imlib2: security bump to version 1.4.9
It already includes the fixes for CVE-2016-3994 and CVE-2011-5326 so drop the patches, and additionally fixes: CVE-2016-4024 - integer overflow in imlib2, which result in insufficient heap allocation. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This commit is contained in:
parent
2512fcf41f
commit
69a30b2817
@ -1,71 +0,0 @@
|
||||
From 37a96801663b7b4cd3fbe56cc0eb8b6a17e766a8 Mon Sep 17 00:00:00 2001
|
||||
From: Kim Woelders <kim@woelders.dk>
|
||||
Date: Sun, 3 Apr 2016 19:40:25 +0200
|
||||
Subject: [PATCH] GIF loader: Fix out-of-bound reads from colormap.
|
||||
|
||||
Bug-Debian: http://bugs.debian.org/785369
|
||||
Note: removes all special-casing from the inner loop, optimize for common case.
|
||||
Author: Yuriy M. Kaminskiy <yumkam+debian@gmail.com>
|
||||
Reported-By: Jakub Wilk <jwilk@debian.org>
|
||||
|
||||
Thanks to Bernhard U:belacker <bernhardu@vr-web.de> for analysis.
|
||||
|
||||
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
|
||||
---
|
||||
src/modules/loaders/loader_gif.c | 31 +++++++++++++++++--------------
|
||||
1 file changed, 17 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/src/modules/loaders/loader_gif.c b/src/modules/loaders/loader_gif.c
|
||||
index 638df59..4f08d64 100644
|
||||
--- a/src/modules/loaders/loader_gif.c
|
||||
+++ b/src/modules/loaders/loader_gif.c
|
||||
@@ -141,8 +141,24 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
|
||||
|
||||
if (im->loader || immediate_load || progress)
|
||||
{
|
||||
+ DATA32 colormap[256];
|
||||
+
|
||||
bg = gif->SBackGroundColor;
|
||||
cmap = (gif->Image.ColorMap ? gif->Image.ColorMap : gif->SColorMap);
|
||||
+ memset (colormap, 0, sizeof(colormap));
|
||||
+ if (cmap != NULL)
|
||||
+ {
|
||||
+ for (i = cmap->ColorCount > 256 ? 256 : cmap->ColorCount; i-- > 0;)
|
||||
+ {
|
||||
+ r = cmap->Colors[i].Red;
|
||||
+ g = cmap->Colors[i].Green;
|
||||
+ b = cmap->Colors[i].Blue;
|
||||
+ colormap[i] = (0xff << 24) | (r << 16) | (g << 8) | b;
|
||||
+ }
|
||||
+ /* if bg > cmap->ColorCount, it is transparent black already */
|
||||
+ if (transp >= 0 && transp < 256)
|
||||
+ colormap[transp] = bg >= 0 && bg < 256 ? colormap[bg] & 0x00ffffff : 0x00000000;
|
||||
+ }
|
||||
im->data = (DATA32 *) malloc(sizeof(DATA32) * w * h);
|
||||
if (!im->data)
|
||||
goto quit;
|
||||
@@ -161,20 +177,7 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
|
||||
{
|
||||
for (j = 0; j < w; j++)
|
||||
{
|
||||
- if (rows[i][j] == transp)
|
||||
- {
|
||||
- r = cmap->Colors[bg].Red;
|
||||
- g = cmap->Colors[bg].Green;
|
||||
- b = cmap->Colors[bg].Blue;
|
||||
- *ptr++ = 0x00ffffff & ((r << 16) | (g << 8) | b);
|
||||
- }
|
||||
- else
|
||||
- {
|
||||
- r = cmap->Colors[rows[i][j]].Red;
|
||||
- g = cmap->Colors[rows[i][j]].Green;
|
||||
- b = cmap->Colors[rows[i][j]].Blue;
|
||||
- *ptr++ = (0xff << 24) | (r << 16) | (g << 8) | b;
|
||||
- }
|
||||
+ *ptr++ = colormap[rows[i][j]];
|
||||
per += per_inc;
|
||||
if (progress && (((int)per) != last_per)
|
||||
&& (((int)per) % progress_granularity == 0))
|
||||
--
|
||||
2.7.3
|
||||
|
@ -1,104 +0,0 @@
|
||||
From c94d83ccab15d5ef02f88d42dce38ed3f0892882 Mon Sep 17 00:00:00 2001
|
||||
From: Kim Woelders <kim@woelders.dk>
|
||||
Date: Wed, 6 Apr 2016 17:42:17 +0200
|
||||
Subject: [PATCH] Fix potential divide-by-zero in imlib_image_draw_ellipse().
|
||||
|
||||
Attempting to draw a 2x1 ellipse with e.g. imlib_image_draw_ellipse(x, y, 2, 1)
|
||||
causes a divide-by-zero.
|
||||
It seems happy enough to draw 1x1, 1x2 and 2x2, but not 2x1.
|
||||
|
||||
Patch by Simon Lees.
