pool/gdk-pixbuf
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 562058 from home:mgorse:branches:GNOME:Factory

Browse Source 
- Add gdk-pixbuf-bgo779012-ico-overflow.patch: fix a potential
  integer overflow (boo#1027026 CVE-2017-6312).
- Add gdk-pixbuf-gif-negative-array-indexes.patch and
  gdk-pixbuf-gif-uninitialized-variable.patch: protect against
  access to negative array indexes (BGO#778584).
- Add gdk-pixbuf-tiff-overflow.patch: avoid overflow during size
  computation (bgo#779020).
- Add gdk-pixbuf-icns-handle-short-blocklen.patch: protect against
  short block length when reading icns (boo#1027024
  CVE-2017-6313).

OBS-URL: https://build.opensuse.org/request/show/562058
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/gdk-pixbuf?expand=0&rev=144
This commit is contained in:
Dominique Leuenberger 2018-01-08 12:31:19 +00:00 committed by Git OBS Bridge
parent 9874fbf7cc
commit 7d230a8bba
7 changed files with 227 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
gdk-pixbuf-bgo779012-ico-overflow.patch Normal file
View File

@ -0,0 +1,46 @@
From dec9ca22d70c0f0d4492333b4e8147afb038afd2 Mon Sep 17 00:00:00 2001
From: Dhiru Kholia <dhiru.kholia@gmail.com>
Date: Thu, 30 Nov 2017 02:36:26 +0100
Subject: [PATCH] ico: Fix potential integer overflow
Which relies on undefined behaviour. Instead of checking for an
overflowed integer after the fact, check whether the addition would
be possible at all.
Fixes: CVE-2017-6312
https://bugzilla.gnome.org/show_bug.cgi?id=779012
---
gdk-pixbuf/io-ico.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/gdk-pixbuf/io-ico.c b/gdk-pixbuf/io-ico.c
index 8729a0fb9..a86725751 100644
--- a/gdk-pixbuf/io-ico.c
+++ b/gdk-pixbuf/io-ico.c
@@ -333,10 +333,8 @@ static void DecodeHeader(guchar *Data, gint Bytes,
for (l = State->entries; l != NULL; l = g_list_next (l)) {
entry = l->data;
- /* We know how many bytes are in the "header" part. */
- State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE;
-
- if (State->HeaderSize < 0) {
+ /* Avoid invoking undefined behavior in the State->HeaderSize calculation below */
+ if (entry->DIBoffset > G_MAXINT - INFOHEADER_SIZE) {
g_set_error (error,
GDK_PIXBUF_ERROR,
GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
@@ -344,6 +342,9 @@ static void DecodeHeader(guchar *Data, gint Bytes,
return;
}
+ /* We know how many bytes are in the "header" part. */
+ State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE;
+
if (State->HeaderSize>State->BytesInHeaderBuf) {
guchar *tmp=g_try_realloc(State->HeaderBuf,State->HeaderSize);
if (!tmp) {
--
2.15.1

37
gdk-pixbuf-gif-negative-array-indexes.patch Normal file
View File

@ -0,0 +1,37 @@
From 23e2a7c4b7794220ecd77389b3976c0767fc839d Mon Sep 17 00:00:00 2001
From: Tobias Mueller <muelli@cryptobitch.de>
Date: Wed, 14 Dec 2016 08:03:16 +0100
Subject: [PATCH] gif: Prevent access to negative array indexes
It seems that a pathological gif file can cause a negative array index
to be read. UBSAN reported this:
io-gif.c:509:44: runtime error: index -2 out of bounds for type 'guchar [280]'
io-gif.c:510:44: runtime error: index -1 out of bounds for type 'guchar [280]'
https://bugzilla.gnome.org/show_bug.cgi?id=778584
---
gdk-pixbuf/io-gif.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
index ef1001779..acbd1f3be 100644
--- a/gdk-pixbuf/io-gif.c
+++ b/gdk-pixbuf/io-gif.c
@@ -508,6 +508,14 @@ gif_lzw_fill_buffer (GifContext *context)
return -2;
}
+ if (context->code_last_byte < 2) {
+ g_set_error_literal (context->error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Bad code encountered"));
+ return -2;
+ }
+
context->block_buf[0] = context->block_buf[context->code_last_byte - 2];
context->block_buf[1] = context->block_buf[context->code_last_byte - 1];
--
2.15.1

