Accepting request 143763 from GNOME:Apps

(forwarded request 143057 from vuntz) OBS-URL: https://build.opensuse.org/request/show/143763 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gimp?expand=0&rev=81
2012-12-03 08:34:31 +00:00 · 2012-12-03 08:34:31 +00:00 · 998d7a3345
commit 998d7a3345
parent cba36666fa
3 changed files with 182 additions and 0 deletions
--- a/gimp-CVE-2012-5576.patch
+++ b/gimp-CVE-2012-5576.patch
@ -0,0 +1,173 @@
 From 0b35f6a082a0b3c372c568ea6bde39a4796acde2 Mon Sep 17 00:00:00 2001
 From: Michael Natterer <mitch@gimp.org>
 Date: Wed, 07 Nov 2012 23:16:31 +0000
 Subject: Bug 687392 - Memory corruption vulnerability when reading XWD files
 Applied and enhanced patch from andres which makes file-xwd detect
 this kind of file corruption and abort loading with an error message.
 ---
 diff --git a/plug-ins/common/file-xwd.c b/plug-ins/common/file-xwd.c
 index 4e8a95e..f91d757 100644
 --- a/plug-ins/common/file-xwd.c
 +++ b/plug-ins/common/file-xwd.c
@@ -186,11 +186,13 @@ static gint32 load_xwd_f2_d16_b16 (const gchar *,
 static gint32 load_xwd_f2_d24_b32 (const gchar *,
                                    FILE *,
                                    L_XWDFILEHEADER *,
 -                                   L_XWDCOLOR *);
 +                                   L_XWDCOLOR *,
 +                                   GError **);
 static gint32 load_xwd_f1_d24_b1  (const gchar *,
                                    FILE *,
                                    L_XWDFILEHEADER *,
 -                                   L_XWDCOLOR *);
 +                                   L_XWDCOLOR *,
 +                                   GError **);
 static L_CARD32 read_card32  (FILE *,
                               gint *);
@@ -540,7 +542,8 @@ load_image (const gchar  *filename,
     case 1:    /* Single plane pixmap */
       if ((depth <= 24) && (bpp == 1))
         {
 -          image_ID = load_xwd_f1_d24_b1 (filename, ifp, &xwdhdr, xwdcolmap);
 +          image_ID = load_xwd_f1_d24_b1 (filename, ifp, &xwdhdr, xwdcolmap,
 +                                         error);
         }
       break;
@@ -559,7 +562,8 @@ load_image (const gchar  *filename,
         }
       else if ((depth <= 24) && ((bpp == 24) || (bpp == 32)))
         {
 -          image_ID = load_xwd_f2_d24_b32 (filename, ifp, &xwdhdr, xwdcolmap);
 +          image_ID = load_xwd_f2_d24_b32 (filename, ifp, &xwdhdr, xwdcolmap,
 +                                          error);
         }
       break;
     }
@@ -570,7 +574,7 @@ load_image (const gchar  *filename,
   if (xwdcolmap)
     g_free (xwdcolmap);
 -  if (image_ID == -1)
 +  if (image_ID == -1 && ! (error && *error))
     g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
                  _("XWD-file %s has format %d, depth %d and bits per pixel %d. "
                    "Currently this is not supported."),
@@ -1624,10 +1628,11 @@ load_xwd_f2_d16_b16 (const gchar     *filename,
 /* Load XWD with pixmap_format 2, pixmap_depth up to 24, bits_per_pixel 24/32 */
 static gint32
 -load_xwd_f2_d24_b32 (const gchar     *filename,
 -                     FILE            *ifp,
 -                     L_XWDFILEHEADER *xwdhdr,
 -                     L_XWDCOLOR      *xwdcolmap)
 +load_xwd_f2_d24_b32 (const gchar      *filename,
 +                     FILE             *ifp,
 +                     L_XWDFILEHEADER  *xwdhdr,
 +                     L_XWDCOLOR       *xwdcolmap,
 +                     GError          **error)
 {
   register guchar *dest, lsbyte_first;
   gint             width, height, linepad, i, j, c0, c1, c2, c3;
@@ -1652,12 +1657,6 @@ load_xwd_f2_d24_b32 (const gchar     *filename,
   width  = xwdhdr->l_pixmap_width;
   height = xwdhdr->l_pixmap_height;
 -  image_ID = create_new_image (filename, width, height, GIMP_RGB,
 -                               &layer_ID, &drawable, &pixel_rgn);
 -
 -  tile_height = gimp_tile_height ();
 -  data = g_malloc (tile_height * width * 3);
 -
   redmask   = xwdhdr->l_red_mask;
   greenmask = xwdhdr->l_green_mask;
   bluemask  = xwdhdr->l_blue_mask;
@@ -1685,6 +1684,22 @@ load_xwd_f2_d24_b32 (const gchar     *filename,
   maxblue = 0; while (bluemask >> (blueshift + maxblue)) maxblue++;
   maxblue = (1 << maxblue) - 1;
 +  if (maxred   > sizeof (redmap)   ||
