gdk-pixbuf: Security Advisory - gdk-pixbuf - CVE-2015-4491

pixops: Be more careful about integer overflow Integer overflow in the make_filter_table function in pixops/pixops.c in gdk-pixbuf before 2.31.5, as used in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 on Linux, Google Chrome on Linux, and other products, allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow and application crash) via crafted bitmap dimensions that are mishandled during scaling. (From OE-Core master rev: e27f367d08becce9486f2890cb7382f3c8448246) (From OE-Core rev: 8e6da2d34ed6e3352e235c1723d6b4f425bd5932) Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Li Zhou <li.zhou@windriver.com> 2015-08-18 11:45:41 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-09-01 21:19:45 +0100
commit: 0b1ea952adc45edc145ef687f9da62e350b8fd8b (patch)
tree: fbcb97d93a461a8d7fd3f4c8cfb086a469707615 /meta
parent: 541876e3e53707bb245a5a6f6f40747d27364da6 (diff)
download: poky-0b1ea952adc45edc145ef687f9da62e350b8fd8b.tar.gz
2 files changed, 90 insertions, 0 deletions
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/0001-pixops-Be-more-careful-about-integer-overflow.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/0001-pixops-Be-more-careful-about-integer-overflow.patch
new file mode 100644
index 0000000000..fe7c1d5017
--- /dev/null
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/0001-pixops-Be-more-careful-about-integer-overflow.patch
@@ -0,0 +1,89 @@
+From ffec86ed5010c5a2be14f47b33bcf4ed3169a199 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Mon, 13 Jul 2015 00:33:40 -0400
+Subject: [PATCH] pixops: Be more careful about integer overflow
+Our loader code is supposed to handle out-of-memory and overflow
+situations gracefully, reporting errors instead of aborting. But
+if you load an image at a specific size, we also execute our
+scaling code, which was not careful enough about overflow in some
+places.
+This commit makes the scaling code silently return if it fails to
+allocate filter tables. This is the best we can do, since
+gdk_pixbuf_scale() is not taking a GError.
+https://bugzilla.gnome.org/show_bug.cgi?id=752297
+Upstream-Status: backport
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ gdk-pixbuf/pixops/pixops.c |   22 +++++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c
+index 29a1c14..ce51745 100644
+--- a/gdk-pixbuf/pixops/pixops.c
+++ b/gdk-pixbuf/pixops/pixops.c
+@@ -1272,7 +1272,16 @@ make_filter_table (PixopsFilter *filter)
+   int i_offset, j_offset;
+   int n_x = filter->x.n;
+   int n_y = filter->y.n;
+-  int *weights = g_new (int, SUBSAMPLE * SUBSAMPLE * n_x * n_y);
+  gsize n_weights;
+  int *weights;
+
+  n_weights = SUBSAMPLE * SUBSAMPLE * n_x * n_y;
+  if (n_weights / (SUBSAMPLE * SUBSAMPLE * n_x) != n_y)
+    return NULL; /* overflow, bail */
+
+  weights = g_try_new (int, n_weights);
+  if (!weights)
+    return NULL; /* overflow, bail */
+ 
+   for (i_offset=0; i_offset < SUBSAMPLE; i_offset++)
+     for (j_offset=0; j_offset < SUBSAMPLE; j_offset++)
+@@ -1347,8 +1356,11 @@ pixops_process (guchar         *dest_buf,
+   if (x_step == 0 || y_step == 0)
+     return; /* overflow, bail out */
+ 
+-  line_bufs = g_new (guchar *, filter->y.n);
+   filter_weights = make_filter_table (filter);
+  if (!filter_weights)
+    return; /* overflow, bail out */
+
+  line_bufs = g_new (guchar *, filter->y.n);
+ 
+   check_shift = check_size ? get_check_shift (check_size) : 0;
+ 
+@@ -1468,7 +1480,7 @@ tile_make_weights (PixopsFilterDimension *dim,
+                   double                 scale)
+ {
+   int n = ceil (1 / scale + 1);
+-  double *pixel_weights = g_new (double, SUBSAMPLE * n);
+  double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
+   int offset;
+   int i;
+ 
+@@ -1526,7 +1538,7 @@ bilinear_magnify_make_weights (PixopsFilterDimension *dim,
+     }
+ 
+   dim->n = n;
+-  dim->weights = g_new (double, SUBSAMPLE * n);
+  dim->weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
+ 
+   pixel_weights = dim->weights;
+ 
+@@ -1617,7 +1629,7 @@ bilinear_box_make_weights (PixopsFilterDimension *dim,
+                           double                 scale)
+ {
+   int n = ceil (1/scale + 3.0);
+-  double *pixel_weights = g_new (double, SUBSAMPLE * n);
+  double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
+   double w;
+   int offset, i;
+ 
+-- 
+1.7.9.5
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.30.8.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.30.8.bb
index a63d4546f6..07c2dcec16 100644
--- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.30.8.bb
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.30.8.bb
@@ -18,6 +18,7 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \
           file://extending-libinstall-dependencies.patch \
           file://run-ptest \
           file://fatal-loader.patch \
+           file://0001-pixops-Be-more-careful-about-integer-overflow.patch \
           "
 SRC_URI[md5sum] = "4fed0d54432f1b69fc6e66e608bd5542"
author	Li Zhou <li.zhou@windriver.com>	2015-08-18 11:45:41 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-09-01 21:19:45 +0100
commit	0b1ea952adc45edc145ef687f9da62e350b8fd8b (patch)
tree	fbcb97d93a461a8d7fd3f4c8cfb086a469707615 /meta
parent	541876e3e53707bb245a5a6f6f40747d27364da6 (diff)
download	poky-0b1ea952adc45edc145ef687f9da62e350b8fd8b.tar.gz

diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/0001-pixops-Be-more-careful-about-integer-overflow.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/0001-pixops-Be-more-careful-about-integer-overflow.patch new file mode 100644 index 0000000000..fe7c1d5017 --- /dev/null +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/0001-pixops-Be-more-careful-about-integer-overflow.patch
@@ -0,0 +1,89 @@
		1	From ffec86ed5010c5a2be14f47b33bcf4ed3169a199 Mon Sep 17 00:00:00 2001
		2	From: Matthias Clasen <mclasen@redhat.com>
		3	Date: Mon, 13 Jul 2015 00:33:40 -0400
		4	Subject: [PATCH] pixops: Be more careful about integer overflow
		5
		6	Our loader code is supposed to handle out-of-memory and overflow
		7	situations gracefully, reporting errors instead of aborting. But
		8	if you load an image at a specific size, we also execute our
		9	scaling code, which was not careful enough about overflow in some
		10	places.
		11
		12	This commit makes the scaling code silently return if it fails to
		13	allocate filter tables. This is the best we can do, since
		14	gdk_pixbuf_scale() is not taking a GError.
		15
		16	https://bugzilla.gnome.org/show_bug.cgi?id=752297
		17
		18	Upstream-Status: backport
		19
		20	Signed-off-by: Li Zhou <li.zhou@windriver.com>
		21	---
		22	gdk-pixbuf/pixops/pixops.c \| 22 +++++++++++++++++-----
		23	1 file changed, 17 insertions(+), 5 deletions(-)
		24
		25	diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c
		26	index 29a1c14..ce51745 100644
		27	--- a/gdk-pixbuf/pixops/pixops.c
		28	+++ b/gdk-pixbuf/pixops/pixops.c
		29	@@ -1272,7 +1272,16 @@ make_filter_table (PixopsFilter *filter)
		30	int i_offset, j_offset;
		31	int n_x = filter->x.n;
		32	int n_y = filter->y.n;
		33	- int weights = g_new (int, SUBSAMPLE SUBSAMPLE * n_x * n_y);
		34	+ gsize n_weights;
		35	+ int *weights;
		36	+
		37	+ n_weights = SUBSAMPLE * SUBSAMPLE * n_x * n_y;
		38	+ if (n_weights / (SUBSAMPLE * SUBSAMPLE * n_x) != n_y)
		39	+ return NULL; /* overflow, bail */
		40	+
		41	+ weights = g_try_new (int, n_weights);
		42	+ if (!weights)
		43	+ return NULL; /* overflow, bail */
		44
		45	for (i_offset=0; i_offset < SUBSAMPLE; i_offset++)
		46	for (j_offset=0; j_offset < SUBSAMPLE; j_offset++)
		47	@@ -1347,8 +1356,11 @@ pixops_process (guchar *dest_buf,
		48	if (x_step == 0 \|\| y_step == 0)
		49	return; /* overflow, bail out */
		50
		51	- line_bufs = g_new (guchar *, filter->y.n);
		52	filter_weights = make_filter_table (filter);
		53	+ if (!filter_weights)
		54	+ return; /* overflow, bail out */
		55	+
		56	+ line_bufs = g_new (guchar *, filter->y.n);
		57
		58	check_shift = check_size ? get_check_shift (check_size) : 0;
		59
		60	@@ -1468,7 +1480,7 @@ tile_make_weights (PixopsFilterDimension *dim,
		61	double scale)
		62	{
		63	int n = ceil (1 / scale + 1);
		64	- double pixel_weights = g_new (double, SUBSAMPLE n);
		65	+ double pixel_weights = g_malloc_n (sizeof (double) SUBSAMPLE, n);
		66	int offset;
		67	int i;
		68
		69	@@ -1526,7 +1538,7 @@ bilinear_magnify_make_weights (PixopsFilterDimension *dim,
		70	}
		71
		72	dim->n = n;
		73	- dim->weights = g_new (double, SUBSAMPLE * n);
		74	+ dim->weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
		75
		76	pixel_weights = dim->weights;
		77
		78	@@ -1617,7 +1629,7 @@ bilinear_box_make_weights (PixopsFilterDimension *dim,
		79	double scale)
		80	{
		81	int n = ceil (1/scale + 3.0);
		82	- double pixel_weights = g_new (double, SUBSAMPLE n);
		83	+ double pixel_weights = g_malloc_n (sizeof (double) SUBSAMPLE, n);
		84	double w;
		85	int offset, i;
		86
		87	--
		88	1.7.9.5
		89


diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.30.8.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.30.8.bb index a63d4546f6..07c2dcec16 100644 --- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.30.8.bb +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.30.8.bb
@@ -18,6 +18,7 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \
18	file://extending-libinstall-dependencies.patch \	18	file://extending-libinstall-dependencies.patch \
19	file://run-ptest \	19	file://run-ptest \
20	file://fatal-loader.patch \	20	file://fatal-loader.patch \
		21	file://0001-pixops-Be-more-careful-about-integer-overflow.patch \
21	"	22	"
22		23
23	SRC_URI[md5sum] = "4fed0d54432f1b69fc6e66e608bd5542"	24	SRC_URI[md5sum] = "4fed0d54432f1b69fc6e66e608bd5542"