rpms/xemacs/F-10 xemacs-21.5.28-image-overflow.patch, NONE, 1.1 xemacs-21.5.28-3d-athena.patch, 1.1, 1.2 xemacs-21.5.28-destdir.patch, 1.1, 1.2 xemacs.spec, 1.43, 1.44
Jerry James
jjames at fedoraproject.org
Mon Aug 24 21:10:47 UTC 2009
Author: jjames
Update of /cvs/pkgs/rpms/xemacs/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv4746
Modified Files:
xemacs-21.5.28-3d-athena.patch xemacs-21.5.28-destdir.patch
xemacs.spec
Added Files:
xemacs-21.5.28-image-overflow.patch
Log Message:
* Mon Aug 24 2009 Jerry James <loganjerry at gmail.com> - 21.5.28-10
- Fix image overflow bug (CVE-2009-2688).
- Add dependency on xorg-x11-fonts-misc (#478370, Carl Brune).
- Rebase patches to eliminate fuzz/offsets.
xemacs-21.5.28-image-overflow.patch:
glyphs-eimage.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
--- NEW FILE xemacs-21.5.28-image-overflow.patch ---
--- xemacs-21.5.28/src/glyphs-eimage.c 2007-02-21 03:49:33.000000000 -0700
+++ xemacs-21.5.28/src/glyphs-eimage.c 2009-08-24 14:59:29.422973833 -0600
@@ -401,6 +401,7 @@
*/
{
+ UINT_64_BIT pixels_sq;
int jpeg_gray = 0; /* if we're dealing with a grayscale */
/* Step 4: set parameters for decompression. */
@@ -423,7 +424,10 @@
jpeg_start_decompress (&cinfo);
/* Step 6: Read in the data and put into EImage format (8bit RGB triples)*/
-
+ pixels_sq =
+ (UINT_64_BIT) cinfo.output_width * (UINT_64_BIT) cinfo.output_height;
+ if (pixels_sq > ((size_t) -1) / 3)
+ signal_image_error ("JPEG image too large to instantiate", instantiator);
unwind.eimage =
xnew_binbytes (cinfo.output_width * cinfo.output_height * 3);
if (!unwind.eimage)
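Review bot: The allocation below the new check still computes `cinfo.output_width * cinfo.output_height * 3` in the width of the operands, so the guard only helps where `size_t` is no wider than they are. If the two fields are 32-bit unsigned (as libjpeg's JDIMENSION normally is), then on a platform with a 64-bit `size_t` the limit `((size_t) -1) / 3` is far above anything that wraps the 32-bit product, and an undersized buffer can still be returned. Size the buffer from the checked value instead, `xnew_binbytes ((size_t) pixels_sq * 3);`, as the PNG and TIFF hunks already do. The GIF hunk has the same problem: its `xnew_binbytes (width * height * 3 * unwind.giffile->ImageCount)` line is left unchanged. The enclosing function starts and ends outside this hunk.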
@@ -669,6 +673,7 @@
{
ColorMapObject *cmo = unwind.giffile->SColorMap;
int i, j, row, pass, interlace, slice;
+ UINT_64_BIT pixels_sq;
Binbyte *eip;
/* interlaced gifs have rows in this order:
0, 8, 16, ..., 4, 12, 20, ..., 2, 6, 10, ..., 1, 3, 5, ... */
@@ -677,6 +682,9 @@
height = unwind.giffile->SHeight;
width = unwind.giffile->SWidth;
+ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
+ if (pixels_sq > ((size_t) -1) / (3 * unwind.giffile->ImageCount))
+ signal_image_error ("GIF image too large to instantiate", instantiator);
unwind.eimage =
xnew_binbytes (width * height * 3 * unwind.giffile->ImageCount);
if (!unwind.eimage)
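Review bot: The divisor `3 * unwind.giffile->ImageCount` in the added check is used without validating `ImageCount`, which comes from the decoded file. A count of zero makes the division undefined, and the `3 *` product is evaluated in the field's own type before it is converted for the division. Reject a non-positive count first and divide in `size_t`: `if (unwind.giffile->ImageCount <= 0 || pixels_sq > ((size_t) -1) / 3 / (size_t) unwind.giffile->ImageCount)`. The block starts before this hunk, so an earlier guard on `ImageCount` may already exist; if so, a short comment saying that would help.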
@@ -940,11 +948,15 @@
{
int y;
Binbyte **row_pointers;
+ UINT_64_BIT pixels_sq;
height = info_ptr->height;
width = info_ptr->width;
+ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
+ if (pixels_sq > ((size_t) -1) / 3)
+ signal_image_error ("PNG image too large to instantiate", instantiator);
/* Wow, allocate all the memory. Truly, exciting. */
- unwind.eimage = xnew_array_and_zero (Binbyte, width * height * 3);
+ unwind.eimage = xnew_array_and_zero (Binbyte, (size_t) (pixels_sq * 3));
/* libpng expects that the image buffer passed in contains a
picture to draw on top of if the png has any transparencies.
This could be a good place to pass that in... */
@@ -1291,6 +1303,7 @@
uint32 *raster;
Binbyte *ep;
+ UINT_64_BIT pixels_sq;
assert (!NILP (data));
@@ -1313,12 +1326,15 @@
TIFFGetField (unwind.tiff, TIFFTAG_IMAGEWIDTH, &width);
TIFFGetField (unwind.tiff, TIFFTAG_IMAGELENGTH, &height);
- unwind.eimage = xnew_binbytes (width * height * 3);
+ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
+ if (pixels_sq >= 1 << 29)
+ signal_image_error ("TIFF image too large to instantiate", instantiator);
+ unwind.eimage = xnew_binbytes ((size_t) pixels_sq * 3);
/* #### This is little more than proof-of-concept/function testing.
It needs to be reimplemented via scanline reads for both memory
compactness. */
- raster = (uint32*) _TIFFmalloc (width * height * sizeof (uint32));
+ raster = (uint32*) _TIFFmalloc ((tsize_t) (pixels_sq * sizeof (uint32)));
if (raster != NULL)
{
int i, j;
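Review bot: The limit `1 << 29` in the TIFF check is an unexplained magic number, and it differs from the `((size_t) -1) / 3` bound used in the JPEG, GIF and PNG hunks. It appears to be chosen so that both `pixels_sq * 3` and `pixels_sq * sizeof (uint32)` stay below 2^31 and therefore survive the `(tsize_t)` cast, but that intent is inferred and should be confirmed. If it is right, say so above the check, e.g. `/* 1 << 29 pixels keeps pixels * 3 and pixels * sizeof (uint32) below 2^31, so both fit a 32-bit size_t and a signed 32-bit tsize_t. */`. Separately, the return values of the two `TIFFGetField` calls just above are ignored, so if a tag is missing the check runs on whatever `width` and `height` held before; their initialisation is outside this hunk.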
xemacs-21.5.28-3d-athena.patch:
configure.ac | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
Index: xemacs-21.5.28-3d-athena.patch
===================================================================
RCS file: /cvs/pkgs/rpms/xemacs/F-10/xemacs-21.5.28-3d-athena.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- xemacs-21.5.28-3d-athena.patch 6 Jul 2008 21:14:09 -0000 1.1
+++ xemacs-21.5.28-3d-athena.patch 24 Aug 2009 21:10:46 -0000 1.2
@@ -1,6 +1,6 @@
--- a/configure.ac Sat Mar 15 12:21:11 2008 +0100
+++ b/configure.ac Fri Apr 04 10:48:58 2008 -0700
-@@ -4241,17 +4241,17 @@ if test "$with_x11" = "yes" -a "$detect_
+@@ -4221,17 +4221,17 @@ if test "$with_x11" = "yes" -a "$detect_
AC_CHECK_LIB($athena_variant, XawScrollbarSetThumb,
[
dnl Must not be a 3d library...
xemacs-21.5.28-destdir.patch:
Makefile.in.in | 72 ++++++++++++++++++++-----------------
dynodump/Makefile.in.in | 2 +
etc/tests/external-widget/Makefile | 2 +
lib-src/Makefile.in.in | 12 +++---
lwlib/Makefile.in.in | 2 +
man/Makefile | 2 +
modules/base64/Makefile | 2 +
modules/common/Makefile.common | 4 +-
modules/zlib/Makefile | 2 +
netinstall/Makefile.in.in | 4 +-
src/Makefile.in.in | 16 ++++----
tests/tooltalk/Makefile | 2 +
12 files changed, 75 insertions(+), 47 deletions(-)
Index: xemacs-21.5.28-destdir.patch
===================================================================
RCS file: /cvs/pkgs/rpms/xemacs/F-10/xemacs-21.5.28-destdir.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- xemacs-21.5.28-destdir.patch 6 Jun 2007 21:26:20 -0000 1.1
+++ xemacs-21.5.28-destdir.patch 24 Aug 2009 21:10:47 -0000 1.2
@@ -186,7 +186,7 @@ diff -ru xemacs-21.5.24.orig/lib-src/Mak
## For performance and consistency, no built-in rules
.SUFFIXES:
.SUFFIXES: .c .h .o
-@@ -244,26 +246,26 @@
+@@ -245,26 +247,26 @@
## just run them directly from lib-src.
${archlibdir}: all
@echo; echo "Installing utilities run internally by XEmacs."
@@ -320,7 +320,7 @@ diff -ru xemacs-21.5.24.orig/src/Makefil
PROGNAME=@PROGNAME@
prefix=@prefix@
SRC=@srcdir@
-@@ -1068,7 +1070,7 @@
+@@ -1065,7 +1067,7 @@
#ifdef HAVE_SHLIB
MAKEPATH=../lib-src/make-path
install: $(PROGNAME)
@@ -329,7 +329,7 @@ diff -ru xemacs-21.5.24.orig/src/Makefil
- at echo "Copying include files for ellcc..."
- at hdir=`pwd`; \
cd $(SRC); hdrdir2=`pwd`; cd $$hdir; \
-@@ -1082,12 +1084,12 @@
+@@ -1079,12 +1081,12 @@
test -d s && hdrtars="$$hdrtars s/*"; \
test -d m && hdrtars="$$hdrtars m/*"; \
test -n "$$hdrtars" && (tar cf - $$hdrtars) | \
Index: xemacs.spec
===================================================================
RCS file: /cvs/pkgs/rpms/xemacs/F-10/xemacs.spec,v
retrieving revision 1.43
retrieving revision 1.44
diff -u -p -r1.43 -r1.44
--- xemacs.spec 20 Jul 2008 15:44:23 -0000 1.43
+++ xemacs.spec 24 Aug 2009 21:10:47 -0000 1.44
@@ -20,7 +20,7 @@
Name: xemacs
Version: 21.5.28
-Release: 9%{?dist}
+Release: 10%{?dist}
Summary: Different version of Emacs
Group: Applications/Editors
@@ -47,6 +47,7 @@ Patch9: %{name}-21.5.28-destdir.
Patch10: %{name}-21.5.28-revert-modified-245017.patch
Patch11: %{name}-21.5.28-autoconf262-449626.patch
Patch12: %{name}-21.5.28-3d-athena.patch
+Patch13: %{name}-21.5.28-image-overflow.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -91,6 +92,7 @@ Requires: xemacs-packages-base >=
Requires: %{name}-common = %{version}-%{release}
Requires: xorg-x11-fonts-ISO8859-1-75dpi
Requires: xorg-x11-fonts-ISO8859-1-100dpi
+Requires: xorg-x11-fonts-misc
Requires(post): coreutils
Provides: xemacs(bin) = %{version}-%{release}
@@ -205,6 +207,7 @@ touch -r aclocal.m4-stamp aclocal.m4
%patch10 -p0
%patch11 -p1
%patch12 -p1
+%patch13 -p1
sed -i -e 's/"lib"/"%{_lib}"/' lisp/setup-paths.el
@@ -545,6 +548,11 @@ fi
%changelog
+* Mon Aug 24 2009 Jerry James <loganjerry at gmail.com> - 21.5.28-10
+- Fix image overflow bug (CVE-2009-2688).
+- Add dependency on xorg-x11-fonts-misc (#478370, Carl Brune).
+- Rebase patches to eliminate fuzz/offsets.
+
* Sun Jul 20 2008 Ville Skyttä <ville.skytta at iki.fi> - 21.5.28-9
- Rebuild.