rpms/dia/FC-5 dia-0.94-CVE-2006-1550.patch, NONE, 1.1 dia.spec, 1.7, 1.8
Hans de Goede (jwrdegoede)
fedora-extras-commits at redhat.com
Fri Mar 31 21:52:11 UTC 2006
- Previous message (by thread): rpms/denyhosts/devel README.fedora, 1.4, 1.5 denyhosts.cron, 1.6, 1.7 denyhosts.spec, 1.31, 1.32
- Next message (by thread): rpms/xfce4-xkb-plugin/devel .cvsignore, 1.4, 1.5 sources, 1.4, 1.5 xfce4-xkb-plugin.spec, 1.5, 1.6
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: jwrdegoede
Update of /cvs/extras/rpms/dia/FC-5
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv25353
Modified Files:
dia.spec
Added Files:
dia-0.94-CVE-2006-1550.patch
Log Message:
* Fri Mar 31 2006 Hans de Goede <j.w.r.degoede at hhs.nl> 1:0.94-21
- Fix CVE-2006-1550 (bz 187556)
dia-0.94-CVE-2006-1550.patch:
--- NEW FILE dia-0.94-CVE-2006-1550.patch ---
--- dia-0.94/plug-ins/xfig/xfig-import.c.cve 2006-03-31 23:36:33.000000000 +0200
+++ dia-0.94/plug-ins/xfig/xfig-import.c 2006-03-31 23:36:40.000000000 +0200
@@ -441,11 +441,17 @@
static Color
fig_color(int color_index)
{
- if (color_index == -1)
+ if (color_index <= -1)
return color_black; /* Default color */
- if (color_index < FIG_MAX_DEFAULT_COLORS)
+ else if (color_index < FIG_MAX_DEFAULT_COLORS)
return fig_default_colors[color_index];
- else return fig_colors[color_index-FIG_MAX_DEFAULT_COLORS];
+ else if (color_index < FIG_MAX_USER_COLORS)
+ return fig_colors[color_index-FIG_MAX_DEFAULT_COLORS];
+ else {
+ message_error(_("Color index %d too high, only 512 colors allowed. Using black instead."),
+ color_index);
+ return color_black;
+ }
}
static Color
@@ -563,23 +569,25 @@
static int
fig_read_n_points(FILE *file, int n, Point **points) {
int i;
- Point *new_points;
-
- new_points = (Point*)g_malloc(sizeof(Point)*n);
+ GArray *points_list = g_array_sized_new(FALSE, FALSE, sizeof(Point), n);
for (i = 0; i < n; i++) {
int x,y;
+ Point p;
if (fscanf(file, " %d %d ", &x, &y) != 2) {
message_error(_("Error while reading %dth of %d points: %s\n"),
i, n, strerror(errno));
- free(new_points);
+ g_array_free(points_list, TRUE);
return FALSE;
}
- new_points[i].x = x/FIG_UNIT;
- new_points[i].y = y/FIG_UNIT;
+ p.x = x/FIG_UNIT;
+ p.y = y/FIG_UNIT;
+ g_array_append_val(points_list, p);
}
fscanf(file, "\n");
- *points = new_points;
+
+ *points = (Point *)points_list->data;
+ g_array_free(points_list, FALSE);
return TRUE;
}
@@ -683,7 +691,7 @@
return text_buf;
}
-static GList *depths[1000];
+static GList *depths[FIG_MAX_DEPTHS];
/* If there's something in the compound stack, we ignore the depth field,
as it will be determined by the group anyway */
@@ -693,6 +701,26 @@
level. Best we can do now. */
static int compound_depth;
+/** Add an object at a given depth. This function checks for depth limits
+ * and updates the compound depth if needed.
+ *
+ * @param newobj An object to add. If we're inside a compound, this
+ * doesn't really add the object.
