Accepting request 429102 from GNOME:Factory

New stable release (forwarded request 428763 from Zaitor)

OBS-URL: https://build.opensuse.org/request/show/429102
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gdk-pixbuf?expand=0&rev=54
Dominique Leuenberger 2016-09-21 16:36:56 +00:00 committed by Git OBS Bridge
commit 1b0103f6c0
8 changed files with 71 additions and 399 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d55e5b383ee219bd0e23bf6ed4427d56a7db5379729a6e3e0a0e0eba9a8d8879
size 2709320

gdk-pixbuf-2.36.0.tar.xz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:85ab52ce9f2c26327141b3dcf21cca3da6a3f8de84b95fa1e727d8871a23245c
size 2718648


@ -1,52 +0,0 @@
From 0cff83e985fba5350695c00ed1ac30fc31ec5960 Mon Sep 17 00:00:00 2001
From: Hanno Boeck <hanno@hboeck.de>
Date: Wed, 6 Jul 2016 13:05:00 +0000
Subject: [PATCH] ico: Always set errors
When the ico header turn out to be bad, always set an
error when we fail. Otherwise, applications will get
confused.
This commit also adds an example image with a bad ico header.
https://bugzilla.gnome.org/show_bug.cgi?id=768484
---
gdk-pixbuf/io-ico.c | 14 ++++++++++++--
tests/test-images/randomly-modified/bad-header.ico | Bin 0 -> 6 bytes
2 files changed, 12 insertions(+), 2 deletions(-)
create mode 100644 tests/test-images/randomly-modified/bad-header.ico
diff --git a/gdk-pixbuf/io-ico.c b/gdk-pixbuf/io-ico.c
index 86714af..82d3e4e 100644
--- a/gdk-pixbuf/io-ico.c
+++ b/gdk-pixbuf/io-ico.c
@@ -258,8 +258,13 @@ static void DecodeHeader(guchar *Data, gint Bytes,
State->HeaderBuf = tmp;
State->BytesInHeaderBuf = State->HeaderSize;
}
- if (Bytes < State->HeaderSize)
+ if (Bytes < State->HeaderSize) {
+ g_set_error_literal (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Not enough bytes for header"));
return;
+ }
/* Now iterate through the ICONDIRENTRY structures, and sort them by
* which one we think is "best" (essentially the largest) */
@@ -399,8 +404,13 @@ static void DecodeHeader(guchar *Data, gint Bytes,
State->HeaderBuf = tmp;
State->BytesInHeaderBuf = State->HeaderSize;
}
- if (Bytes < State->HeaderSize)
+ if (Bytes < State->HeaderSize) {
+ g_set_error_literal (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Not enough bytes for header"));
return;
+ }
/* Negative heights mean top-down pixel-order */
if (State->Header.height < 0) {


@ -1,56 +0,0 @@
From b69009f2a2de151103ed87e9594615ba0fe72daf Mon Sep 17 00:00:00 2001
From: Tobias Mueller <gnome-bugs@muelli.cryptobitch.de>
Date: Mon, 11 Jul 2016 17:01:00 +0000
Subject: [PATCH] bmp: Fix an integer overflow in DecodeColormap
Return an error if n_colors * samples overflows.
This commit also adds a reproducer that will cause
pixbuf-randomly-modified to crash in the absence of
the patch.
https://bugzilla.gnome.org/show_bug.cgi?id=768688
---
gdk-pixbuf/io-bmp.c | 15 ++++++++++++---
tests/test-images/randomly-modified/decodecolormap.bmp | Bin 0 -> 118 bytes
2 files changed, 12 insertions(+), 3 deletions(-)
create mode 100644 tests/test-images/randomly-modified/decodecolormap.bmp
diff --git a/gdk-pixbuf/io-bmp.c b/gdk-pixbuf/io-bmp.c
index f412997..748ebae 100644
--- a/gdk-pixbuf/io-bmp.c
+++ b/gdk-pixbuf/io-bmp.c
@@ -518,12 +518,16 @@ static gboolean DecodeColormap (guchar *buff,
{
gint i;
gint samples;
+ guint newbuffersize;
g_assert (State->read_state == READ_STATE_PALETTE);
samples = (State->Header.size == 12 ? 3 : 4);
- if (State->BufferSize < State->Header.n_colors * samples) {
- State->BufferSize = State->Header.n_colors * samples;
+ newbuffersize = State->Header.n_colors * samples;
+ if (newbuffersize / samples != State->Header.n_colors) /* Integer overflow check */
+ return FALSE;
+ if (State->BufferSize < newbuffersize) {
+ State->BufferSize = newbuffersize;
if (!grow_buffer (State, error))
return FALSE;
return TRUE;
@@ -1247,8 +1251,13 @@ gdk_pixbuf__bmp_image_load_increment(gpointer data,
break;
case READ_STATE_PALETTE:
- if (!DecodeColormap (context->buff, context, error))
+ if (!DecodeColormap (context->buff, context, error)) {
+ g_set_error (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Error while decoding colormap"));
return FALSE;
+ }
break;
case READ_STATE_BITMASKS:


@ -1,213 +0,0 @@
From 88af50a864195da1a4f7bda5f02539704fbda599 Mon Sep 17 00:00:00 2001
From: Matthias Clasen <mclasen@redhat.com>
Date: Wed, 3 Aug 2016 12:40:48 -0400
Subject: [PATCH] ico: Be more careful when parsing headers
There is some redundancy between the ico directory and the
bitmap image header. If the two disagree on the icon dimensions,
just toss the image, instead of risking crashes or OOM later. Also
add some more debug spew that helped in tracking this down, and
make error messages more unique.
The commit also includes a test image that has an example of
this discrepancy and triggers the early exit.
https://bugzilla.gnome.org/show_bug.cgi?id=769170
Backported by Mike Gorse <mgorse@suse.com>
---
diff -urp gdk-pixbuf-2.34.0.orig/gdk-pixbuf/io-ico.c gdk-pixbuf-2.34.0/gdk-pixbuf/io-ico.c
--- gdk-pixbuf-2.34.0.orig/gdk-pixbuf/io-ico.c 2016-08-30 13:57:44.715146613 -0500
+++ gdk-pixbuf-2.34.0/gdk-pixbuf/io-ico.c 2016-08-30 15:17:40.887044723 -0500
@@ -23,6 +23,8 @@
*/
#undef DUMPBIH
+#define DEBUG(s)
+
/*
Icons are just like BMP's, except for the header.
@@ -75,14 +77,14 @@ struct BitmapInfoHeader {
};
#ifdef DUMPBIH
-/*
+/*
DumpBIH printf's the values in a BitmapInfoHeader to the screen, for
debugging purposes.
*/
static void DumpBIH(unsigned char *BIH)
-{
+{
printf("biSize = %i \n",
(int)(BIH[3] << 24) + (BIH[2] << 16) + (BIH[1] << 8) + (BIH[0]));
printf("biWidth = %i \n",
@@ -125,6 +127,8 @@ struct headerpair {
/* Score the various parts of the icon */
struct ico_direntry_data {
gint ImageScore;
+ gint width;
+ gint height;
gint DIBoffset;
gint x_hot;
gint y_hot;
@@ -241,11 +245,12 @@ static void DecodeHeader(guchar *Data, g
return;
}
-
IconCount = (Data[5] << 8) + (Data[4]);
State->HeaderSize = 6 + IconCount*16;
+ DEBUG(g_print ("Image type: %d (%s)\nImage count: %d\n", imgtype, imgtype == 2 ? "cursor" : "icon", IconCount));
+
if (State->HeaderSize>State->BytesInHeaderBuf) {
guchar *tmp=g_try_realloc(State->HeaderBuf,State->HeaderSize);
if (!tmp) {
@@ -259,10 +264,6 @@ static void DecodeHeader(guchar *Data, g
State->BytesInHeaderBuf = State->HeaderSize;
}
if (Bytes < State->HeaderSize) {
- g_set_error_literal (error,
- GDK_PIXBUF_ERROR,
- GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
- _("Not enough bytes for header"));
return;
}
@@ -272,17 +273,37 @@ static void DecodeHeader(guchar *Data, g
State->entries = 0;
Ptr = Data + 6;
for (I=0;I<IconCount;I++) {
+ int width;
+ int height;
+ int x_hot;
+ int y_hot;
+ int data_size;
+ int data_offset;
+
+ width = Ptr[0];
+ height = Ptr[1];
+ x_hot = (Ptr[5] << 8) + Ptr[4];
+ y_hot = (Ptr[7] << 8) + Ptr[6];
+ data_size = (Ptr[11] << 24) + (Ptr[10] << 16) + (Ptr[9] << 8) + (Ptr[8]);
+ data_offset = (Ptr[15] << 24) + (Ptr[14] << 16) + (Ptr[13] << 8) + (Ptr[12]);
+ DEBUG(g_print ("Image %d: %d x %d\n\tPalette: %d\n", I, width, height, {tr[2]);
+ if (imgtype == 2)
+ g_print ("\tHotspot: %d x %d\n", x_hot, y_hot);
+ else
+ g_print ("\tColor planes: %d\n\tBits per pixel: %d\n", x_hot, y_hot);
+ g_print ("\tSize: %d\n\tOffset: %d\n", data_size, data_offset);)
+
entry = g_new0 (struct ico_direntry_data, 1);
- entry->ImageScore = (Ptr[11] << 24) + (Ptr[10] << 16) + (Ptr[9] << 8) + (Ptr[8]);
- if (entry->ImageScore == 0)
- entry->ImageScore = 256;
- entry->x_hot = (Ptr[5] << 8) + Ptr[4];
- entry->y_hot = (Ptr[7] << 8) + Ptr[6];
- entry->DIBoffset = (Ptr[15]<<24)+(Ptr[14]<<16)+
- (Ptr[13]<<8) + (Ptr[12]);
+ entry->ImageScore = data_size;
+
+ entry->width = width ? width : 256;
+ entry->height = height ? height : 256;
+ entry->x_hot = x_hot;
+ entry->y_hot = y_hot;
+ entry->DIBoffset = data_offset;
State->entries = g_list_insert_sorted (State->entries, entry, compare_direntry_scores);
Ptr += 16;
- }
+ }
/* Now go through and find one we can parse */
entry = NULL;
@@ -351,9 +372,9 @@ static void DecodeHeader(guchar *Data, g
#ifdef DUMPBIH
DumpBIH(BIH);
-#endif
+#endif
/* Add the palette to the headersize */
-
+
State->Header.width =
(int)(BIH[7] << 24) + (BIH[6] << 16) + (BIH[5] << 8) + (BIH[4]);
if (State->Header.width == 0)
@@ -364,12 +385,28 @@ static void DecodeHeader(guchar *Data, g
/* /2 because the BIH height includes the transparency mask */
if (State->Header.height == 0)
State->Header.height = 256;
+
+ /* Negative heights mean top-down pixel-order */
+ if (State->Header.height < 0) {
+ State->Header.height = -State->Header.height;
+ State->Header.Negative = 1;
+ }
+ if (State->Header.width < 0) {
+ State->Header.width = -State->Header.width;
+ }
+
+ if (State->Header.width != entry->width ||
+ State->Header.height != entry->height) {
+ g_set_error_literal (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Invalid header in icon"));
+ return;
+ }
+
State->Header.depth = (BIH[15] << 8) + (BIH[14]);
+ State->Type = State->Header.depth;
- State->Type = State->Header.depth;
- if (State->Lines>=State->Header.height)
- State->Type = 1; /* The transparency mask is 1 bpp */
-
/* Determine the palette size. If the header indicates 0, it
is actually the maximum for the bpp. You have to love the
guys who made the spec. */
@@ -405,24 +442,9 @@ static void DecodeHeader(guchar *Data, g
State->BytesInHeaderBuf = State->HeaderSize;
}
if (Bytes < State->HeaderSize) {
- g_set_error_literal (error,
- GDK_PIXBUF_ERROR,
- GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
- _("Not enough bytes for header"));
return;
}
- /* Negative heights mean top-down pixel-order */
- if (State->Header.height < 0) {
- State->Header.height = -State->Header.height;
- State->Header.Negative = 1;
- }
- if (State->Header.width < 0) {
- State->Header.width = -State->Header.width;
- }
- g_assert (State->Header.width > 0);
- g_assert (State->Header.height > 0);
-
if (State->Type == 32)
State->LineWidth = State->Header.width * 4;
else if (State->Type == 24)
@@ -465,7 +487,6 @@ static void DecodeHeader(guchar *Data, g
if (State->pixbuf == NULL) {
-#if 1
if (State->size_func) {
gint width = State->Header.width;
gint height = State->Header.height;
@@ -476,7 +497,6 @@ static void DecodeHeader(guchar *Data, g
return;
}
}
-#endif
State->pixbuf =
gdk_pixbuf_new(GDK_COLORSPACE_RGB, TRUE, 8,


@ -1,57 +0,0 @@
From 779429ce34e439c01d257444fe9d6739e72a2024 Mon Sep 17 00:00:00 2001
From: Tobias Mueller <gnome-bugs@muelli.cryptobitch.de>
Date: Tue, 12 Jul 2016 15:20:00 +0000
Subject: [PATCH] bmp: Detect integer overflow of the line width
Instead of risking crashes or OOM, return an error if
we detect integer overflow.
The commit also includes a test image that triggers
this overflow when used with pixbuf-read.
https://bugzilla.gnome.org/show_bug.cgi?id=768738
---
gdk-pixbuf/io-bmp.c | 21 ++++++++++++---------
.../randomly-modified/bmp-line-overflow.bmp | Bin 0 -> 74 bytes
2 files changed, 12 insertions(+), 9 deletions(-)
create mode 100644 tests/test-images/randomly-modified/bmp-line-overflow.bmp
diff --git a/gdk-pixbuf/io-bmp.c b/gdk-pixbuf/io-bmp.c
index 748ebae..08e3c76 100644
--- a/gdk-pixbuf/io-bmp.c
+++ b/gdk-pixbuf/io-bmp.c
@@ -254,6 +254,7 @@ static gboolean DecodeHeader(unsigned char *BFH, unsigned char *BIH,
GError **error)
{
gint clrUsed;
+ guint bytesPerPixel;
/* First check for the two first bytes content. A sane
BMP file must start with bytes 0x42 0x4D. */
@@ -380,15 +381,17 @@ static gboolean DecodeHeader(unsigned char *BFH, unsigned char *BIH,
return FALSE;
}
- if (State->Type == 32)
- State->LineWidth = State->Header.width * 4;
- else if (State->Type == 24)
- State->LineWidth = State->Header.width * 3;
- else if (State->Type == 16)
- State->LineWidth = State->Header.width * 2;
- else if (State->Type == 8)
- State->LineWidth = State->Header.width * 1;
- else if (State->Type == 4)
+ if ((State->Type >= 8) && (State->Type <= 32) && (State->Type % 8 == 0)) {
+ bytesPerPixel = State->Type / 8;
+ State->LineWidth = State->Header.width * bytesPerPixel;
+ if (State->Header.width != State->LineWidth / bytesPerPixel) {
+ g_set_error_literal (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("BMP image width too large"));
+ return FALSE;
+ }
+ } else if (State->Type == 4)
State->LineWidth = (State->Header.width + 1) / 2;
else if (State->Type == 1) {
State->LineWidth = State->Header.width / 8;


@ -1,3 +1,61 @@
-------------------------------------------------------------------
Mon Sep 19 17:22:31 UTC 2016 - zaitor@opensuse.org
- Update to version 2.36.0:
+ Updated translations.
-------------------------------------------------------------------
Tue Sep 13 16:08:17 UTC 2016 - zaitor@opensuse.org
- Update to version 2.35.5:
+ Fix undefined behavior in overflow checks (bgo#770986).
+ Fix a typo (bgo#770756).
+ Avoid segfault in some tests (bgo#771026).
+ Updated translations.
-------------------------------------------------------------------
Tue Aug 30 18:39:13 UTC 2016 - zaitor@opensuse.org
- Update to version 2.35.4:
+ Updated translations.
- Conditionally apply translations-update-upstream BuildRequires
and macro for non-openSUSE only.
- Escape some macros in comments to silence rpmlint.
-------------------------------------------------------------------
Tue Aug 30 18:39:12 UTC 2016 - zaitor@opensuse.org
- Update to version 2.35.3:
+ Add API to determine supported save options (bgo#683371).
+ Add helper API for pixbuf options (bgo#768043).
+ Fix invalid gettext use (bgo#758552).
+ Fix a compiler warning in the xpm loader (bgo#768042).
+ Fix integer overflows in the bmp loader (bgo#768688,
bgo#768738).
+ Fix a crash in the ico loader (bgo#769170).
+ Updated translations.
- Drop gdk-pixbuf-bgo768688-bmp-overflow.patch,
gdk-pixbuf-bgo768484-ico-set-errors.patch,
gdk-pixbuf-bgo769738-bmp-overflow.patch and
gdk-pixbuf-bgo769170-ico-headers.patch: Fixed upstream.
-------------------------------------------------------------------
Tue Aug 30 18:39:11 UTC 2016 - zaitor@opensuse.org
- Update to version 2.35.2:
+ Use compiler directives for exporting symbols (bgo#767164).
+ Fix a problem with nearest scaling (bgo#766842).
+ Avoid redundant property notification.
+ Updated translations.
-------------------------------------------------------------------
Tue Aug 30 18:39:10 UTC 2016 - zaitor@opensuse.org
- Update to version 2.35.1:
+ Add non-varargs variant to save to stream (bgo#683063).
+ Add a common autotools module (bgo#765034).
+ Updated translations.
-------------------------------------------------------------------
Tue Aug 30 18:39:06 UTC 2016 - mgorse@suse.com


@ -20,28 +20,22 @@
%define gdk_pixbuf_binary_version 2.10.0
Name: gdk-pixbuf
Version: 2.34.0
Version: 2.36.0
Release: 0
Summary: An image loading library
License: LGPL-2.1+
Group: System/Libraries
Url: http://www.gnome.org/
Source: http://download.gnome.org/sources/gdk-pixbuf/2.34/%{name}-%{version}.tar.xz
Source: http://download.gnome.org/sources/gdk-pixbuf/2.36/%{name}-%{version}.tar.xz
Source1: macros.gdk-pixbuf
Source2: README.SUSE
Source99: baselibs.conf
# PATCH-FIX-UPSTREAM gdk-pixbuf-bgo768688-bmp-overflow.patch bgo#768688 mgorse@suse.com -- fix a bmp overflow.
Patch0: gdk-pixbuf-bgo768688-bmp-overflow.patch
# PATCh-FIX-UPSTREAM gdk-pixbuf-bgo768484-ico-set-errors.patch bgo#768484 mgorse@suse.com -- ico: always set errors.
Patch1: gdk-pixbuf-bgo768484-ico-set-errors.patch
# PATCH-FIX-UPSTREAM gdk-pixbuf-bgo769738-bmp-overflow.patch bsc#988745 bgo#769738 mgorse@suse.com -- fix another bmp overflow.
Patch2: gdk-pixbuf-bgo769738-bmp-overflow.patch
# PATCh-FIX-UPSTREAM gdk-pixbuf-bgo769170-ico-headers.patch bsc#991450 bgo#769170 CVE-2016-6352 mgorse@suse.com -- be more careful when parsing ico headers.
Patch3: gdk-pixbuf-bgo769170-ico-headers.patch
BuildRequires: libjasper-devel
BuildRequires: libjpeg-devel
BuildRequires: libtiff-devel
%if !0%{?is_opensuse}
BuildRequires: translation-update-upstream
%endif
BuildRequires: pkgconfig(glib-2.0) >= 2.37.2
BuildRequires: pkgconfig(gobject-introspection-1.0)
BuildRequires: pkgconfig(libpng)
@ -55,7 +49,7 @@ Clutter.
%package -n libgdk_pixbuf-2_0-0
Summary: An image loading library
Group: System/Libraries
# Provide %{name} to make the lang package installable
# Provide %%{name} to make the lang package installable
Provides: %{name} = %{version}
Requires(post): gdk-pixbuf-query-loaders
Recommends: %{name}-lang = %{version}
@ -105,11 +99,9 @@ This package contains development files for gdk-pixbuf.
%lang_package
%prep
%setup -q
%if !0%{?is_opensuse}
translation-update-upstream
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%endif
%if "%_lib" == "lib64"
cp -a %{S:2} .
%endif
@ -139,7 +131,7 @@ cp %{S:1} %{buildroot}%{_sysconfdir}/rpm
# Note: when updating scriptlets, don't forget to also update baselibs.conf
###########################################################################
# Convenient %define for the scriplets
# Convenient %%define for the scriplets
%if "%_lib" == "lib64"
%define _gdk_pixbuf_query_loaders %{_bindir}/gdk-pixbuf-query-loaders-64
%else
@ -152,7 +144,7 @@ cp %{S:1} %{buildroot}%{_sysconfdir}/rpm
%if 0
# In case libgdk_pixbuf-2_0-0 gets installed before gdk-pixbuf-query-loaders,
# we don't want to fail. So we make the call to gdk-pixbuf-query-loaders
# dependent on the existence of the binary. This is why we also have a %post
# dependent on the existence of the binary. This is why we also have a %%post
# for gdk-pixbuf-query-loaders.
%endif
if test -f %{_gdk_pixbuf_query_loaders}; then
@ -163,7 +155,7 @@ fi
%if 0
# If we install gdk-pixbuf-query-loaders for the first time, then we should run
# it in case libgdk_pixbuf-2_0-0 was installed first (ie, if
# %{_libdir}/gdk-pixbuf-2.0/%{gdk_pixbuf_binary_version} already exists) which
# %%{_libdir}/gdk-pixbuf-2.0/%%{gdk_pixbuf_binary_version} already exists) which
# means gdk-pixbuf-query-loaders couldn't run there.
%endif
if [ $1 = 1 ]; then
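Review bot: The updated `Source:` line in the first spec hunk still fetches the 2.36.0 tarball over plain `http://download.gnome.org/...`, and none of the visible spec lines adds a checksum or signature file as a further Source, so the only integrity anchor shown on this page is the sha256 oid in the LFS pointer. Since the line is already being touched for the version bump, I would change it to `Source: https://download.gnome.org/sources/gdk-pixbuf/2.36/%{name}-%{version}.tar.xz`. This matters more than usual here because the same change drops Patch0 to Patch3, including the ico header fix tagged CVE-2016-6352, on the assumption that the upstream tarball already carries those fixes. The spec continues outside the hunks shown, so a verification step may exist elsewhere; that is worth confirming before relying on it.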