NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
c500a4f2a8
kumquat-buildroot/package/imlib2/0001-fix-CVE-2016-3994.patch
Gustavo Zacarias 779676f62d imlib2: security bump to version 1.4.8 
Fixes:
CVE-2016-3994 - out of bound read in GIF loader
CVE-2011-5326 - divide by zero on 2x1 ellipse

Switch to sourceforge hashes.
And drop all previous patches, they're upstream, yay.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-04-14 22:51:10 +02:00

72 lines
2.9 KiB
Diff
Raw Blame History

From 37a96801663b7b4cd3fbe56cc0eb8b6a17e766a8 Mon Sep 17 00:00:00 2001
From: Kim Woelders <kim@woelders.dk>
Date: Sun, 3 Apr 2016 19:40:25 +0200
Subject: [PATCH] GIF loader: Fix out-of-bound reads from colormap.
Bug-Debian: http://bugs.debian.org/785369
Note: removes all special-casing from the inner loop, optimize for common case.
Author: Yuriy M. Kaminskiy <yumkam+debian@gmail.com>
Reported-By: Jakub Wilk <jwilk@debian.org>
Thanks to Bernhard U:belacker <bernhardu@vr-web.de> for analysis.
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
src/modules/loaders/loader_gif.c | 31 +++++++++++++++++--------------
1 file changed, 17 insertions(+), 14 deletions(-)
diff --git a/src/modules/loaders/loader_gif.c b/src/modules/loaders/loader_gif.c
index 638df59..4f08d64 100644
--- a/src/modules/loaders/loader_gif.c
+++ b/src/modules/loaders/loader_gif.c
@@ -141,8 +141,24 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
if (im->loader || immediate_load || progress)
{
+ DATA32 colormap[256];
+
bg = gif->SBackGroundColor;
cmap = (gif->Image.ColorMap ? gif->Image.ColorMap : gif->SColorMap);
+ memset (colormap, 0, sizeof(colormap));
+ if (cmap != NULL)
+ {
+ for (i = cmap->ColorCount > 256 ? 256 : cmap->ColorCount; i-- > 0;)
+ {
+ r = cmap->Colors[i].Red;
+ g = cmap->Colors[i].Green;
+ b = cmap->Colors[i].Blue;
+ colormap[i] = (0xff << 24) | (r << 16) | (g << 8) | b;
+ }
+ /* if bg > cmap->ColorCount, it is transparent black already */
+ if (transp >= 0 && transp < 256)
+ colormap[transp] = bg >= 0 && bg < 256 ? colormap[bg] & 0x00ffffff : 0x00000000;
+ }
im->data = (DATA32 *) malloc(sizeof(DATA32) * w * h);
if (!im->data)
goto quit;
@@ -161,20 +177,7 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
{
for (j = 0; j < w; j++)
{
- if (rows[i][j] == transp)
- {
- r = cmap->Colors[bg].Red;
- g = cmap->Colors[bg].Green;
- b = cmap->Colors[bg].Blue;
- *ptr++ = 0x00ffffff & ((r << 16) | (g << 8) | b);
- }
- else
- {
- r = cmap->Colors[rows[i][j]].Red;
- g = cmap->Colors[rows[i][j]].Green;
- b = cmap->Colors[rows[i][j]].Blue;
- *ptr++ = (0xff << 24) | (r << 16) | (g << 8) | b;
- }
+ *ptr++ = colormap[rows[i][j]];
per += per_inc;
if (progress && (((int)per) != last_per)
&& (((int)per) % progress_granularity == 0))
--
2.7.3
Reference in New Issue View Git Blame Copy Permalink