rpms/argyllcms/F-10 argyllcms-CVE-2009-0792.patch, NONE, 1.1 argyllcms.spec, 1.7, 1.8
Jon Ciesla
limb at fedoraproject.org
Wed Apr 8 14:40:38 UTC 2009
Author: limb
Update of /cvs/pkgs/rpms/argyllcms/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv20014/F-10
Modified Files:
argyllcms.spec
Added Files:
argyllcms-CVE-2009-0792.patch
Log Message:
CVE-2009-0792.
argyllcms-CVE-2009-0792.patch:
--- NEW FILE argyllcms-CVE-2009-0792.patch ---
--- icc/icc.c.orig 2009-04-08 08:38:40.000000000 -0400
+++ icc/icc.c 2009-04-08 08:54:08.000000000 -0400
@@ -3312,7 +3312,7 @@ static int icmCurve_lookup_fwd(
rv |= 1;
}
ix = (unsigned int)floor(val); /* Coordinate */
- if (ix > (p->size-2))
+ if (ix < 0 || ix > (p->size-2))
ix = (p->size-2);
w = val - (double)ix; /* weight */
val = p->data[ix];
@@ -3334,6 +3334,11 @@ static int icmTable_setup_bwd(
) {
unsigned int i;
+ if (size > INT_MAX - 2)
+ /* Although rt->size is unsigned long, the rt data
+ * structure uses int data types to store indices. */
+ return 2;
+
rt->size = size; /* Stash pointers to these away */
rt->data = data;
@@ -3352,7 +3357,7 @@ static int icmTable_setup_bwd(
rt->qscale = (double)rt->rsize/(rt->rmax - rt->rmin); /* Scale factor to quantize to */
/* Initialize the reverse lookup structures, and get overall min/max */
- if ((rt->rlists = (unsigned int **) icp->al->calloc(icp->al, 1, rt->rsize * sizeof(unsigned int *))) == NULL) {
+ if ((rt->rlists = (unsigned int **) icp->al->calloc(icp->al, rt->rsize, sizeof(int *))) == NULL) {
return 2;
}
@@ -3365,6 +3370,16 @@ static int icmTable_setup_bwd(
int t;
t = s; s = e; e = t;
}
+
+ /* s and e should both be in the range [0,rt->rsize]
+ * now, but let's not rely on floating point
+ * calculations -- double-check. */
+ if (s < 0)
+ s = 0;
+ if (e < 0)
+ e = 0;
+ if (s >= rt->rsize)
+ s = rt->rsize-1;
if (e >= rt->rsize)
e = rt->rsize-1;
@@ -3383,6 +3398,9 @@ static int icmTable_setup_bwd(
as = rt->rlists[j][0]; /* Allocate space for this list */
nf = rt->rlists[j][1]; /* Next free location in list */
if (nf >= as) { /* need to expand space */
+ if (as > INT_MAX / 2 / sizeof (int))
+ return 2;
+
as *= 2;
rt->rlists[j] = (unsigned int *) icp->al->realloc(icp->al,rt->rlists[j], sizeof(unsigned int) * as);
if (rt->rlists[j] == NULL) {
@@ -3434,7 +3452,7 @@ static int icmTable_lookup_bwd(
val = rsize_1;
ix = (int)floor(val); /* Coordinate */
- if (ix > (rt->size-2))
+ if (ix < 0 || ix > (rt->size-2))
ix = (rt->size-2);
if (rt->rlists[ix] != NULL) { /* There is a list of fwd candidates */
/* For each candidate forward range */
@@ -3461,6 +3479,7 @@ static int icmTable_lookup_bwd(
/* We have failed to find an exact value, so return the nearest value */
/* (This is slow !) */
val = fabs(ival - rt->data[0]);
+ /* rt->size is known to be < INT_MAX */
for (k = 0, i = 1; i < rt->size; i++) {
double er;
er = fabs(ival - rt->data[i]);
@@ -4704,7 +4723,7 @@ double *in /* Input array[inputChan] */
rv |= 1;
}
ix = (int)floor(val); /* Grid coordinate */
- if (ix > (p->inputEnt-2))
+ if (ix < 0 || ix > (p->inputEnt-2))
ix = (p->inputEnt-2);
w = val - (double)ix; /* weight */
val = table[ix];
@@ -4764,7 +4783,7 @@ double *in /* Input array[outputChan] *
rv |= 1;
}
x = (int)floor(val); /* Grid coordinate */
- if (x > clutPoints_2)
+ if (x < 0 || x > clutPoints_2)
x = clutPoints_2;
co[e] = val - (double)x; /* 1.0 - weight */
gp += x * p->dinc[e]; /* Add index offset for base of cube */
@@ -4838,7 +4857,7 @@ double *in /* Input array[outputChan] *
rv |= 1;
}
x = (int)floor(val); /* Grid coordinate */
- if (x > clutPoints_2)
+ if (x < 0 || x > clutPoints_2)
x = clutPoints_2;
co[e] = val - (double)x; /* 1.0 - weight */
