pool/gdk-pixbuf
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 511904 from GNOME:Factory

Browse Source 
1

OBS-URL: https://build.opensuse.org/request/show/511904
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gdk-pixbuf?expand=0&rev=62
This commit is contained in:
Yuchen Lin 2017-08-10 11:44:05 +00:00 committed by Git OBS Bridge
commit b1b89f87b6
6 changed files with 18 additions and 135 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
gdk-pixbuf-2.36.6.tar.xz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:455eb90c09ed1b71f95f3ebfe1c904c206727e0eeb34fc94e5aaf944663a820c
size 5166980

3
gdk-pixbuf-2.36.7.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:1b6e5eef09d98f05f383014ecd3503e25dfb03d7e5b5f5904e5a65b049a6a4d8
size 5170080

63
gdk-pixbuf-cve-2017-2862-jpeg-channels.patch
View File

@ -1,63 +0,0 @@
commit c2a40a92fe3df4111ed9da51fe3368c079b86926
Author: Tobias Mueller <muelli@cryptobitch.de>
Date: Wed Jul 12 20:36:11 2017 +0200
jpeg: Throw error when number of color components is unsupported
Explicitly check "3" or "4" output color components.
gdk-pixbuf assumed that the value of output_components to be either
3 or 4, but not an invalid value (9) or an unsupported value (1).
The way the buffer size was deduced was using a naive "== 4" check,
with a 1, 3 or 9 color component picture getting the same buffer size,
a size just sufficient for 3 color components, causing invalid writes
later when libjpeg-turbo was decoding the image.
CVE-2017-2862
Sent by from Marcin 'Icewall' Noga of Cisco Talos
https://bugzilla.gnome.org/show_bug.cgi?id=784866
diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
index dd88a350a..1c0eba1a9 100644
--- a/gdk-pixbuf/io-jpeg.c
+++ b/gdk-pixbuf/io-jpeg.c
@@ -1051,6 +1051,7 @@ gdk_pixbuf__jpeg_image_load_increment (gpointer data,
if (!context->got_header) {
int rc;
gchar* comment;
+ gboolean has_alpha;
jpeg_save_markers (cinfo, JPEG_APP0+1, 0xffff);
jpeg_save_markers (cinfo, JPEG_APP0+2, 0xffff);
@@ -1089,10 +1090,24 @@ gdk_pixbuf__jpeg_image_load_increment (gpointer data,
}
}
jpeg_calc_output_dimensions (cinfo);
-
- context->pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB,
- cinfo->output_components == 4 ? TRUE : FALSE,
- 8,
+
+ if (cinfo->output_components == 3) {
+ has_alpha = FALSE;
+ } else if (cinfo->output_components == 4) {
+ has_alpha = TRUE;
+ } else {
+ g_set_error (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Unsupported number of color components (%d)"),
+ cinfo->output_components);
+ retval = FALSE;
+ goto out;
+ }
+
+ context->pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB,
+ has_alpha,
+ 8,
cinfo->output_width,
cinfo->output_height);

62
gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch
View File

@ -1,62 +0,0 @@
commit 31a6cff3dfc6944aad4612a9668b8ad39122e48b
Author: Ludovico de Nittis <aasonykk@gmail.com>
Date: Sun Mar 19 16:11:13 2017 +0100
tiff: Check for integer overflows in multiplication
The checks currently in use are not sufficient, because they depend on
undefined behaviour:
rowstride = width * 4;
if (rowstride / 4 != width) { /* overflow */
If the multiplication has already overflowed, the compiler may decide
to optimize the if out and thus we do not handle the erroneous case.
Rearrange the checks to avoid the undefined behaviour.
Note that gcc doesn't seem to be impacted, though a defined behaviour is
obviously preferred.
CVE-2017-2870
https://bugzilla.gnome.org/show_bug.cgi?id=780269
diff --git a/gdk-pixbuf/io-tiff.c b/gdk-pixbuf/io-tiff.c
index fb5d55095..7d055cfa8 100644
--- a/gdk-pixbuf/io-tiff.c
+++ b/gdk-pixbuf/io-tiff.c
@@ -124,18 +124,18 @@ tiff_image_parse (TIFF *tiff, TiffContext *context, GError **error)
_("Width or height of TIFF image is zero"));
return NULL;
}
-
- rowstride = width * 4;
- if (rowstride / 4 != width) { /* overflow */
+
+ if (width > G_MAXINT / 4) { /* overflow */
g_set_error_literal (error,
GDK_PIXBUF_ERROR,
GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
_("Dimensions of TIFF image too large"));
return NULL;
}
-
- bytes = height * rowstride;
- if (bytes / rowstride != height) { /* overflow */
+
+ rowstride = width * 4;
+
+ if (height > G_MAXINT / rowstride) { /* overflow */
g_set_error_literal (error,
GDK_PIXBUF_ERROR,
GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
@@ -143,6 +143,8 @@ tiff_image_parse (TIFF *tiff, TiffContext *context, GError **error)
return NULL;
}
+ bytes = height * rowstride;
+
if (context && context->size_func) {
gint w = width;
gint h = height;