 +      maxgreen > sizeof (greenmap) ||
 +      maxblue  > sizeof (bluemap))
 +    {
 +      g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
 +                   _("XWD-file %s is corrupt."),
 +                   gimp_filename_to_utf8 (filename));
 +      return -1;
 +    }
 +
 +  image_ID = create_new_image (filename, width, height, GIMP_RGB,
 +                               &layer_ID, &drawable, &pixel_rgn);
 +
 +  tile_height = gimp_tile_height ();
 +  data = g_malloc (tile_height * width * 3);
 +
   /* Set map-arrays for red, green, blue */
   for (red = 0; red <= maxred; red++)
     redmap[red] = (red * 255) / maxred;
@@ -1825,10 +1840,11 @@ load_xwd_f2_d24_b32 (const gchar     *filename,
 /* Load XWD with pixmap_format 1, pixmap_depth up to 24, bits_per_pixel 1 */
 static gint32
 -load_xwd_f1_d24_b1 (const gchar     *filename,
 -                    FILE            *ifp,
 -                    L_XWDFILEHEADER *xwdhdr,
 -                    L_XWDCOLOR      *xwdcolmap)
 +load_xwd_f1_d24_b1 (const gchar      *filename,
 +                    FILE             *ifp,
 +                    L_XWDFILEHEADER  *xwdhdr,
 +                    L_XWDCOLOR       *xwdcolmap,
 +                    GError          **error)
 {
   register guchar *dest, outmask, inmask, do_reverse;
   gint             width, height, i, j, plane, fromright;
@@ -1863,13 +1879,6 @@ load_xwd_f1_d24_b1 (const gchar     *filename,
   indexed         = (xwdhdr->l_pixmap_depth <= 8);
   bytes_per_pixel = (indexed ? 1 : 3);
 -  image_ID = create_new_image (filename, width, height,
 -                               indexed ? GIMP_INDEXED : GIMP_RGB,
 -                               &layer_ID, &drawable, &pixel_rgn);
 -
 -  tile_height = gimp_tile_height ();
 -  data = g_malloc (tile_height * width * bytes_per_pixel);
 -
   for (j = 0; j < 256; j++)   /* Create an array for reversing bits */
     {
       inmask = 0;
@@ -1913,6 +1922,16 @@ load_xwd_f1_d24_b1 (const gchar     *filename,
       maxblue = 0; while (bluemask >> (blueshift + maxblue)) maxblue++;
       maxblue = (1 << maxblue) - 1;
 +      if (maxred   > sizeof (redmap)   ||
 +          maxgreen > sizeof (greenmap) ||
 +          maxblue  > sizeof (bluemap))
 +        {
 +          g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
 +                       _("XWD-file %s is corrupt."),
 +                       gimp_filename_to_utf8 (filename));
 +          return -1;
 +        }
 +
       /* Set map-arrays for red, green, blue */
       for (red = 0; red <= maxred; red++)
         redmap[red] = (red * 255) / maxred;
@@ -1922,6 +1941,13 @@ load_xwd_f1_d24_b1 (const gchar     *filename,
         bluemap[blue] = (blue * 255) / maxblue;
     }
 +  image_ID = create_new_image (filename, width, height,
 +                               indexed ? GIMP_INDEXED : GIMP_RGB,
 +                               &layer_ID, &drawable, &pixel_rgn);
 +
 +  tile_height = gimp_tile_height ();
 +  data = g_malloc (tile_height * width * bytes_per_pixel);
 +
   ncols = xwdhdr->l_colormap_entries;
   if (xwdhdr->l_ncolors < ncols)
     ncols = xwdhdr->l_ncolors;
 --
 cgit v0.9.0.2
--- a/gimp.changes
+++ b/gimp.changes
@ -1,3 +1,9 @@
 -------------------------------------------------------------------
 Tue Nov 27 11:11:04 UTC 2012 - dimstar@opensuse.org
 - Add gimp-CVE-2012-5576.patch: fix memory corruption vulnerability
  when reading XWD files (bnc#791372, bgo#687392, CVE-2012-5576).
 -------------------------------------------------------------------
 Wed Aug 29 11:43:22 UTC 2012 - dimstar@opensuse.org
--- a/gimp.spec
+++ b/gimp.spec
@ -31,6 +31,8 @@ Source1:        macros.gimp
 # openSUSE palette file
 Source2:        openSUSE.gpl
 Source99:       baselibs.conf
 # PATCH-FIX-UPSTREAM gimp-CVE-2012-5576.patch bnc#791372 bgo#687392 CVE-2012-5576 dimstar@opensuse.org -- Memory corruption vulnerability when reading XWD files, taken from git.
 Patch0:         gimp-CVE-2012-5576.patch
 BuildRequires:  aalib-devel
 BuildRequires:  alsa-devel >= 1.0.0
 BuildRequires:  babl-devel >= 0.1.10
@ -233,6 +235,7 @@ This package contains the help browser for the GIMP.
 %lang_package
 %prep
 %setup -q
 %patch0 -p1
 translation-update-upstream
 translation-update-upstream po-libgimp gimp20-libgimp
 translation-update-upstream po-python gimp20-python