. 

  119. +        G_MAXSIZE / img->width / img->height / CHANNEL_COUNT < img->bpc)
    120. 

  120. +      {
    121. 

  121. +        g_warning ("Illegal width/height: %ld/%ld", img->width, img->height);
    122. 

  122. +        return FALSE;
    123. 

  123. +      }
    124. 

  124. +    img->numsamples = img->width * img->height * CHANNEL_COUNT;
    125. 

  125. +
    126. 

  126.      return TRUE;
    127. 

  127.  }
    128. 

  128.  
    129. 

  129. @@ -229,12 +261,24 @@ process (GeglOperation       *operation,
    130. 

  130.    if (!ppm_load_read_header (fp, &img))
    131. 

  131.      goto out;
    132. 

  132.  
    133. 

  133. -  rect.height = img.height;
    134. 

  134. -  rect.width = img.width;
    135. 

  135. -
    136. 

  136.    /* Allocating Array Size */
    137. 

  137. +
    138. 

  138. +  /* Should use g_try_malloc(), but this causes crashes elsewhere because the
    139. 

  139. +   * error signalled by returning FALSE isn't properly acted upon. Therefore
    140. 

  140. +   * g_malloc() is used here which aborts if the requested memory size can't be
    141. 

  141. +   * allocated causing a controlled crash. */
    142. 

  142.    img.data = (guchar*) g_malloc (img.numsamples * img.bpc);
    143. 

  143.  
    144. 

  144. +  /* No-op without g_try_malloc(), see above. */
    145. 

  145. +  if (! img.data)
    146. 

  146. +    {
    147. 

  147. +      g_warning ("Couldn't allocate %" G_GSIZE_FORMAT " bytes, giving up.", ((gsize)img.numsamples * img.bpc));
    148. 

  148. +      goto out;
    149. 

  149. +    }
    150. 

  150. +
    151. 

  151. +  rect.height = img.height;
    152. 

  152. +  rect.width = img.width;
    153. 

  153. +
    154. 

  154.    switch (img.bpc)
    155. 

  155.      {
    156. 

  156.      case 1:
    157. 

  157. -- 
    158. 

  158. 1.8.3.1
    159. 

  159. 

  160.