Fix GIF (LZW) decoding vulnerability (CVE-2011-2896). Patches from upstream;
passes upstream's test now.
parent
f8e05d9116
commit
2ca0723d93
3 changed files with 88 additions and 3 deletions
|
@ -1,4 +1,4 @@
|
|||
$NetBSD: distinfo,v 1.15 2012/11/07 15:30:04 joerg Exp $
|
||||
$NetBSD: distinfo,v 1.16 2013/01/24 12:03:08 is Exp $
|
||||
|
||||
SHA1 (swi-prolog/pl-5.11.18.tar.gz) = b929d47f2e92230e2afcaaaf25e9a34c40adc54e
|
||||
RMD160 (swi-prolog/pl-5.11.18.tar.gz) = 1cbf0dab3a9cd63b3178d6a43c983b31402d7b7f
|
||||
|
@ -7,4 +7,5 @@ SHA1 (patch-ad) = 7b3899fe4162582efe955c67d5dc3ed42e7d1702
|
|||
SHA1 (patch-ae) = 4135212b4c5faf70e01e78e45df5e1a0ccc927a6
|
||||
SHA1 (patch-ar) = 2bf3648f29c6263ea2efe13b95309a1fe72b14b8
|
||||
SHA1 (patch-packages_clib_sha1_brg_endian.h) = db9f50eb0d0f92e44a79048d0bb84b690945964b
|
||||
SHA1 (patch-packages_xpce_src_img_gifread.c) = 5ef16b048f8343cde92a17d9fd3c78b0c3e7c374
|
||||
SHA1 (patch-src_pl-funcs.h) = 792257fcc533c835a607e6d660ed42058b7a8a95
|
||||
|
|
|
@ -0,0 +1,84 @@
|
|||
$NetBSD: patch-packages_xpce_src_img_gifread.c,v 1.1 2013/01/24 12:03:09 is Exp $
|
||||
|
||||
--- gifread.c.orig 2011-03-23 18:57:54.000000000 +0000
|
||||
+++ packages/xpce/src/img/gifread.c
|
||||
@@ -169,7 +169,7 @@ GIFReadFD(IOSTREAM *fd,
|
||||
/* read colormaps */
|
||||
if ( BitSet((UCHAR) buf[4], LOCALCOLORMAP) )
|
||||
{ if ( (rval=ReadColorMap(fd, GifScreen.BitPixel, at, ac, closure))
|
||||
- != GIF_OK )
|
||||
+ != GIF_OK )
|
||||
{ setGifError("Error reading GIF colormap");
|
||||
return rval;
|
||||
}
|
||||
@@ -466,7 +466,7 @@ LZWReadByte(IOSTREAM * fd, int flag, int
|
||||
firstcode = oldcode = GetCode(fd, code_size, FALSE);
|
||||
}
|
||||
while (firstcode == clear_code);
|
||||
- return firstcode;
|
||||
+ return (firstcode&255);
|
||||
}
|
||||
if (sp > stack)
|
||||
return *--sp;
|
||||
@@ -487,11 +487,11 @@ LZWReadByte(IOSTREAM * fd, int flag, int
|
||||
max_code = clear_code + 2;
|
||||
sp = stack;
|
||||
firstcode = oldcode = GetCode(fd, code_size, FALSE);
|
||||
- return firstcode;
|
||||
- } else if (code == end_code)
|
||||
+ return (firstcode&255);
|
||||
+ } else if (code == end_code || code > max_code)
|
||||
{
|
||||
int count;
|
||||
- UCHAR buf[260];
|
||||
+ UCHAR buf[260]; /* Block buffer */
|
||||
|
||||
if (ZeroDataBlock)
|
||||
return -2;
|
||||
@@ -505,11 +505,12 @@ LZWReadByte(IOSTREAM * fd, int flag, int
|
||||
incode = code;
|
||||
|
||||
if (code >= max_code)
|
||||
- {
|
||||
- *sp++ = firstcode;
|
||||
+ { if ( sp < stack+sizeof(stack) ) /* stack is UCHAR */
|
||||
+ *sp++ = firstcode;
|
||||
+
|
||||
code = oldcode;
|
||||
}
|
||||
- while (code >= clear_code)
|
||||
+ while (code >= clear_code && sp < stack+sizeof(stack))
|
||||
{
|
||||
*sp++ = vals[code];
|
||||
if (code == (int) next[code])
|
||||
@@ -520,7 +521,8 @@ LZWReadByte(IOSTREAM * fd, int flag, int
|
||||
code = next[code];
|
||||
}
|
||||
|
||||
- *sp++ = firstcode = vals[code];
|
||||
+ if ( sp < stack+sizeof(stack) )
|
||||
+ *sp++ = firstcode = vals[code];
|
||||
|
||||
if ((code = max_code) < (1 << MAX_LZW_BITS))
|
||||
{
|
||||
@@ -537,9 +539,9 @@ LZWReadByte(IOSTREAM * fd, int flag, int
|
||||
oldcode = incode;
|
||||
|
||||
if (sp > stack)
|
||||
- return *--sp;
|
||||
+ return ((*--sp) & 255);
|
||||
}
|
||||
- return code;
|
||||
+ return (code&255);
|
||||
}
|
||||
|
||||
|
||||
@@ -554,7 +556,7 @@ ReadImage(IOSTREAM *fd,
|
||||
int xpos = 0, ypos = 0, pass = 0;
|
||||
long curidx;
|
||||
|
||||
- if (!ReadOK(fd, &c, 1))
|
||||
+ if ( !ReadOK(fd, &c, 1) || c > MAX_LZW_BITS )
|
||||
{ return GIF_INVALID;
|
||||
}
|
||||
if (LZWReadByte(fd, TRUE, c) < 0)
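Review bot: The new `& 255` masks on the LZWReadByte return paths (`return (firstcode&255);` in two places and the final `return (code&255);`) turn any negative value into a byte in 0..255, while the caller at the end of this patch still tests `LZWReadByte(fd, TRUE, c) < 0` and the function itself returns `-2` for a bad data block. If GetCode can return a negative value on a short read or end of stream, a truncated GIF would decode as pixel 255 instead of failing; this is inferred, because GetCode's body and the loop around these returns are outside the hunks. Passing negative values through unmasked, e.g. `return code < 0 ? code : (code & 255);`, keeps the error path intact. Separately, the bound `stack+sizeof(stack)` counts bytes, so it is an element bound only while `stack` stays a UCHAR array as the comment says (its declaration is not shown); `stack + sizeof(stack)/sizeof(stack[0])` holds for any element type.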
|
|
@ -1,9 +1,9 @@
|
|||
# $NetBSD: Makefile,v 1.33 2012/10/02 20:11:55 asau Exp $
|
||||
# $NetBSD: Makefile,v 1.34 2013/01/24 12:03:09 is Exp $
|
||||
|
||||
.include "../../lang/swi-prolog-lite/Makefile.common"
|
||||
|
||||
PKGNAME= swi-prolog-packages-${SWIPLVERS}
|
||||
PKGREVISION= 2
|
||||
PKGREVISION= 3
|
||||
|
||||
MAINTAINER= pkgsrc-users@NetBSD.org
|
||||
COMMENT= Packages for SWI Prolog
|
||||
|
|