kumquat-buildroot/package/imlib2/0002-fix-CVE-2011-5326.patch
Gustavo Zacarias 779676f62d imlib2: security bump to version 1.4.8
Fixes:
CVE-2016-3994 - out of bound read in GIF loader
CVE-2011-5326 - divide by zero on 2x1 ellipse

Switch to sourceforge hashes.
And drop all previous patches, they're upstream, yay.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-04-14 22:51:10 +02:00


From c94d83ccab15d5ef02f88d42dce38ed3f0892882 Mon Sep 17 00:00:00 2001
From: Kim Woelders <kim@woelders.dk>
Date: Wed, 6 Apr 2016 17:42:17 +0200
Subject: [PATCH] Fix potential divide-by-zero in imlib_image_draw_ellipse().
Attempting to draw a 2x1 ellipse with e.g. imlib_image_draw_ellipse(x, y, 2, 1)
causes a divide-by-zero.
It seems happy enough to draw 1x1, 1x2 and 2x2, but not 2x1.
Patch by Simon Lees.
https://bugs.debian.org/639414
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
src/lib/ellipse.c | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/src/lib/ellipse.c b/src/lib/ellipse.c
index cd90268..ddb410b 100644
--- a/src/lib/ellipse.c
+++ b/src/lib/ellipse.c
@@ -71,6 +71,9 @@ __imlib_Ellipse_DrawToData(int xc, int yc, int a, int b, DATA32 color,
if (IN_RANGE(rx, by, clw, clh))
pfunc(color, bp + len);
+ if (dx < 1)
+ dx = 1;
+
dy += b2;
yy -= ((dy << 16) / dx);
lx--;
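Review bot: The added `if (dx < 1) dx = 1;` overwrites the running term dx instead of protecting only the divisor, so the clamped value carries into later iterations and into any loop test that reads dx. The loop head is outside the hunk, so whether this alters the drawn shape for degenerate sizes cannot be confirmed from here. If only the division needs protecting, the guard could be local to it, e.g. `yy -= ((dy << 16) / (dx < 1 ? 1 : dx));`. If the persistent clamp is intended, a comment such as `/* degenerate sizes (e.g. 2x1) can leave dx below 1; clamp to avoid dividing by zero */` would record why. The same applies to the dx clamps in __imlib_Ellipse_DrawToData_AA, __imlib_Ellipse_FillToData and __imlib_Ellipse_FillToData_AA, and to the matching dy clamps in all four functions.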
@@ -123,6 +126,9 @@ __imlib_Ellipse_DrawToData(int xc, int yc, int a, int b, DATA32 color,
if (IN_RANGE(rx, by, clw, clh))
pfunc(color, bp + len);
+ if (dy < 1)
+ dy = 1;
+
dx -= a2;
xx += ((dx << 16) / dy);
ty++;
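Review bot: The clamp removes the zero divisor, but `dx << 16` on the line after `dx -= a2` still left-shifts a signed value, and nothing in the hunk shows that dx stays non-negative and small enough for the result to fit. Left-shifting a negative or overflowing signed int is undefined behaviour in C. Assuming dx is an int like the function's parameters (its declaration is outside the hunk), the scaling could be done in a wider type with a multiply, e.g. `((long long)dx * 65536) / dy`, which stays well defined for large radii. The same pattern appears as `dy << 16` and `dx << 16` in the other hunks of this patch.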
@@ -222,6 +228,9 @@ __imlib_Ellipse_DrawToData_AA(int xc, int yc, int a, int b, DATA32 color,
if (IN_RANGE(rx, by, clw, clh))
pfunc(col1, bp + len);
+ if (dx < 1)
+ dx = 1;
+
dy += b2;
yy -= ((dy << 16) / dx);
lx--;
@@ -295,6 +304,9 @@ __imlib_Ellipse_DrawToData_AA(int xc, int yc, int a, int b, DATA32 color,
if (IN_RANGE(rx, by, clw, clh))
pfunc(col1, bp + len);
+ if (dy < 1)
+ dy = 1;
+
dx -= a2;
xx += ((dx << 16) / dy);
ty++;
@@ -395,6 +407,9 @@ __imlib_Ellipse_FillToData(int xc, int yc, int a, int b, DATA32 color,
if (IN_RANGE(rx, by, clw, clh))
pfunc(color, bp + len);
+ if (dx < 1)
+ dx = 1;
+
dy += b2;
yy -= ((dy << 16) / dx);
lx--;
@@ -453,6 +468,9 @@ __imlib_Ellipse_FillToData(int xc, int yc, int a, int b, DATA32 color,
if (((unsigned)by < (unsigned)clh) && (len > 0))
sfunc(color, bpp, len);
+ if (dy < 1)
+ dy = 1;
+
dx -= a2;
xx += ((dx << 16) / dy);
ty++;
@@ -556,6 +574,9 @@ __imlib_Ellipse_FillToData_AA(int xc, int yc, int a, int b, DATA32 color,
if (IN_RANGE(rx, by, clw, clh))
pfunc(col1, bp + len);
+ if (dx < 1)
+ dx = 1;
+
dy += b2;
yy -= ((dy << 16) / dx);
lx--;
@@ -629,6 +650,9 @@ __imlib_Ellipse_FillToData_AA(int xc, int yc, int a, int b, DATA32 color,
if (IN_RANGE(rx, by, clw, clh))
pfunc(col1, bp + len);
+ if (dy < 1)
+ dy = 1;
+
dx -= a2;
xx += ((dx << 16) / dy);
ty++;
--
2.7.3