Fix gif (lzw) decoding vulnerability (CVS-2011-2896). Patches from upstream;

passes upstream's test now.
2013-01-24 12:03:08 +00:00 · 2013-01-24 12:03:08 +00:00 · cdf1a2493c
commit cdf1a2493c
parent f8e021b5f6
3 changed files with 88 additions and 3 deletions
--- a/lang/swi-prolog-lite/distinfo
+++ b/lang/swi-prolog-lite/distinfo
@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.15 2012/11/07 15:30:04 joerg Exp $
+$NetBSD: distinfo,v 1.16 2013/01/24 12:03:08 is Exp $
 SHA1 (swi-prolog/pl-5.11.18.tar.gz) = b929d47f2e92230e2afcaaaf25e9a34c40adc54e
 RMD160 (swi-prolog/pl-5.11.18.tar.gz) = 1cbf0dab3a9cd63b3178d6a43c983b31402d7b7f
@ -7,4 +7,5 @@ SHA1 (patch-ad) = 7b3899fe4162582efe955c67d5dc3ed42e7d1702
 SHA1 (patch-ae) = 4135212b4c5faf70e01e78e45df5e1a0ccc927a6
 SHA1 (patch-ar) = 2bf3648f29c6263ea2efe13b95309a1fe72b14b8
 SHA1 (patch-packages_clib_sha1_brg_endian.h) = db9f50eb0d0f92e44a79048d0bb84b690945964b
 SHA1 (patch-packages_xpce_src_img_gifread.c) = 5ef16b048f8343cde92a17d9fd3c78b0c3e7c374
 SHA1 (patch-src_pl-funcs.h) = 792257fcc533c835a607e6d660ed42058b7a8a95
--- a/lang/swi-prolog-lite/patches/patch-packages_xpce_src_img_gifread.c
+++ b/lang/swi-prolog-lite/patches/patch-packages_xpce_src_img_gifread.c
@ -0,0 +1,84 @@
 $NetBSD: patch-packages_xpce_src_img_gifread.c,v 1.1 2013/01/24 12:03:09 is Exp $
 --- gifread.c.orig	2011-03-23 18:57:54.000000000 +0000
 +++ packages/xpce/src/img/gifread.c
@@ -169,7 +169,7 @@ GIFReadFD(IOSTREAM *fd,
   /* read colormaps */
   if ( BitSet((UCHAR) buf[4], LOCALCOLORMAP) )
   { if ( (rval=ReadColorMap(fd, GifScreen.BitPixel, at, ac, closure))
 -	 							!= GIF_OK )
 +								!= GIF_OK )
     { setGifError("Error reading GIF colormap");
       return rval;
     }
@@ -466,7 +466,7 @@ LZWReadByte(IOSTREAM * fd, int flag, int
       firstcode = oldcode = GetCode(fd, code_size, FALSE);
     }
     while (firstcode == clear_code);
 -    return firstcode;
 +    return (firstcode&255);
   }
   if (sp > stack)
     return *--sp;
@@ -487,11 +487,11 @@ LZWReadByte(IOSTREAM * fd, int flag, int
       max_code = clear_code + 2;
       sp = stack;
       firstcode = oldcode = GetCode(fd, code_size, FALSE);
 -      return firstcode;
 -    } else if (code == end_code)
 +      return (firstcode&255);
 +    } else if (code == end_code || code > max_code)
     {
       int count;
 -      UCHAR buf[260];
 +      UCHAR buf[260];			/* Block buffer */
       if (ZeroDataBlock)
 	return -2;
@@ -505,11 +505,12 @@ LZWReadByte(IOSTREAM * fd, int flag, int
     incode = code;
     if (code >= max_code)
 -    {
 -      *sp++ = firstcode;
 +    { if ( sp < stack+sizeof(stack) )  /* stack is UCHAR */
 +         *sp++ = firstcode;
 +
       code = oldcode;
     }
 -    while (code >= clear_code)
 +    while (code >= clear_code && sp < stack+sizeof(stack))
     {
       *sp++ = vals[code];
       if (code == (int) next[code])
@@ -520,7 +521,8 @@ LZWReadByte(IOSTREAM * fd, int flag, int
       code = next[code];
     }
 -    *sp++ = firstcode = vals[code];
 +    if ( sp < stack+sizeof(stack) )
 +      *sp++ = firstcode = vals[code];
     if ((code = max_code) < (1 << MAX_LZW_BITS))
     {
@@ -537,9 +539,9 @@ LZWReadByte(IOSTREAM * fd, int flag, int
     oldcode = incode;
     if (sp > stack)
 -      return *--sp;
 +      return ((*--sp) & 255);
   }
 -  return code;
 +  return (code&255);
 }
@@ -554,7 +556,7 @@ ReadImage(IOSTREAM *fd,
   int xpos = 0, ypos = 0, pass = 0;
   long curidx;
 -  if (!ReadOK(fd, &c, 1))
 +  if ( !ReadOK(fd, &c, 1) || c > MAX_LZW_BITS )
   { return GIF_INVALID;
   }
   if (LZWReadByte(fd, TRUE, c) < 0)
--- a/lang/swi-prolog-packages/Makefile
+++ b/lang/swi-prolog-packages/Makefile
@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.33 2012/10/02 20:11:55 asau Exp $
+# $NetBSD: Makefile,v 1.34 2013/01/24 12:03:09 is Exp $
 .include "../../lang/swi-prolog-lite/Makefile.common"
 PKGNAME=		swi-prolog-packages-${SWIPLVERS}
-PKGREVISION=		2
+PKGREVISION=		3
 MAINTAINER=		pkgsrc-users@NetBSD.org
 COMMENT=		Packages for SWI Prolog