Fix gif (lzw) decoding vulnerability (CVE-2011-2896). Patches from upstream;

passes upstream's test now.
is 2013-01-24 12:03:08 +00:00
parent f8e05d9116
commit 2ca0723d93
3 changed files with 88 additions and 3 deletions


@ -1,4 +1,4 @@
$NetBSD: distinfo,v 1.15 2012/11/07 15:30:04 joerg Exp $
$NetBSD: distinfo,v 1.16 2013/01/24 12:03:08 is Exp $
SHA1 (swi-prolog/pl-5.11.18.tar.gz) = b929d47f2e92230e2afcaaaf25e9a34c40adc54e
RMD160 (swi-prolog/pl-5.11.18.tar.gz) = 1cbf0dab3a9cd63b3178d6a43c983b31402d7b7f
@ -7,4 +7,5 @@ SHA1 (patch-ad) = 7b3899fe4162582efe955c67d5dc3ed42e7d1702
SHA1 (patch-ae) = 4135212b4c5faf70e01e78e45df5e1a0ccc927a6
SHA1 (patch-ar) = 2bf3648f29c6263ea2efe13b95309a1fe72b14b8
SHA1 (patch-packages_clib_sha1_brg_endian.h) = db9f50eb0d0f92e44a79048d0bb84b690945964b
SHA1 (patch-packages_xpce_src_img_gifread.c) = 5ef16b048f8343cde92a17d9fd3c78b0c3e7c374
SHA1 (patch-src_pl-funcs.h) = 792257fcc533c835a607e6d660ed42058b7a8a95


@ -0,0 +1,84 @@
$NetBSD: patch-packages_xpce_src_img_gifread.c,v 1.1 2013/01/24 12:03:09 is Exp $
--- gifread.c.orig 2011-03-23 18:57:54.000000000 +0000
+++ packages/xpce/src/img/gifread.c
@@ -169,7 +169,7 @@ GIFReadFD(IOSTREAM *fd,
/* read colormaps */
if ( BitSet((UCHAR) buf[4], LOCALCOLORMAP) )
{ if ( (rval=ReadColorMap(fd, GifScreen.BitPixel, at, ac, closure))
- != GIF_OK )
+ != GIF_OK )
{ setGifError("Error reading GIF colormap");
return rval;
}
@@ -466,7 +466,7 @@ LZWReadByte(IOSTREAM * fd, int flag, int
firstcode = oldcode = GetCode(fd, code_size, FALSE);
}
while (firstcode == clear_code);
- return firstcode;
+ return (firstcode&255);
}
if (sp > stack)
return *--sp;
@@ -487,11 +487,11 @@ LZWReadByte(IOSTREAM * fd, int flag, int
max_code = clear_code + 2;
sp = stack;
firstcode = oldcode = GetCode(fd, code_size, FALSE);
- return firstcode;
- } else if (code == end_code)
+ return (firstcode&255);
+ } else if (code == end_code || code > max_code)
{
int count;
- UCHAR buf[260];
+ UCHAR buf[260]; /* Block buffer */
if (ZeroDataBlock)
return -2;
@@ -505,11 +505,12 @@ LZWReadByte(IOSTREAM * fd, int flag, int
incode = code;
if (code >= max_code)
- {
- *sp++ = firstcode;
+ { if ( sp < stack+sizeof(stack) ) /* stack is UCHAR */
+ *sp++ = firstcode;
+
code = oldcode;
}
- while (code >= clear_code)
+ while (code >= clear_code && sp < stack+sizeof(stack))
{
*sp++ = vals[code];
if (code == (int) next[code])
@@ -520,7 +521,8 @@ LZWReadByte(IOSTREAM * fd, int flag, int
code = next[code];
}
- *sp++ = firstcode = vals[code];
+ if ( sp < stack+sizeof(stack) )
+ *sp++ = firstcode = vals[code];
if ((code = max_code) < (1 << MAX_LZW_BITS))
{
@@ -537,9 +539,9 @@ LZWReadByte(IOSTREAM * fd, int flag, int
oldcode = incode;
if (sp > stack)
- return *--sp;
+ return ((*--sp) & 255);
}
- return code;
+ return (code&255);
}
@@ -554,7 +556,7 @@ ReadImage(IOSTREAM *fd,
int xpos = 0, ypos = 0, pass = 0;
long curidx;
- if (!ReadOK(fd, &c, 1))
+ if ( !ReadOK(fd, &c, 1) || c > MAX_LZW_BITS )
{ return GIF_INVALID;
}
if (LZWReadByte(fd, TRUE, c) < 0)
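Review bot: The three added `sp < stack+sizeof(stack)` guards in LZWReadByte prevent the write past the end of the stack, but when the stack is full they drop the byte silently, and in the last guarded statement the assignment `firstcode = vals[code]` is skipped too, so decoding continues with a stale firstcode instead of failing. Treating a full stack as a corrupt stream would be easier for callers to handle, e.g. `if ( sp >= stack+sizeof(stack) ) return -1;` before the push, assuming a negative return is the error convention here, as the `LZWReadByte(fd, TRUE, c) < 0` check in ReadImage suggests. The bound is an element count only while stack remains a UCHAR array, as the added comment notes; `stack + sizeof(stack)/sizeof(stack[0])` would not depend on that. LZWReadByte begins and ends outside the hunks shown, so the declaration of stack and the remaining return paths could not be checked from this page.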


@ -1,9 +1,9 @@
# $NetBSD: Makefile,v 1.33 2012/10/02 20:11:55 asau Exp $
# $NetBSD: Makefile,v 1.34 2013/01/24 12:03:09 is Exp $
.include "../../lang/swi-prolog-lite/Makefile.common"
PKGNAME= swi-prolog-packages-${SWIPLVERS}
PKGREVISION= 2
PKGREVISION= 3
MAINTAINER= pkgsrc-users@NetBSD.org
COMMENT= Packages for SWI Prolog