Accepting request 562495 from GNOME:Factory

OBS-URL: https://build.opensuse.org/request/show/562495
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gdk-pixbuf?expand=0&rev=67

gdk-pixbuf-bgo779012-ico-overflow.patch

@@ -0,0 +1,46 @@
+From dec9ca22d70c0f0d4492333b4e8147afb038afd2 Mon Sep 17 00:00:00 2001
+From: Dhiru Kholia <dhiru.kholia@gmail.com>
+Date: Thu, 30 Nov 2017 02:36:26 +0100
+Subject: [PATCH] ico: Fix potential integer overflow
+
+Which relies on undefined behaviour. Instead of checking for an
+overflowed integer after the fact, check whether the addition would
+be possible at all.
+
+Fixes: CVE-2017-6312
+
+https://bugzilla.gnome.org/show_bug.cgi?id=779012
+---
+ gdk-pixbuf/io-ico.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/gdk-pixbuf/io-ico.c b/gdk-pixbuf/io-ico.c
+index 8729a0fb9..a86725751 100644
+--- a/gdk-pixbuf/io-ico.c
++++ b/gdk-pixbuf/io-ico.c
+@@ -333,10 +333,8 @@ static void DecodeHeader(guchar *Data, gint Bytes,
+ 	for (l = State->entries; l != NULL; l = g_list_next (l)) {
+ 		entry = l->data;
+ 
+-		/* We know how many bytes are in the "header" part. */
+-		State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE;
+-
+-		if (State->HeaderSize < 0) {
++		/* Avoid invoking undefined behavior in the State->HeaderSize calculation below */
++		if (entry->DIBoffset > G_MAXINT - INFOHEADER_SIZE) {
+ 			g_set_error (error,
+ 			             GDK_PIXBUF_ERROR,
+ 			             GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+@@ -344,6 +342,9 @@ static void DecodeHeader(guchar *Data, gint Bytes,
+ 			return;
+ 		}
+ 
++		/* We know how many bytes are in the "header" part. */
++		State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE;
++
+ 		if (State->HeaderSize>State->BytesInHeaderBuf) {
+ 			guchar *tmp=g_try_realloc(State->HeaderBuf,State->HeaderSize);
+ 			if (!tmp) {
+-- 
+2.15.1
+

gdk-pixbuf-gif-negative-array-indexes.patch

@@ -0,0 +1,37 @@
+From 23e2a7c4b7794220ecd77389b3976c0767fc839d Mon Sep 17 00:00:00 2001
+From: Tobias Mueller <muelli@cryptobitch.de>
+Date: Wed, 14 Dec 2016 08:03:16 +0100
+Subject: [PATCH] gif: Prevent access to negative array indexes
+
+It seems that a pathological gif file can cause a negative array index
+to be read.  UBSAN reported this:
+io-gif.c:509:44: runtime error: index -2 out of bounds for type 'guchar [280]'
+io-gif.c:510:44: runtime error: index -1 out of bounds for type 'guchar [280]'
+
+https://bugzilla.gnome.org/show_bug.cgi?id=778584
+---
+ gdk-pixbuf/io-gif.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
+index ef1001779..acbd1f3be 100644
+--- a/gdk-pixbuf/io-gif.c
++++ b/gdk-pixbuf/io-gif.c
+@@ -508,6 +508,14 @@ gif_lzw_fill_buffer (GifContext *context)
+ 		return -2;
+ 	}
+ 
++	if (context->code_last_byte < 2) {
++		g_set_error_literal (context->error,
++				     GDK_PIXBUF_ERROR,
++				     GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
++				     _("Bad code encountered"));
++		return -2;
++	}
++
+ 	context->block_buf[0] = context->block_buf[context->code_last_byte - 2];
+ 	context->block_buf[1] = context->block_buf[context->code_last_byte - 1];
+ 
+-- 
+2.15.1
+

gdk-pixbuf-gif-uninitialized-variable.patch

@@ -0,0 +1,46 @@
+From c1fd9f5d6592c0183c54efc806b3ca6871e1f496 Mon Sep 17 00:00:00 2001
+From: Tobias Mueller <muelli@cryptobitch.de>
+Date: Fri, 10 Nov 2017 18:51:21 +0100
+Subject: [PATCH] gif: Initialise code_last_byte to not cause undefined
+ behaviour
+
+Currently, code_last_byte is set only after it has been used, i.e.
+
+    context->block_buf[0] = context->block_buf[context->code_last_byte - 2];
+
+comes before anything has touched context->code_last_byte yet.
+Except for the initialisation.
+context->code_last_byte is set a few lines later, though.
+And nowhere else, except for the initialisation which sets it
+to 0.  That will inevitably lead to context->block_buf[-2] which is
+undefined behaviour.
+
+We hence set the code_last_byte to 2 in order to not make that
+array index invalid.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=778584
+---
+ gdk-pixbuf/io-gif.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
+index acbd1f3be..61821bdf9 100644
+--- a/gdk-pixbuf/io-gif.c
++++ b/gdk-pixbuf/io-gif.c
+@@ -1165,7 +1165,12 @@ gif_prepare_lzw (GifContext *context)
+ 	context->lzw_fresh = TRUE;
+ 	context->code_curbit = 0;
+ 	context->code_lastbit = 0;
+-	context->code_last_byte = 0;
++	/* During initialistion (in gif_lzw_fill_buffer) we substract 2 from
++	 * this value to peek into a buffer.
++	 * In order to not get a negative array index later, we set the value
++	 * to that magic 2 now.
++	 */
++	context->code_last_byte = 2;
+ 	context->code_done = FALSE;
+ 
+         g_assert (context->lzw_clear_code <= 
+-- 
+2.15.1
+

