From 992a4cfd10e70d388bf8329f17624376b6120b17 Mon Sep 17 00:00:00 2001 From: Hitendra Prajapati Date: Tue, 9 Aug 2022 09:40:00 +0530 Subject: Revert "gdk-pixbuf: CVE-2021-46829 a heap-based buffer overflow" CVE will be fixed in subsequent stable release update This reverts commit 978bc910ac326e34ec4f99c4645a80ed09c65407. Signed-off-by: Richard Purdie --- .../gdk-pixbuf/gdk-pixbuf/CVE-2021-46829.patch | 61 ---------------------- meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.6.bb | 1 - 2 files changed, 62 deletions(-) delete mode 100644 meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-46829.patch (limited to 'meta/recipes-gnome') diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-46829.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-46829.patch deleted file mode 100644 index 82ceae6348..0000000000 --- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-46829.patch +++ /dev/null @@ -1,61 +0,0 @@ -From dc296a24862c2bcfbfbd642abbb4826ec282f0a1 Mon Sep 17 00:00:00 2001 -From: Hitendra Prajapati -Date: Mon, 8 Aug 2022 17:28:21 +0530 -Subject: [PATCH] CVE-2021-46829 - -Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/5398f04d772f7f8baf5265715696ed88db0f0512] -CVE: CVE-2021-46829 -Signed-off-by: Hitendra Prajapati ---- - gdk-pixbuf/io-gif-animation.c | 21 +++++++++++++-------- - 1 file changed, 13 insertions(+), 8 deletions(-) - -diff --git a/gdk-pixbuf/io-gif-animation.c b/gdk-pixbuf/io-gif-animation.c -index 8335cdd..71d9265 100644 ---- a/gdk-pixbuf/io-gif-animation.c -+++ b/gdk-pixbuf/io-gif-animation.c -@@ -369,7 +369,7 @@ composite_frame (GdkPixbufGifAnim *anim, GdkPixbufFrame *frame) - for (i = 0; i < n_indexes; i++) { - guint8 index = index_buffer[i]; - guint x, y; -- int offset; -+ gsize offset; - - if (index == frame->transparent_index) - continue; -@@ -379,11 +379,13 @@ composite_frame (GdkPixbufGifAnim *anim, GdkPixbufFrame *frame) - if (x >= anim->width || y >= anim->height) - continue; - -- offset = y * gdk_pixbuf_get_rowstride (anim->last_frame_data) + x * 4; -- pixels[offset + 0] = frame->color_map[index * 3 + 0]; -- pixels[offset + 1] = frame->color_map[index * 3 + 1]; -- pixels[offset + 2] = frame->color_map[index * 3 + 2]; -- pixels[offset + 3] = 255; -+ if (g_size_checked_mul (&offset, gdk_pixbuf_get_rowstride (anim->last_frame_data), y) && -+ g_size_checked_add (&offset, offset, x * 4)) { -+ pixels[offset + 0] = frame->color_map[index * 3 + 0]; -+ pixels[offset + 1] = frame->color_map[index * 3 + 1]; -+ pixels[offset + 2] = frame->color_map[index * 3 + 2]; -+ pixels[offset + 3] = 255; -+ } - } - - out: -@@ -448,8 +450,11 @@ gdk_pixbuf_gif_anim_iter_get_pixbuf (GdkPixbufAnimationIter *anim_iter) - x_end = MIN (anim->last_frame->x_offset + anim->last_frame->width, anim->width); - y_end = MIN (anim->last_frame->y_offset + anim->last_frame->height, anim->height); - for (y = anim->last_frame->y_offset; y < y_end; y++) { -- guchar *line = pixels + y * gdk_pixbuf_get_rowstride (anim->last_frame_data) + anim->last_frame->x_offset * 4; -- memset (line, 0, (x_end - anim->last_frame->x_offset) * 4); -+ gsize offset; -+ if (g_size_checked_mul (&offset, gdk_pixbuf_get_rowstride (anim->last_frame_data), y) && -+ g_size_checked_add (&offset, offset, anim->last_frame->x_offset * 4)) { -+ memset (pixels + offset, 0, (x_end - anim->last_frame->x_offset) * 4); -+ } - } - break; - case GDK_PIXBUF_FRAME_REVERT: --- -2.25.1 - diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.6.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.6.bb index b5ff29b5e3..55c16e4d66 100644 --- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.6.bb +++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.42.6.bb @@ -21,7 +21,6 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \ file://run-ptest \ file://fatal-loader.patch \ file://0001-Add-use_prebuilt_tools-option.patch \ - file://CVE-2021-46829.patch \ " SRC_URI[sha256sum] = "c4a6b75b7ed8f58ca48da830b9fa00ed96d668d3ab4b1f723dcf902f78bde77f" -- cgit v1.2.3-54-g00ecf