46
gdk-pixbuf-gif-uninitialized-variable.patch Normal file
View File

@ -0,0 +1,46 @@
From c1fd9f5d6592c0183c54efc806b3ca6871e1f496 Mon Sep 17 00:00:00 2001
From: Tobias Mueller <muelli@cryptobitch.de>
Date: Fri, 10 Nov 2017 18:51:21 +0100
Subject: [PATCH] gif: Initialise code_last_byte to not cause undefined
behaviour
Currently, code_last_byte is set only after it has been used, i.e.
context->block_buf[0] = context->block_buf[context->code_last_byte - 2];
comes before anything has touched context->code_last_byte yet.
Except for the initialisation.
context->code_last_byte is set a few lines later, though.
And nowhere else, except for the initialisation which sets it
to 0. That will inevitably lead to context->block_buf[-2] which is
undefined behaviour.
We hence set the code_last_byte to 2 in order to not make that
array index invalid.
https://bugzilla.gnome.org/show_bug.cgi?id=778584
---
gdk-pixbuf/io-gif.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
index acbd1f3be..61821bdf9 100644
--- a/gdk-pixbuf/io-gif.c
+++ b/gdk-pixbuf/io-gif.c
@@ -1165,7 +1165,12 @@ gif_prepare_lzw (GifContext *context)
context->lzw_fresh = TRUE;
context->code_curbit = 0;
context->code_lastbit = 0;
- context->code_last_byte = 0;
+ /* During initialistion (in gif_lzw_fill_buffer) we substract 2 from
+ * this value to peek into a buffer.
+ * In order to not get a negative array index later, we set the value
+ * to that magic 2 now.
+ */
+ context->code_last_byte = 2;
context->code_done = FALSE;
g_assert (context->lzw_clear_code <=
--
2.15.1

30
gdk-pixbuf-icns-handle-short-blocklen.patch Normal file
View File

@ -0,0 +1,30 @@
From 210b16399a492d05efb209615a143920b24251f4 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Tue, 5 Dec 2017 11:51:02 +0100
Subject: [PATCH] icns: Protect against too short blocklen (CVE-2017-6313)
The blocklen needs to be at least header sized to be valid, otherwise we
can underflow picture data or mask data lengths.
https://bugzilla.gnome.org/show_bug.cgi?id=779016
---
gdk-pixbuf/io-icns.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/gdk-pixbuf/io-icns.c b/gdk-pixbuf/io-icns.c
index a432e463f..41732b153 100644
--- a/gdk-pixbuf/io-icns.c
+++ b/gdk-pixbuf/io-icns.c
@@ -95,7 +95,8 @@ load_resources (unsigned size, IN gpointer data, gsize datalen,
blocklen = GUINT32_FROM_BE (header->size);
/* Check that blocklen isn't garbage */
- if (blocklen > icnslen - (current - bytes))
+ if (blocklen > icnslen - (current - bytes) ||
+ blocklen < sizeof (IcnsBlockHeader))
return FALSE;
switch (size)
--
2.15.1