14
gdk-pixbuf.changes
View File

@ -1,3 +1,17 @@
-------------------------------------------------------------------
Tue Jul 18 17:10:16 UTC 2017 - zaitor@opensuse.org
- Update to version 2.36.7:
+ Add tests for recent bug fixes.
+ ico, bmp, tiff: avoid integer overflows (bgo#776040,
bgo#776694, bgo#780269).
+ jpeg: error out if wrong # of channels (bgo#784866).
+ Misc.bugfixes (bgo#784583).
+ Support mimetypes: image/wmf, image/emf.
+ Updated translations.
- Drop gdk-pixbuf-cve-2017-2862-jpeg-channels.patch and
gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch: Fixed upstream.
------------------------------------------------------------------- -------------------------------------------------------------------
Sun Jul 16 20:57:27 CEST 2017 - hpj@suse.com Sun Jul 16 20:57:27 CEST 2017 - hpj@suse.com

8
gdk-pixbuf.spec
View File

@ -20,7 +20,7 @@
%define gdk_pixbuf_binary_version 2.10.0 %define gdk_pixbuf_binary_version 2.10.0
Name: gdk-pixbuf Name: gdk-pixbuf
Version: 2.36.6 Version: 2.36.7
Release: 0 Release: 0
Summary: An image loading library Summary: An image loading library
License: LGPL-2.1+ License: LGPL-2.1+
@ -32,10 +32,6 @@ Source2: README.SUSE
Source99: baselibs.conf Source99: baselibs.conf
# PATCH-FIX-UPSTREAM u_contrib-gdk-pixbuf-xlib-Fix-rgb888amsb.patch boo#929462 bsc#1010497 bgo#775896 mstaudt@suse.com -- Fix RGBA conversion for big endian X11 environments # PATCH-FIX-UPSTREAM u_contrib-gdk-pixbuf-xlib-Fix-rgb888amsb.patch boo#929462 bsc#1010497 bgo#775896 mstaudt@suse.com -- Fix RGBA conversion for big endian X11 environments
Patch0: u_contrib-gdk-pixbuf-xlib-Fix-rgb888amsb.patch Patch0: u_contrib-gdk-pixbuf-xlib-Fix-rgb888amsb.patch
# PATCH-FIX-UPSTREAM gdk-pixbuf-cve-2017-2862-jpeg-channels.patch bsc#1048289 bgo#784866 CVE-2017-2862 hpj@suse.com -- fix heap overwrite when JPEG channels is not 3 or 4.
Patch1: gdk-pixbuf-cve-2017-2862-jpeg-channels.patch
# PATCH-FIX-UPSTREAM gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch bgo#780269 CVE-2017-2870 hpj@suse.com -- fix reliance on undefined behavior to handle integer overflows.
Patch2: gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch
BuildRequires: libjasper-devel BuildRequires: libjasper-devel
BuildRequires: libjpeg-devel BuildRequires: libjpeg-devel
BuildRequires: libtiff-devel BuildRequires: libtiff-devel
@ -121,8 +117,6 @@ This package contains development files for gdk-pixbuf.
translation-update-upstream translation-update-upstream
%endif %endif
%patch0 -p1 %patch0 -p1
%patch1 -p1
%patch2 -p1
%if "%_lib" == "lib64" %if "%_lib" == "lib64"
cp -a %{S:2} . cp -a %{S:2} .
%endif %endif