gp += x * p->dinc[e]; /* Add index offset for base of cube */
@@ -4957,7 +4976,7 @@ double *in /* Input array[outputChan] *
rv |= 1;
}
x = (int)floor(val); /* Grid coordinate */
- if (x > clutPoints_2)
+ if (x < 0 || x > clutPoints_2)
x = clutPoints_2;
co[e] = val - (double)x; /* 1.0 - weight */
gp += x * p->dinc[e]; /* Add index offset for base of cube */
@@ -5070,7 +5089,7 @@ double *in /* Input array[outputChan] *
rv |= 1;
}
ix = (int)floor(val); /* Grid coordinate */
- if (ix > (p->outputEnt-2))
+ if (ix < 0 || ix > (p->outputEnt-2))
ix = (p->outputEnt-2);
w = val - (double)ix; /* weight */
val = table[ix];
@@ -7887,7 +7906,7 @@ static int icmTextDescription_allocate(
if (p->size != p->_size) {
if (p->desc != NULL)
icp->al->free(icp->al, p->desc);
- if ((p->desc = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
+ if ((p->desc = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
sprintf(icp->err,"icmTextDescription_alloc: malloc() of Ascii description failed");
return icp->errc = 2;
}
@@ -9061,7 +9080,7 @@ static int icmUcrBg_allocate(
if (p->size != p->_size) {
if (p->string != NULL)
icp->al->free(icp->al, p->string);
- if ((p->string = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
+ if ((p->string = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
sprintf(icp->err,"icmUcrBg_allocate: malloc() of string data failed");
return icp->errc = 2;
}
@@ -9515,7 +9534,7 @@ static double icmVideoCardGamma_lookup(
else if (val0 > inputEnt_1)
val0 = inputEnt_1;
ix = (int)floor(val0); /* Coordinate */
- if (ix > (p->u.table.entryCount-2))
+ if (ix < 0 || ix > (p->u.table.entryCount-2))
ix = (p->u.table.entryCount-2);
w = val0 - (double)ix; /* weight */
if (p->u.table.entrySize == 1) {
@@ -10061,7 +10080,7 @@ static int icmCrdInfo_allocate(
if (p->ppsize != p->_ppsize) {
if (p->ppname != NULL)
icp->al->free(icp->al, p->ppname);
- if ((p->ppname = (char *) icp->al->malloc(icp->al, p->ppsize * sizeof(char))) == NULL) {
+ if ((p->ppname = (char *) icp->al->calloc(icp->al, p->ppsize, sizeof(char))) == NULL) {
sprintf(icp->err,"icmCrdInfo_alloc: malloc() of string data failed");
return icp->errc = 2;
}
@@ -10071,7 +10090,7 @@ static int icmCrdInfo_allocate(
if (p->crdsize[t] != p->_crdsize[t]) {
if (p->crdname[t] != NULL)
icp->al->free(icp->al, p->crdname[t]);
- if ((p->crdname[t] = (char *) icp->al->malloc(icp->al, p->crdsize[t] * sizeof(char))) == NULL) {
+ if ((p->crdname[t] = (char *) icp->al->calloc(icp->al, p->crdsize[t], sizeof(char))) == NULL) {
sprintf(icp->err,"icmCrdInfo_alloc: malloc() of CRD%d name string failed",t);
return icp->errc = 2;
}
Index: argyllcms.spec
===================================================================
RCS file: /cvs/pkgs/rpms/argyllcms/F-10/argyllcms.spec,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- argyllcms.spec 23 Mar 2009 16:46:51 -0000 1.7
+++ argyllcms.spec 8 Apr 2009 14:40:08 -0000 1.8
@@ -5,7 +5,7 @@
Name: argyllcms
Version: 1.0.3
-Release: 3%{?alphatag}%{?dist}
+Release: 4%{?alphatag}%{?dist}
Summary: ICC compatible color management system
Group: User Interface/X
@@ -19,6 +19,7 @@
# Patch applied for legal reasons
Patch4: %{name}-1.0.2-legal.patch
Patch5: argyllcms-CVE-2009-0583,0584.patch
+Patch6: argyllcms-CVE-2009-0792.patch
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
BuildRequires: libtiff-devel, libusb-devel
@@ -117,6 +118,9 @@
%changelog
+* Wed Apr 08 2009 Jon Ciesla <limb at jcomserv.net> - 1.0.3-4
+- Patch for ICC library CVE-2009-0792.
+
* Mon Mar 23 2009 Jon Ciesla <limb at jcomserv.net> - 1.0.3-3
- Patch for ICC library CVE-2009-{0583, 0584} by Tim Waugh.
More information about the fedora-extras-commits
mailing list