+ * @param depth A depth as in the Fig format, max 999
+ */
+static void
+add_at_depth(DiaObject *newobj, int depth) {
+ if (depth < 0 || depth >= FIG_MAX_DEPTHS) {
+ message_error(_("Depth %d of of range, only 0-%d allowed.\n"),
+ depth, FIG_MAX_DEPTHS-1);
+ depth = FIG_MAX_DEPTHS - 1;
+ }
+ if (compound_stack == NULL)
+ depths[depth] = g_list_append(depths[depth], newobj);
+ else
+ if (compound_depth > depth) compound_depth = depth;
+}
+
static DiaObject *
fig_read_ellipse(FILE *file, DiagramData *dia) {
int sub_type;
@@ -749,10 +777,7 @@
/* Angle -- can't rotate yet */
/* Depth field */
- if (compound_stack == NULL)
- depths[depth] = g_list_append(depths[depth], newobj);
- else
- if (compound_depth > depth) compound_depth = depth;
+ add_at_depth(newobj, depth);
return newobj;
}
@@ -885,10 +910,7 @@
/* Cap style */
/* Depth field */
- if (compound_stack == NULL)
- depths[depth] = g_list_append(depths[depth], newobj);
- else
- if (compound_depth > depth) compound_depth = depth;
+ add_at_depth(newobj, depth);
exit:
prop_list_free(props);
g_free(forward_arrow_info);
@@ -1111,10 +1133,7 @@
/* Cap style */
/* Depth field */
- if (compound_stack == NULL)
- depths[depth] = g_list_append(depths[depth], newobj);
- else
- if (compound_depth > depth) compound_depth = depth;
+ add_at_depth(newobj, depth);
exit:
prop_list_free(props);
g_free(forward_arrow_info);
@@ -1202,10 +1221,7 @@
/* Cap style */
/* Depth field */
- if (compound_stack == NULL)
- depths[depth] = g_list_append(depths[depth], newobj);
- else
- if (compound_depth > depth) compound_depth = depth;
+ add_at_depth(newobj, depth);
exit:
g_free(forward_arrow_info);
@@ -1298,10 +1314,7 @@
newobj->ops->set_props(newobj, props);
/* Depth field */
- if (compound_stack == NULL)
- depths[depth] = g_list_append(depths[depth], newobj);
- else
- if (compound_depth > depth) compound_depth = depth;
+ add_at_depth(newobj, depth);
exit:
if (text_buf != NULL) free(text_buf);
@@ -1347,6 +1360,12 @@
return FALSE;
}
+ if (colornumber < 32 || colornumber > FIG_MAX_USER_COLORS) {
+ message_error(_("Color number %d out of range 0..%d. Discarding color.\n"),
+ colornumber, FIG_MAX_USER_COLORS);
+ return FALSE;
+ }
+
color.red = ((colorvalues & 0x00ff0000)>>16) / 255.0;
color.green = ((colorvalues & 0x0000ff00)>>8) / 255.0;
color.blue = (colorvalues & 0x000000ff) / 255.0;
@@ -1393,7 +1412,7 @@
}
/* Group extends don't really matter */
if (compound_stack == NULL)
- compound_depth = 999;
+ compound_depth = FIG_MAX_DEPTHS - 1;
compound_stack = g_slist_append(compound_stack, NULL);
return TRUE;
break;
@@ -1551,7 +1570,7 @@
for (i = 0; i < FIG_MAX_USER_COLORS; i++) {
fig_colors[i] = color_black;
}
- for (i = 0; i < 1000; i++) {
+ for (i = 0; i < FIG_MAX_DEPTHS; i++) {
depths[i] = NULL;
}
@@ -1606,7 +1625,7 @@
} while (TRUE);
/* Now we can reorder for the depth fields */
- for (i = 0; i < 1000; i++) {
+ for (i = 0; i < FIG_MAX_DEPTHS; i++) {
if (depths[i] != NULL)
layer_add_objects_first(dia->active_layer, depths[i]);
}
--- dia-0.94/plug-ins/xfig/xfig.h.cve 2006-03-31 23:36:33.000000000 +0200
+++ dia-0.94/plug-ins/xfig/xfig.h 2006-03-31 23:36:40.000000000 +0200
@@ -6,6 +6,7 @@
#define FIG_MAX_DEFAULT_COLORS 32
#define FIG_MAX_USER_COLORS 512
+#define FIG_MAX_DEPTHS 1000
/* 1200 PPI */
#define FIG_UNIT 472.440944881889763779527559055118
/* 1/80 inch */
Index: dia.spec
===================================================================
RCS file: /cvs/extras/rpms/dia/FC-5/dia.spec,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- dia.spec 31 Mar 2006 18:58:02 -0000 1.7
+++ dia.spec 31 Mar 2006 21:52:11 -0000 1.8
@@ -5,7 +5,7 @@
Name: dia
Summary: A diagram drawing program.
Version: 0.94
-Release: 20
+Release: 21
Epoch: 1
Source: ftp://ftp.gnome.org/pub/GNOME/stable/sources/dia/%{name}-%{version}.tar.bz2
Group: Applications/Multimedia
@@ -34,6 +34,7 @@
Patch4: dia-0.94-fallbacktoxpmicons.patch
Patch5: dia-0.94-rh165337.patch
Patch6: dia-0.94-gnomeflags.patch
+Patch7: dia-0.94-CVE-2006-1550.patch
%description
The Dia drawing program is designed to be like the Windows(TM) Visio
@@ -53,6 +54,7 @@
%patch4 -p1 -b .fallbacktoxpmicons
%patch5 -p1 -b .rh165337
%patch6 -p1 -b .gnomeflags
+%patch7 -p1 -b .cve
%build
rm doc/*/dia.1
@@ -117,6 +119,9 @@
%{_datadir}/pixmaps/*
%changelog
+* Fri Mar 31 2006 Hans de Goede <j.w.r.degoede at hhs.nl> 1:0.94-21
+- Fix CVE-2006-1550 (bz 187556)
+
* Fri Mar 31 2006 Hans de Goede <j.w.r.degoede at hhs.nl> 1:0.94-20
- Taking over as new FE maintainer
- Rebuild for bz 185886
- Previous message (by thread): rpms/denyhosts/devel README.fedora, 1.4, 1.5 denyhosts.cron, 1.6, 1.7 denyhosts.spec, 1.31, 1.32
- Next message (by thread): rpms/xfce4-xkb-plugin/devel .cvsignore, 1.4, 1.5 sources, 1.4, 1.5 xfce4-xkb-plugin.spec, 1.5, 1.6
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list