pool/gdk-pixbuf
SHA256
3
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 510608 from home:hpjansson:bsc1048289-gf

Browse Source 
- Add fixes for crashes, taken from upstream git (CVE-2017-2862,
  CVE-2017-2870, bgo#784866, bgo#780269):
  gdk-pixbuf-cve-2017-2862-jpeg-channels.patch
  gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch

OBS-URL: https://build.opensuse.org/request/show/510608
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/gdk-pixbuf?expand=0&rev=130
This commit is contained in:
Dominique Leuenberger 2017-07-16 19:03:40 +00:00 committed by Git OBS Bridge
parent 512ce263f7
commit 88750fa0a2
4 changed files with 139 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
gdk-pixbuf-cve-2017-2862-jpeg-channels.patch Normal file
View File

@ -0,0 +1,63 @@
commit c2a40a92fe3df4111ed9da51fe3368c079b86926
Author: Tobias Mueller <muelli@cryptobitch.de>
Date: Wed Jul 12 20:36:11 2017 +0200
jpeg: Throw error when number of color components is unsupported
Explicitly check "3" or "4" output color components.
gdk-pixbuf assumed that the value of output_components to be either
3 or 4, but not an invalid value (9) or an unsupported value (1).
The way the buffer size was deduced was using a naive "== 4" check,
with a 1, 3 or 9 color component picture getting the same buffer size,
a size just sufficient for 3 color components, causing invalid writes
later when libjpeg-turbo was decoding the image.
CVE-2017-2862
Sent by from Marcin 'Icewall' Noga of Cisco Talos
https://bugzilla.gnome.org/show_bug.cgi?id=784866
diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
index dd88a350a..1c0eba1a9 100644
--- a/gdk-pixbuf/io-jpeg.c
+++ b/gdk-pixbuf/io-jpeg.c
@@ -1051,6 +1051,7 @@ gdk_pixbuf__jpeg_image_load_increment (gpointer data,
if (!context->got_header) {
int rc;
gchar* comment;
+ gboolean has_alpha;
jpeg_save_markers (cinfo, JPEG_APP0+1, 0xffff);
jpeg_save_markers (cinfo, JPEG_APP0+2, 0xffff);
@@ -1089,10 +1090,24 @@ gdk_pixbuf__jpeg_image_load_increment (gpointer data,
}
}
jpeg_calc_output_dimensions (cinfo);
-
- context->pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB,
- cinfo->output_components == 4 ? TRUE : FALSE,
- 8,
+
+ if (cinfo->output_components == 3) {
+ has_alpha = FALSE;
+ } else if (cinfo->output_components == 4) {
+ has_alpha = TRUE;
+ } else {
+ g_set_error (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Unsupported number of color components (%d)"),
+ cinfo->output_components);
+ retval = FALSE;
+ goto out;
+ }
+
+ context->pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB,
+ has_alpha,
+ 8,
cinfo->output_width,
cinfo->output_height);

62
gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch Normal file
View File

@ -0,0 +1,62 @@
commit 31a6cff3dfc6944aad4612a9668b8ad39122e48b
Author: Ludovico de Nittis <aasonykk@gmail.com>
Date: Sun Mar 19 16:11:13 2017 +0100
tiff: Check for integer overflows in multiplication
The checks currently in use are not sufficient, because they depend on
undefined behaviour:
rowstride = width * 4;
if (rowstride / 4 != width) { /* overflow */
If the multiplication has already overflowed, the compiler may decide
to optimize the if out and thus we do not handle the erroneous case.
Rearrange the checks to avoid the undefined behaviour.
Note that gcc doesn't seem to be impacted, though a defined behaviour is
obviously preferred.
CVE-2017-2870
https://bugzilla.gnome.org/show_bug.cgi?id=780269
diff --git a/gdk-pixbuf/io-tiff.c b/gdk-pixbuf/io-tiff.c
index fb5d55095..7d055cfa8 100644
--- a/gdk-pixbuf/io-tiff.c
+++ b/gdk-pixbuf/io-tiff.c
@@ -124,18 +124,18 @@ tiff_image_parse (TIFF *tiff, TiffContext *context, GError **error)
_("Width or height of TIFF image is zero"));
return NULL;
}
-
- rowstride = width * 4;
- if (rowstride / 4 != width) { /* overflow */
+
+ if (width > G_MAXINT / 4) { /* overflow */
g_set_error_literal (error,
GDK_PIXBUF_ERROR,
GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
_("Dimensions of TIFF image too large"));
return NULL;
}
-
- bytes = height * rowstride;
- if (bytes / rowstride != height) { /* overflow */
+
+ rowstride = width * 4;
+
+ if (height > G_MAXINT / rowstride) { /* overflow */
g_set_error_literal (error,
GDK_PIXBUF_ERROR,
GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
@@ -143,6 +143,8 @@ tiff_image_parse (TIFF *tiff, TiffContext *context, GError **error)
return NULL;
}
+ bytes = height * rowstride;
+
if (context && context->size_func) {
gint w = width;
gint h = height;

8
gdk-pixbuf.changes
View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Sun Jul 16 20:57:27 CEST 2017 - hpj@suse.com
- Add fixes for crashes, taken from upstream git (CVE-2017-2862,
CVE-2017-2870, bgo#784866, bgo#780269):
gdk-pixbuf-cve-2017-2862-jpeg-channels.patch
gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch
-------------------------------------------------------------------
Wed May 10 09:10:45 UTC 2017 - dimstar@opensuse.org

6
gdk-pixbuf.spec
View File

@ -32,6 +32,10 @@ Source2: README.SUSE
Source99: baselibs.conf
# PATCH-FIX-UPSTREAM u_contrib-gdk-pixbuf-xlib-Fix-rgb888amsb.patch boo#929462 bsc#1010497 bgo#775896 mstaudt@suse.com -- Fix RGBA conversion for big endian X11 environments
Patch0: u_contrib-gdk-pixbuf-xlib-Fix-rgb888amsb.patch
# PATCH-FIX-UPSTREAM gdk-pixbuf-cve-2017-2862-jpeg-channels.patch bsc#1048289 bgo#784866 CVE-2017-2862 hpj@suse.com -- fix heap overwrite when JPEG channels is not 3 or 4.
Patch1: gdk-pixbuf-cve-2017-2862-jpeg-channels.patch
# PATCH-FIX-UPSTREAM gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch bgo#780269 CVE-2017-2870 hpj@suse.com -- fix reliance on undefined behavior to handle integer overflows.
Patch2: gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch
BuildRequires: libjasper-devel
BuildRequires: libjpeg-devel
BuildRequires: libtiff-devel
@ -117,6 +121,8 @@ This package contains development files for gdk-pixbuf.
translation-update-upstream
%endif
%patch0 -p1
%patch1 -p1
%patch2 -p1
%if "%_lib" == "lib64"
cp -a %{S:2} .
%endif