summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLi Zhou <li.zhou@windriver.com>2015-08-18 11:45:41 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-08-19 18:05:37 +0100
commit050629cd64f71e85b90392a857824544e8a8926a (patch)
tree0f9d3f8b5c82325ae3f7815af26ca1da2b22b430
parent09ad7ca4cf9bb334a9eb5ec24b103b337569d440 (diff)
downloadpoky-050629cd64f71e85b90392a857824544e8a8926a.tar.gz
gdk-pixbuf: Security Advisory - gdk-pixbuf - CVE-2015-4491
pixops: Be more careful about integer overflow Integer overflow in the make_filter_table function in pixops/pixops.c in gdk-pixbuf before 2.31.5, as used in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 on Linux, Google Chrome on Linux, and other products, allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow and application crash) via crafted bitmap dimensions that are mishandled during scaling. (From OE-Core rev: e27f367d08becce9486f2890cb7382f3c8448246) Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/0001-pixops-Be-more-careful-about-integer-overflow.patch89
-rw-r--r--meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.30.8.bb1
2 files changed, 90 insertions, 0 deletions
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/0001-pixops-Be-more-careful-about-integer-overflow.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/0001-pixops-Be-more-careful-about-integer-overflow.patch
new file mode 100644
index 0000000000..fe7c1d5017
--- /dev/null
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/0001-pixops-Be-more-careful-about-integer-overflow.patch
@@ -0,0 +1,89 @@
1From ffec86ed5010c5a2be14f47b33bcf4ed3169a199 Mon Sep 17 00:00:00 2001
2From: Matthias Clasen <mclasen@redhat.com>
3Date: Mon, 13 Jul 2015 00:33:40 -0400
4Subject: [PATCH] pixops: Be more careful about integer overflow
5
6Our loader code is supposed to handle out-of-memory and overflow
7situations gracefully, reporting errors instead of aborting. But
8if you load an image at a specific size, we also execute our
9scaling code, which was not careful enough about overflow in some
10places.
11
12This commit makes the scaling code silently return if it fails to
13allocate filter tables. This is the best we can do, since
14gdk_pixbuf_scale() is not taking a GError.
15
16https://bugzilla.gnome.org/show_bug.cgi?id=752297
17
18Upstream-Status: backport
19
20Signed-off-by: Li Zhou <li.zhou@windriver.com>
21---
22 gdk-pixbuf/pixops/pixops.c | 22 +++++++++++++++++-----
23 1 file changed, 17 insertions(+), 5 deletions(-)
24
25diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c
26index 29a1c14..ce51745 100644
27--- a/gdk-pixbuf/pixops/pixops.c
28+++ b/gdk-pixbuf/pixops/pixops.c
29@@ -1272,7 +1272,16 @@ make_filter_table (PixopsFilter *filter)
30 int i_offset, j_offset;
31 int n_x = filter->x.n;
32 int n_y = filter->y.n;
33- int *weights = g_new (int, SUBSAMPLE * SUBSAMPLE * n_x * n_y);
34+ gsize n_weights;
35+ int *weights;
36+
37+ n_weights = SUBSAMPLE * SUBSAMPLE * n_x * n_y;
38+ if (n_weights / (SUBSAMPLE * SUBSAMPLE * n_x) != n_y)
39+ return NULL; /* overflow, bail */
40+
41+ weights = g_try_new (int, n_weights);
42+ if (!weights)
43+ return NULL; /* overflow, bail */
44
45 for (i_offset=0; i_offset < SUBSAMPLE; i_offset++)
46 for (j_offset=0; j_offset < SUBSAMPLE; j_offset++)
47@@ -1347,8 +1356,11 @@ pixops_process (guchar *dest_buf,
48 if (x_step == 0 || y_step == 0)
49 return; /* overflow, bail out */
50
51- line_bufs = g_new (guchar *, filter->y.n);
52 filter_weights = make_filter_table (filter);
53+ if (!filter_weights)
54+ return; /* overflow, bail out */
55+
56+ line_bufs = g_new (guchar *, filter->y.n);
57
58 check_shift = check_size ? get_check_shift (check_size) : 0;
59
60@@ -1468,7 +1480,7 @@ tile_make_weights (PixopsFilterDimension *dim,
61 double scale)
62 {
63 int n = ceil (1 / scale + 1);
64- double *pixel_weights = g_new (double, SUBSAMPLE * n);
65+ double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
66 int offset;
67 int i;
68
69@@ -1526,7 +1538,7 @@ bilinear_magnify_make_weights (PixopsFilterDimension *dim,
70 }
71
72 dim->n = n;
73- dim->weights = g_new (double, SUBSAMPLE * n);
74+ dim->weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
75
76 pixel_weights = dim->weights;
77
78@@ -1617,7 +1629,7 @@ bilinear_box_make_weights (PixopsFilterDimension *dim,
79 double scale)
80 {
81 int n = ceil (1/scale + 3.0);
82- double *pixel_weights = g_new (double, SUBSAMPLE * n);
83+ double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
84 double w;
85 int offset, i;
86
87--
881.7.9.5
89
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.30.8.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.30.8.bb
index a63d4546f6..07c2dcec16 100644
--- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.30.8.bb
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.30.8.bb
@@ -18,6 +18,7 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \
18 file://extending-libinstall-dependencies.patch \ 18 file://extending-libinstall-dependencies.patch \
19 file://run-ptest \ 19 file://run-ptest \
20 file://fatal-loader.patch \ 20 file://fatal-loader.patch \
21 file://0001-pixops-Be-more-careful-about-integer-overflow.patch \
21 " 22 "
22 23
23SRC_URI[md5sum] = "4fed0d54432f1b69fc6e66e608bd5542" 24SRC_URI[md5sum] = "4fed0d54432f1b69fc6e66e608bd5542"