38
gdk-pixbuf-tiff-overflow.patch Normal file
View File

@ -0,0 +1,38 @@
From 1e513abdb55529f888233d3c96b27352d83aad5f Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Tue, 5 Dec 2017 10:26:49 +0100
Subject: [PATCH] tiff: Avoid overflowing buffer size computation
Use g_uint_checked_mul() to avoid overflowing the guint used for buffer
size calculation.
https://bugzilla.gnome.org/show_bug.cgi?id=779020
---
gdk-pixbuf/io-tiff.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/gdk-pixbuf/io-tiff.c b/gdk-pixbuf/io-tiff.c
index 7ca0a565a..49fe60eee 100644
--- a/gdk-pixbuf/io-tiff.c
+++ b/gdk-pixbuf/io-tiff.c
@@ -529,8 +529,15 @@ make_available_at_least (TiffContext *context, guint needed)
need_alloc = context->used + needed;
if (need_alloc > context->allocated) {
guint new_size = 1;
- while (new_size < need_alloc)
- new_size *= 2;
+ while (new_size < need_alloc) {
+ if (!g_uint_checked_mul (&new_size, new_size, 2)) {
+ new_size = 0;
+ break;
+ }
+ }
+
+ if (new_size == 0)
+ return FALSE;
new_buffer = g_try_realloc (context->buffer, new_size);
if (new_buffer) {
--
2.15.1

14
gdk-pixbuf.changes
View File

@ -1,3 +1,17 @@
-------------------------------------------------------------------
Fri Jan 5 17:38:55 UTC 2018 - mgorse@suse.com
- Add gdk-pixbuf-bgo779012-ico-overflow.patch: fix a potential
integer overflow (boo#1027026 CVE-2017-6312).
- Add gdk-pixbuf-gif-negative-array-indexes.patch and
gdk-pixbuf-gif-uninitialized-variable.patch: protect against
access to negative array indexes (BGO#778584).
- Add gdk-pixbuf-tiff-overflow.patch: avoid overflow during size
computation (bgo#779020).
- Add gdk-pixbuf-icns-handle-short-blocklen.patch: protect against
short block length when reading icns (boo#1027024
CVE-2017-6313).
-------------------------------------------------------------------
Tue Oct 3 21:36:15 UTC 2017 - luc14n0@linuxmail.org

17
gdk-pixbuf.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package gdk-pixbuf
#
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -30,6 +30,16 @@ Source1: macros.gdk-pixbuf
Source2: README.SUSE
Source3: gdk-pixbuf-rpmlintrc
Source99: baselibs.conf
# PATCH-FIX-UPSTREAM gdk-pixbuf-bgo779012-ico-overflow.patch boo#1027026 mgorse@suse.com -- fix potential integer overflow (CVE-2017-6312).
Patch0: gdk-pixbuf-bgo779012-ico-overflow.patch
# PATCH-FIX-UPSTREAM gdk-pixbuf-gif-negative-array-indexes.patch bgo#778584 mgorse@suse.com -- gif: prevent access to negative array indexes.
Patch1: gdk-pixbuf-gif-negative-array-indexes.patch
# PATCH-FIX-UPSTREAM gdk-pixbuf-gif-uninitialized-variable.patch bgo#778584 mgorse@suse.com -- fix uninitialized variable.
Patch2: gdk-pixbuf-gif-uninitialized-variable.patch
# PATCH-FIX-UPSTREAM gdk-pixbuf-tiff-overflow.patch bgo#779020 mgorse@suse.com -- avoid overflow during size computation.
Patch3: gdk-pixbuf-tiff-overflow.patch
# PATCH-FIX-UPSTREAM gdk-pixbuf-icns-handle-short-blocklen.patch boo#1027024 bgo#779016 mgorse@suse.com -- icns: protect against too short blocklen (CVE-2017-6313).
Patch4: gdk-pixbuf-icns-handle-short-blocklen.patch
BuildRequires: docbook-xsl-stylesheets
BuildRequires: gtk-doc
BuildRequires: libjpeg-devel
@ -119,6 +129,11 @@ This package contains the development files for gdk-pixbuf.
%if !0%{?is_opensuse}
translation-update-upstream
%endif
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%if "%_lib" == "lib64"
cp -a %{SOURCE2} .
%endif