gdk-pixbuf-icns-handle-short-blocklen.patch

@@ -0,0 +1,30 @@
+From 210b16399a492d05efb209615a143920b24251f4 Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Tue, 5 Dec 2017 11:51:02 +0100
+Subject: [PATCH] icns: Protect against too short blocklen (CVE-2017-6313)
+
+The blocklen needs to be at least header sized to be valid, otherwise we
+can underflow picture data or mask data lengths.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=779016
+---
+ gdk-pixbuf/io-icns.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/gdk-pixbuf/io-icns.c b/gdk-pixbuf/io-icns.c
+index a432e463f..41732b153 100644
+--- a/gdk-pixbuf/io-icns.c
++++ b/gdk-pixbuf/io-icns.c
+@@ -95,7 +95,8 @@ load_resources (unsigned size, IN gpointer data, gsize datalen,
+       blocklen = GUINT32_FROM_BE (header->size);
+ 
+       /* Check that blocklen isn't garbage */
+-      if (blocklen > icnslen - (current - bytes))
++      if (blocklen > icnslen - (current - bytes) ||
++	  blocklen < sizeof (IcnsBlockHeader))
+         return FALSE;
+ 
+       switch (size)
+-- 
+2.15.1
+

gdk-pixbuf-tiff-overflow.patch

@@ -0,0 +1,38 @@
+From 1e513abdb55529f888233d3c96b27352d83aad5f Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Tue, 5 Dec 2017 10:26:49 +0100
+Subject: [PATCH] tiff: Avoid overflowing buffer size computation
+
+Use g_uint_checked_mul() to avoid overflowing the guint used for buffer
+size calculation.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=779020
+---
+ gdk-pixbuf/io-tiff.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/gdk-pixbuf/io-tiff.c b/gdk-pixbuf/io-tiff.c
+index 7ca0a565a..49fe60eee 100644
+--- a/gdk-pixbuf/io-tiff.c
++++ b/gdk-pixbuf/io-tiff.c
+@@ -529,8 +529,15 @@ make_available_at_least (TiffContext *context, guint needed)
+         need_alloc = context->used + needed;
+         if (need_alloc > context->allocated) {
+                 guint new_size = 1;
+-                while (new_size < need_alloc)
+-                        new_size *= 2;
++                while (new_size < need_alloc) {
++                        if (!g_uint_checked_mul (&new_size, new_size, 2)) {
++                                new_size = 0;
++                                break;
++                        }
++                }
++
++                if (new_size == 0)
++                        return FALSE;
+ 
+                 new_buffer = g_try_realloc (context->buffer, new_size);
+                 if (new_buffer) {
+-- 
+2.15.1
+

gdk-pixbuf.changes

@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Fri Jan  5 17:38:55 UTC 2018 - mgorse@suse.com
+
+- Add gdk-pixbuf-bgo779012-ico-overflow.patch: fix a potential
+  integer overflow (boo#1027026 CVE-2017-6312).
+- Add gdk-pixbuf-gif-negative-array-indexes.patch and
+  gdk-pixbuf-gif-uninitialized-variable.patch: protect against
+  access to negative array indexes (BGO#778584).
+- Add gdk-pixbuf-tiff-overflow.patch: avoid overflow during size
+  computation (bgo#779020).
+- Add gdk-pixbuf-icns-handle-short-blocklen.patch: protect against
+  short block length when reading icns (boo#1027024
+  CVE-2017-6313).
+
 -------------------------------------------------------------------
 Tue Oct  3 21:36:15 UTC 2017 - luc14n0@linuxmail.org
 

gdk-pixbuf.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package gdk-pixbuf
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -30,6 +30,16 @@ Source1:        macros.gdk-pixbuf
 Source2:        README.SUSE
 Source3:        gdk-pixbuf-rpmlintrc
 Source99:       baselibs.conf
+# PATCH-FIX-UPSTREAM gdk-pixbuf-bgo779012-ico-overflow.patch boo#1027026 mgorse@suse.com -- fix potential integer overflow (CVE-2017-6312).
+Patch0:         gdk-pixbuf-bgo779012-ico-overflow.patch
+# PATCH-FIX-UPSTREAM gdk-pixbuf-gif-negative-array-indexes.patch bgo#778584 mgorse@suse.com -- gif: prevent access to negative array indexes.
+Patch1:         gdk-pixbuf-gif-negative-array-indexes.patch
+# PATCH-FIX-UPSTREAM gdk-pixbuf-gif-uninitialized-variable.patch bgo#778584 mgorse@suse.com -- fix uninitialized variable.
+Patch2:         gdk-pixbuf-gif-uninitialized-variable.patch
+# PATCH-FIX-UPSTREAM gdk-pixbuf-tiff-overflow.patch bgo#779020 mgorse@suse.com -- avoid overflow during size computation.
+Patch3:         gdk-pixbuf-tiff-overflow.patch
+# PATCH-FIX-UPSTREAM gdk-pixbuf-icns-handle-short-blocklen.patch boo#1027024 bgo#779016 mgorse@suse.com -- icns: protect against too short blocklen (CVE-2017-6313).
+Patch4:         gdk-pixbuf-icns-handle-short-blocklen.patch
 BuildRequires:  docbook-xsl-stylesheets
 BuildRequires:  gtk-doc
 BuildRequires:  libjpeg-devel
@@ -119,6 +129,11 @@ This package contains the development files for gdk-pixbuf.
 %if !0%{?is_opensuse}
 translation-update-upstream
 %endif
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
 %if "%_lib" == "lib64"
 cp -a %{SOURCE2} .
 %endif