rpm/kimageformats
SHA256
1
0
Fork 0
forked from pool/kimageformats
Code Pull Requests Activity

- Add patch to fix buffer overflows (boo#1123281):

Browse Source 
* 0001-Fix-various-OOB-reads-and-writes-in-kimg_tga-and-kim.patch

OBS-URL: https://build.opensuse.org/package/show/KDE:Frameworks5/kimageformats?expand=0&rev=161
This commit is contained in:
Fabian Vogt 2019-01-28 13:30:51 +00:00 committed by Git OBS Bridge
parent 2e3e08bca1
commit 863dc72219
3 changed files with 120 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

111
0001-Fix-various-OOB-reads-and-writes-in-kimg_tga-and-kim.patch Normal file
View File

@ -0,0 +1,111 @@
From 20b6fef093ab276a532d015a192e62d7219c939a Mon Sep 17 00:00:00 2001
From: Fabian Vogt <fabian@ritter-vogt.de>
Date: Sun, 20 Jan 2019 12:51:02 +0100
Subject: [PATCH] Fix various OOB reads and writes in kimg_tga and kimg_xcf
Test Plan: No crash anymore.
Reviewers: aacid
Subscribers: kde-frameworks-devel
Tags: #frameworks
Differential Revision: https://phabricator.kde.org/D18574
---
src/imageformats/tga.cpp | 27 +++++++++++++++++++++++----
src/imageformats/xcf.cpp | 3 ++-
2 files changed, 25 insertions(+), 5 deletions(-)
diff --git a/src/imageformats/tga.cpp b/src/imageformats/tga.cpp
index 3a22b45..9217bed 100644
--- a/src/imageformats/tga.cpp
+++ b/src/imageformats/tga.cpp
@@ -189,7 +189,7 @@ static bool LoadTGA(QDataStream &s, const TgaHeader &tga, QImage &img)
}
uint pixel_size = (tga.pixel_size / 8);
- uint size = tga.width * tga.height * pixel_size;
+ qint64 size = qint64(tga.width) * qint64(tga.height) * pixel_size;
if (size < 1) {
// qDebug() << "This TGA file is broken with size " << size;
@@ -204,20 +204,34 @@ static bool LoadTGA(QDataStream &s, const TgaHeader &tga, QImage &img)
}
// Allocate image.
- uchar *const image = new uchar[size];
+ uchar *const image = reinterpret_cast<uchar*>(malloc(size));
+ if (!image) {
+ return false;
+ }
+
+ bool valid = true;
if (info.rle) {
// Decode image.
char *dst = (char *)image;
- int num = size;
+ qint64 num = size;
while (num > 0) {
+ if (s.atEnd()) {
+ valid = false;
+ break;
+ }
+
// Get packet header.
uchar c;
s >> c;
uint count = (c & 0x7f) + 1;
num -= count * pixel_size;
+ if (num < 0) {
+ valid = false;
+ break;
+ }
if (c & 0x80) {
// RLE pixels.
@@ -240,6 +254,11 @@ static bool LoadTGA(QDataStream &s, const TgaHeader &tga, QImage &img)
s.readRawData((char *)image, size);
}
+ if (!valid) {
+ free(image);
+ return false;
+ }
+
// Convert image to internal format.
int y_start, y_step, y_end;
if (tga.flags & TGA_ORIGIN_UPPER) {
@@ -294,7 +313,7 @@ static bool LoadTGA(QDataStream &s, const TgaHeader &tga, QImage &img)
}
// Free image.
- delete [] image;
+ free(image);
return true;
}
diff --git a/src/imageformats/xcf.cpp b/src/imageformats/xcf.cpp
index 758b65e..824d67a 100644
--- a/src/imageformats/xcf.cpp
+++ b/src/imageformats/xcf.cpp
@@ -489,11 +489,12 @@ bool XCFImageFormat::loadProperty(QDataStream &xcf_io, PropType &type, QByteArra
quint32 ncolors;
xcf_io >> ncolors;
+ size = 3 * ncolors + 4;
+
if (size > 65535 || size < 4) {
return false;
}
- size = 3 * ncolors + 4;
data = new char[size];
// since we already read "ncolors" from the stream, we put that data back
--
2.20.1

6
kimageformats.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Mon Jan 28 13:30:26 UTC 2019 - Fabian Vogt <fabian@ritter-vogt.de>
- Add patch to fix buffer overflows (boo#1123281):
* 0001-Fix-various-OOB-reads-and-writes-in-kimg_tga-and-kim.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Jan 23 17:47:54 UTC 2019 - Fabian Vogt <fabian@ritter-vogt.de> Wed Jan 23 17:47:54 UTC 2019 - Fabian Vogt <fabian@ritter-vogt.de>

4
kimageformats.spec
View File

@ -30,6 +30,8 @@ Group: System/GUI/KDE
URL: https://www.kde.org URL: https://www.kde.org
Source: http://download.kde.org/stable/frameworks/%{_tar_path}/%{name}-%{version}.tar.xz Source: http://download.kde.org/stable/frameworks/%{_tar_path}/%{name}-%{version}.tar.xz
Source1: baselibs.conf Source1: baselibs.conf
# PATCH-FIX-UPSTREAM
Patch001: 0001-Fix-various-OOB-reads-and-writes-in-kimg_tga-and-kim.patch
BuildRequires: cmake >= 3.0 BuildRequires: cmake >= 3.0
BuildRequires: extra-cmake-modules >= %{_kf5_bugfix_version} BuildRequires: extra-cmake-modules >= %{_kf5_bugfix_version}
BuildRequires: fdupes BuildRequires: fdupes
@ -62,7 +64,7 @@ it invokes ghostscript for conversion, it should only be used in trusted
environments. environments.
%prep %prep
%setup -q %autosetup -p1
%build %build
%cmake_kf5 -d build %cmake_kf5 -d build