Accepting request 667600 from home:jmoellers:branches:multimedia:libs

OBS-URL: https://build.opensuse.org/request/show/667600 OBS-URL: https://build.opensuse.org/package/show/multimedia:libs/libcaca?expand=0&rev=48
2019-01-21 13:37:29 +00:00 · 2019-01-21 13:37:29 +00:00 · 5553c4c7ce
commit 5553c4c7ce
parent be09a9a7cb
4 changed files with 67 additions and 0 deletions
--- a/Bug1120502-add_cast_to_prevent_overflow.patch
+++ b/Bug1120502-add_cast_to_prevent_overflow.patch
@ -0,0 +1,35 @@
+Author: Josef Möllers <jmoellers@suse.de>
+Index: libcaca-da28e9684ef445ac8d42745644336b8a75c01855/caca/dither.c
+===================================================================
+--- libcaca-da28e9684ef445ac8d42745644336b8a75c01855.orig/caca/dither.c
+++ libcaca-da28e9684ef445ac8d42745644336b8a75c01855/caca/dither.c
+@@ -991,10 +991,10 @@ int caca_dither_bitmap(caca_canvas_t *cv
+         /* First get RGB */
+         if(d->antialias)
+         {
+-            fromx = (x - x1) * w / deltax;
+-            fromy = (y - y1) * h / deltay;
+-            tox = (x - x1 + 1) * w / deltax;
+-            toy = (y - y1 + 1) * h / deltay;
+            fromx = (uint64_t)(x - x1) * w / deltax;
+            fromy = (uint64_t)(y - y1) * h / deltay;
+            tox = (uint64_t)(x - x1 + 1) * w / deltax;
+            toy = (uint64_t)(y - y1 + 1) * h / deltay;
+ 
+             /* We want at least one pixel */
+             if(tox == fromx) tox++;
+@@ -1017,10 +1017,10 @@ int caca_dither_bitmap(caca_canvas_t *cv
+         }
+         else
+         {
+-            fromx = (x - x1) * w / deltax;
+-            fromy = (y - y1) * h / deltay;
+-            tox = (x - x1 + 1) * w / deltax;
+-            toy = (y - y1 + 1) * h / deltay;
+            fromx = (uint64_t)(x - x1) * w / deltax;
+            fromy = (uint64_t)(y - y1) * h / deltay;
+            tox = (uint64_t)(x - x1 + 1) * w / deltax;
+            toy = (uint64_t)(y - y1 + 1) * h / deltay;
+ 
+             /* tox and toy can overflow the canvas, but they cannot overflow
+              * when averaged with fromx and fromy because these are guaranteed
--- a/libcaca-variable-type.patch
+++ b/libcaca-variable-type.patch
@ -1,3 +1,4 @@
+Author: Josef Möllers <jmoellers@suse.de>
 Index: libcaca-da28e9684ef445ac8d42745644336b8a75c01855/src/common-image.h
 ===================================================================
 --- libcaca-da28e9684ef445ac8d42745644336b8a75c01855.orig/src/common-image.h
@ -11,3 +12,16 @@ Index: libcaca-da28e9684ef445ac8d42745644336b8a75c01855/src/common-image.h
     struct caca_dither *dither;
     void *priv;
 };
+Index: libcaca-da28e9684ef445ac8d42745644336b8a75c01855/caca/dither.c
+===================================================================
+--- libcaca-da28e9684ef445ac8d42745644336b8a75c01855.orig/caca/dither.c
+++ libcaca-da28e9684ef445ac8d42745644336b8a75c01855/caca/dither.c
+@@ -116,7 +116,7 @@ enum color_mode
+ struct caca_dither
+ {
+     int bpp, has_palette, has_alpha;
+-    int w, h, pitch;
+    size_t w, h, pitch;
+     int rmask, gmask, bmask, amask;
+     int rright, gright, bright, aright;
+     int rleft, gleft, bleft, aleft;
--- a/libcaca.changes
+++ b/libcaca.changes
@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Mon Jan 21 13:01:52 UTC 2019 - josef.moellers@suse.com
+
+- Cast intermediate results to 64 bits to prevent overflow of
+  calculations with 32-bit quentities.
+  [CVE-2018-20544, bsc#1120502,
+   Bug1120502-add_cast_to_prevent_overflow.patch]
+
+-------------------------------------------------------------------
+Mon Jan 21 12:39:30 UTC 2019 - josef.moellers@suse.com
+
+- Fix the size of width and height to be of size_t rather than
+  int in struct caca_dither. Re-using existing patch.
+  [CVE-2018-20546, bsc#1120503, CVE-2018-20547,
+   bsc#1120504, libcaca-variable-type.patch]
+
 -------------------------------------------------------------------
 Tue Jan 15 15:03:38 UTC 2019 - josef.moellers@suse.com

--- a/libcaca.spec
+++ b/libcaca.spec
@ -36,6 +36,7 @@ Patch7:         libcaca-0.99.beta16-missing-GLU.patch
 Patch9:         caca-no-build-date.patch
 Patch10:        libcaca-ncurses6.patch
 Patch11:        libcaca-variable-type.patch
+Patch12:        Bug1120502-add_cast_to_prevent_overflow.patch
 BuildRequires:  doxygen
 BuildRequires:  fdupes
 BuildRequires:  freeglut-devel
@ -138,6 +139,7 @@ drawing, triangle filling and sprite blitting.
 %patch1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
 RUBY="ruby-`echo %{rb_ver} | sed 's|\.[^\.]*$||'`"
 find . -type f -exec sed -i "s|ruby-1.9|$RUBY|" \{\} \;
 pushd python