|
||||
|
||||
https://bugs.debian.org/639414
|
||||
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
|
||||
---
|
||||
src/lib/ellipse.c | 24 ++++++++++++++++++++++++
|
||||
1 file changed, 24 insertions(+)
|
||||
|
||||
diff --git a/src/lib/ellipse.c b/src/lib/ellipse.c
|
||||
index cd90268..ddb410b 100644
|
||||
--- a/src/lib/ellipse.c
|
||||
+++ b/src/lib/ellipse.c
|
||||
@@ -71,6 +71,9 @@ __imlib_Ellipse_DrawToData(int xc, int yc, int a, int b, DATA32 color,
|
||||
if (IN_RANGE(rx, by, clw, clh))
|
||||
pfunc(color, bp + len);
|
||||
|
||||
+ if (dx < 1)
|
||||
+ dx = 1;
|
||||
+
|
||||
dy += b2;
|
||||
yy -= ((dy << 16) / dx);
|
||||
lx--;
|
||||
@@ -123,6 +126,9 @@ __imlib_Ellipse_DrawToData(int xc, int yc, int a, int b, DATA32 color,
|
||||
if (IN_RANGE(rx, by, clw, clh))
|
||||
pfunc(color, bp + len);
|
||||
|
||||
+ if (dy < 1)
|
||||
+ dy = 1;
|
||||
+
|
||||
dx -= a2;
|
||||
xx += ((dx << 16) / dy);
|
||||
ty++;
|
||||
@@ -222,6 +228,9 @@ __imlib_Ellipse_DrawToData_AA(int xc, int yc, int a, int b, DATA32 color,
|
||||
if (IN_RANGE(rx, by, clw, clh))
|
||||
pfunc(col1, bp + len);
|
||||
|
||||
+ if (dx < 1)
|
||||
+ dx = 1;
|
||||
+
|
||||
dy += b2;
|
||||
yy -= ((dy << 16) / dx);
|
||||
lx--;
|
||||
@@ -295,6 +304,9 @@ __imlib_Ellipse_DrawToData_AA(int xc, int yc, int a, int b, DATA32 color,
|
||||
if (IN_RANGE(rx, by, clw, clh))
|
||||
pfunc(col1, bp + len);
|
||||
|
||||
+ if (dy < 1)
|
||||
+ dy = 1;
|
||||
+
|
||||
dx -= a2;
|
||||
xx += ((dx << 16) / dy);
|
||||
ty++;
|
||||
@@ -395,6 +407,9 @@ __imlib_Ellipse_FillToData(int xc, int yc, int a, int b, DATA32 color,
|
||||
if (IN_RANGE(rx, by, clw, clh))
|
||||
pfunc(color, bp + len);
|
||||
|
||||
+ if (dx < 1)
|
||||
+ dx = 1;
|
||||
+
|
||||
dy += b2;
|
||||
yy -= ((dy << 16) / dx);
|
||||
lx--;
|
||||
@@ -453,6 +468,9 @@ __imlib_Ellipse_FillToData(int xc, int yc, int a, int b, DATA32 color,
|
||||
if (((unsigned)by < (unsigned)clh) && (len > 0))
|
||||
sfunc(color, bpp, len);
|
||||
|
||||
+ if (dy < 1)
|
||||
+ dy = 1;
|
||||
+
|
||||
dx -= a2;
|
||||
xx += ((dx << 16) / dy);
|
||||
ty++;
|
||||
@@ -556,6 +574,9 @@ __imlib_Ellipse_FillToData_AA(int xc, int yc, int a, int b, DATA32 color,
|
||||
if (IN_RANGE(rx, by, clw, clh))
|
||||
pfunc(col1, bp + len);
|
||||
|
||||
+ if (dx < 1)
|
||||
+ dx = 1;
|
||||
+
|
||||
dy += b2;
|
||||
yy -= ((dy << 16) / dx);
|
||||
lx--;
|
||||
@@ -629,6 +650,9 @@ __imlib_Ellipse_FillToData_AA(int xc, int yc, int a, int b, DATA32 color,
|
||||
if (IN_RANGE(rx, by, clw, clh))
|
||||
pfunc(col1, bp + len);
|
||||
|
||||
+ if (dy < 1)
|
||||
+ dy = 1;
|
||||
+
|
||||
dx -= a2;
|
||||
xx += ((dx << 16) / dy);
|
||||
ty++;
|
||||
--
|
||||
2.7.3
|
||||
|
@ -1,3 +1,3 @@
|
||||
# From https://sourceforge.net/projects/enlightenment/files/imlib2-src/1.4.8/
|
||||
md5 97cf1007b0339102974ce20c8f17c249 imlib2-1.4.8.tar.bz2
|
||||
sha1 09759f9cd0bb530a738032d06b29edf0038f2052 imlib2-1.4.8.tar.bz2
|
||||
# From https://sourceforge.net/projects/enlightenment/files/imlib2-src/1.4.9/
|
||||
md5 23ef8b49f2793bc63b16839a2062298b imlib2-1.4.9.tar.bz2
|
||||
sha1 f389d67c337b604a365e620b0083b2d342dd724e imlib2-1.4.9.tar.bz2
|
||||
|
@ -4,7 +4,7 @@
|
||||
#
|
||||
################################################################################
|
||||
|
||||
IMLIB2_VERSION = 1.4.8
|
||||
IMLIB2_VERSION = 1.4.9
|
||||
IMLIB2_SOURCE = imlib2-$(IMLIB2_VERSION).tar.bz2
|
||||
IMLIB2_SITE = http://downloads.sourceforge.net/project/enlightenment/imlib2-src/$(IMLIB2_VERSION)
|
||||
IMLIB2_LICENSE = imlib2 license
|
||||
|
Loading…
Reference in New Issue
Block a user