rpms/wxGTK/EL-5 wxGTK-2.8.10-CVE-2009-2369.patch, NONE, 1.1 wxGTK.spec, 1.35, 1.36

[Dan Horák]

Author: sharkcz

Update of /cvs/pkgs/rpms/wxGTK/EL-5
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv8335

Modified Files:
	wxGTK.spec 
Added Files:
	wxGTK-2.8.10-CVE-2009-2369.patch 
Log Message:
* Wed Jul 15 2009 Dan Horák <dan[at]danny.cz> - 2.8.9-2
- add fix for CVE-2009-2369 (#511279)


wxGTK-2.8.10-CVE-2009-2369.patch:

--- NEW FILE wxGTK-2.8.10-CVE-2009-2369.patch ---
Index: src/common/imagpng.cpp
===================================================================
--- src/common/imagpng.cpp	(revision 60874)
+++ src/common/imagpng.cpp	(revision 60875)
@@ -568,18 +568,16 @@
     if (!image->Ok())
         goto error;
 
-    lines = (unsigned char **)malloc( (size_t)(height * sizeof(unsigned char *)) );
+    // initialize all line pointers to NULL to ensure that they can be safely
+    // free()d if an error occurs before all of them could be allocated
+    lines = (unsigned char **)calloc(height, sizeof(unsigned char *));
     if ( !lines )
         goto error;
 
     for (i = 0; i < height; i++)
     {
         if ((lines[i] = (unsigned char *)malloc( (size_t)(width * (sizeof(unsigned char) * 4)))) == NULL)
-        {
-            for ( unsigned int n = 0; n < i; n++ )
-                free( lines[n] );
             goto error;
-        }
     }
 
     png_read_image( png_ptr, lines );
Index: src/common/imagtiff.cpp
===================================================================
--- src/common/imagtiff.cpp	(revision 60875)
+++ src/common/imagtiff.cpp	(revision 60876)
@@ -261,7 +261,6 @@
     }
 
     uint32 w, h;
-    uint32 npixels;
     uint32 *raster;
 
     TIFFGetField( tif, TIFFTAG_IMAGEWIDTH, &w );
@@ -275,10 +274,21 @@
                            (samplesInfo[0] == EXTRASAMPLE_ASSOCALPHA ||
                             samplesInfo[0] == EXTRASAMPLE_UNASSALPHA));
 
-    npixels = w * h;
+    // guard against integer overflow during multiplication which could result
+    // in allocating a too small buffer and then overflowing it
+    const double bytesNeeded = w * h * sizeof(uint32);
+    if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ )
+    {
+        if ( verbose )
+            wxLogError( _("TIFF: Image size is abnormally big.") );
 
-    raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) );
+        TIFFClose(tif);
 
+        return false;
+    }
+
+    raster = (uint32*) _TIFFmalloc( bytesNeeded );
+
     if (!raster)
     {
         if (verbose)
Index: src/common/imagtiff.cpp
===================================================================
--- src/common/imagtiff.cpp	(revision 60896)
+++ src/common/imagtiff.cpp	(revision 60897)
@@ -276,7 +276,7 @@
 
     // guard against integer overflow during multiplication which could result
     // in allocating a too small buffer and then overflowing it
-    const double bytesNeeded = w * h * sizeof(uint32);
+    const double bytesNeeded = (double)w * (double)h * sizeof(uint32);
     if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ )
     {
         if ( verbose )


Index: wxGTK.spec
===================================================================
RCS file: /cvs/pkgs/rpms/wxGTK/EL-5/wxGTK.spec,v
retrieving revision 1.35
retrieving revision 1.36
diff -u -p -r1.35 -r1.36
--- wxGTK.spec	10 Nov 2008 18:23:29 -0000	1.35
+++ wxGTK.spec	15 Jul 2009 18:07:12 -0000	1.36
@@ -6,7 +6,7 @@
 
 Name:           wxGTK
 Version:        2.8.9
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        GTK2 port of the wxWidgets GUI library
 # The wxWindows licence is the LGPL with a specific exemption allowing
 # distribution of derived binaries under any terms. (This will eventually
@@ -16,6 +16,9 @@ Group:          System Environment/Libra
 URL:            http://www.wxwidgets.org/
 Source0:        http://dl.sf.net/wxwindows/%{name}-%{version}.tar.bz2
 
+# http://trac.wxwidgets.org/ticket/10993
+Patch0:         %{name}-2.8.10-CVE-2009-2369.patch
+
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 BuildRequires:  gtk2-devel, zlib-devel >= 1.1.4
@@ -121,6 +124,7 @@ libraries or the X Window System.
 
 %prep
 %setup -q
+%patch0 -p0 -b .CVE-2009-2369
 
 sed -i -e 's|/usr/lib\b|%{_libdir}|' wx-config.in configure
 
@@ -254,6 +258,7 @@ rm -rf $RPM_BUILD_ROOT
 %endif
 
 %files -n wxBase
+%defattr(-,root,root,-)
 %doc docs/changes.txt docs/gpl.txt docs/lgpl.txt docs/licence.txt
 %doc docs/licendoc.txt docs/preamble.txt docs/readme.txt
 %{_libdir}/libwx_baseu-*.so.*
@@ -262,6 +267,9 @@ rm -rf $RPM_BUILD_ROOT
 
 
 %changelog
+* Wed Jul 15 2009 Dan Horák <dan[at]danny.cz> - 2.8.9-2
+- add fix for CVE-2009-2369 (#511279)
+
 * Mon Sep 22 2008 Dan Horak <dan[at]danny.cz> - 2.8.9-1
 - update to 2.8.9