head 1.2; access; symbols pkgsrc-2019Q2:1.1.0.118 pkgsrc-2019Q2-base:1.1 pkgsrc-2019Q1:1.1.0.116 pkgsrc-2019Q1-base:1.1 pkgsrc-2018Q4:1.1.0.114 pkgsrc-2018Q4-base:1.1 pkgsrc-2018Q3:1.1.0.112 pkgsrc-2018Q3-base:1.1 pkgsrc-2018Q2:1.1.0.110 pkgsrc-2018Q2-base:1.1 pkgsrc-2018Q1:1.1.0.108 pkgsrc-2018Q1-base:1.1 pkgsrc-2017Q4:1.1.0.106 pkgsrc-2017Q4-base:1.1 pkgsrc-2017Q3:1.1.0.104 pkgsrc-2017Q3-base:1.1 pkgsrc-2017Q2:1.1.0.100 pkgsrc-2017Q2-base:1.1 pkgsrc-2017Q1:1.1.0.98 pkgsrc-2017Q1-base:1.1 pkgsrc-2016Q4:1.1.0.96 pkgsrc-2016Q4-base:1.1 pkgsrc-2016Q3:1.1.0.94 pkgsrc-2016Q3-base:1.1 pkgsrc-2016Q2:1.1.0.92 pkgsrc-2016Q2-base:1.1 pkgsrc-2016Q1:1.1.0.90 pkgsrc-2016Q1-base:1.1 pkgsrc-2015Q4:1.1.0.88 pkgsrc-2015Q4-base:1.1 pkgsrc-2015Q3:1.1.0.86 pkgsrc-2015Q3-base:1.1 pkgsrc-2015Q2:1.1.0.84 pkgsrc-2015Q2-base:1.1 pkgsrc-2015Q1:1.1.0.82 pkgsrc-2015Q1-base:1.1 pkgsrc-2014Q4:1.1.0.80 pkgsrc-2014Q4-base:1.1 pkgsrc-2014Q3:1.1.0.78 pkgsrc-2014Q3-base:1.1 pkgsrc-2014Q2:1.1.0.76 pkgsrc-2014Q2-base:1.1 pkgsrc-2014Q1:1.1.0.74 pkgsrc-2014Q1-base:1.1 pkgsrc-2013Q4:1.1.0.72 pkgsrc-2013Q4-base:1.1 pkgsrc-2013Q3:1.1.0.70 pkgsrc-2013Q3-base:1.1 pkgsrc-2013Q2:1.1.0.68 pkgsrc-2013Q2-base:1.1 pkgsrc-2013Q1:1.1.0.66 pkgsrc-2013Q1-base:1.1 pkgsrc-2012Q4:1.1.0.64 pkgsrc-2012Q4-base:1.1 pkgsrc-2012Q3:1.1.0.62 pkgsrc-2012Q3-base:1.1 pkgsrc-2012Q2:1.1.0.60 pkgsrc-2012Q2-base:1.1 pkgsrc-2012Q1:1.1.0.58 pkgsrc-2012Q1-base:1.1 pkgsrc-2011Q4:1.1.0.56 pkgsrc-2011Q4-base:1.1 pkgsrc-2011Q3:1.1.0.54 pkgsrc-2011Q3-base:1.1 pkgsrc-2011Q2:1.1.0.52 pkgsrc-2011Q2-base:1.1 pkgsrc-2011Q1:1.1.0.50 pkgsrc-2011Q1-base:1.1 pkgsrc-2010Q4:1.1.0.48 pkgsrc-2010Q4-base:1.1 pkgsrc-2010Q3:1.1.0.46 pkgsrc-2010Q3-base:1.1 pkgsrc-2010Q2:1.1.0.44 pkgsrc-2010Q2-base:1.1 pkgsrc-2010Q1:1.1.0.42 pkgsrc-2010Q1-base:1.1 pkgsrc-2009Q4:1.1.0.40 pkgsrc-2009Q4-base:1.1 pkgsrc-2009Q3:1.1.0.38 pkgsrc-2009Q3-base:1.1 pkgsrc-2009Q2:1.1.0.36 pkgsrc-2009Q2-base:1.1 pkgsrc-2009Q1:1.1.0.34 pkgsrc-2009Q1-base:1.1 pkgsrc-2008Q4:1.1.0.32 
pkgsrc-2008Q4-base:1.1 pkgsrc-2008Q3:1.1.0.30 pkgsrc-2008Q3-base:1.1 cube-native-xorg:1.1.0.28 cube-native-xorg-base:1.1 pkgsrc-2008Q2:1.1.0.26 pkgsrc-2008Q2-base:1.1 cwrapper:1.1.0.24 pkgsrc-2008Q1:1.1.0.22 pkgsrc-2008Q1-base:1.1 pkgsrc-2007Q4:1.1.0.20 pkgsrc-2007Q4-base:1.1 pkgsrc-2007Q3:1.1.0.18 pkgsrc-2007Q3-base:1.1 pkgsrc-2007Q2:1.1.0.16 pkgsrc-2007Q2-base:1.1 pkgsrc-2007Q1:1.1.0.14 pkgsrc-2007Q1-base:1.1 pkgsrc-2006Q4:1.1.0.12 pkgsrc-2006Q4-base:1.1 pkgsrc-2006Q3:1.1.0.10 pkgsrc-2006Q3-base:1.1 pkgsrc-2006Q2:1.1.0.8 pkgsrc-2006Q2-base:1.1 pkgsrc-2006Q1:1.1.0.6 pkgsrc-2006Q1-base:1.1 pkgsrc-2005Q4:1.1.0.4 pkgsrc-2005Q4-base:1.1 pkgsrc-2005Q3:1.1.0.2; locks; strict; comment @# @; 1.2 date 2019.07.21.10.34.52; author wiz; state dead; branches; next 1.1; commitid 714SadchRqVILTvB; 1.1 date 2005.11.26.09.40.49; author salo; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2005.11.26.09.40.49; author snj; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2005.11.27.21.14.26; author snj; state Exp; branches; next ; desc @@ 1.2 log @gdk-pixbuf: remove The software hasn't been updated since 2002 and is probably full of security problems. Two packages were using it. (gpsdrive has a newer version in wip.) @ text @$NetBSD: patch-am,v 1.1 2005/11/26 09:40:49 salo Exp $ Security fixes for CVE-2005-2975, CVE-2005-2976 and CVE-2005-3186. --- gdk-pixbuf/io-xpm.c.orig 2001-03-01 21:16:28.000000000 +0100 +++ gdk-pixbuf/io-xpm.c 2005-11-26 10:22:24.000000000 +0100 @@@@ -243,8 +243,8 @@@@ xpm_extract_color (const gchar *buffer) break; else { if (numnames > 0) { - space -= 1; - strcat (color, " "); + strncat (color, " ", space); + space -= MIN (space, 1); } strncat (color, temp, space); @@@@ -281,7 +281,8 @@@@ file_buffer (enum buf_op op, gpointer ha /* Fall through to the xpm_read_string. 
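Review bot: In xpm_extract_color, `strncat (color, " ", space)` and `strncat (color, temp, space)` stay in bounds only if `space` counts the bytes left in `color` excluding the terminator, because strncat writes a NUL in addition to the `n` characters it appends. The declaration of `color` and the initial value of `space` are outside this hunk, so this cannot be confirmed here; if `space` starts at the full array size, the last append can still write one byte past the end. I would document the invariant where `space` is initialised, e.g. `/* space = sizeof (color) - 1 - strlen (color); strncat adds the NUL itself */`. The same lines recur in the 1.1.2.2 copy of this patch further down.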
*/ case op_body: - xpm_read_string (h->infile, &h->buffer, &h->buffer_size); + if(!xpm_read_string (h->infile, &h->buffer, &h->buffer_size)) + return NULL; return h->buffer; default: @@@@ -317,13 +318,6 @@@@ mem_buffer (enum buf_op op, gpointer han return NULL; } -/* Destroy notification function for the pixbuf */ -static void -free_buffer (guchar *pixels, gpointer data) -{ - free (pixels); -} - static gboolean xpm_color_parse (const char *spec, XColor *color) { @@@@ -342,7 +336,8 @@@@ pixbuf_create_from_xpm (const gchar * (* gchar pixel_str[32]; GHashTable *color_hash; _XPMColor *colors, *color, *fallbackcolor; - guchar *pixels, *pixtmp; + guchar *pixtmp; + GdkPixbuf* pixbuf; fallbackcolor = NULL; @@@@ -352,17 +347,31 @@@@ pixbuf_create_from_xpm (const gchar * (* return NULL; } sscanf (buffer, "%d %d %d %d", &w, &h, &n_col, &cpp); - if (cpp >= 32) { + if (cpp <= 0 || cpp >= 32) { g_warning ("XPM has more than 31 chars per pixel."); return NULL; } + if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1) || + n_col >= G_MAXINT / sizeof (_XPMColor)) { + g_warning ("XPM file has invalid number of colors."); + return NULL; + } /* The hash is used for fast lookups of color from chars */ color_hash = g_hash_table_new (g_str_hash, g_str_equal); name_buf = g_new (gchar, n_col * (cpp + 1)); - colors = g_new (_XPMColor, n_col); - + if (!name_buf) { + g_warning ("Cannot allocate memory for loading XPM image."); + g_hash_table_destroy (color_hash); + return NULL; + } + colors = (_XPMColor *) g_malloc (sizeof (_XPMColor) * n_col); + if (!colors) { + g_warning ("Cannot allocate memory for loading XPM image."); + g_hash_table_destroy (color_hash); + return NULL; + } for (cnt = 0; cnt < n_col; cnt++) { gchar *color_name; @@@@ -397,12 +406,8 @@@@ pixbuf_create_from_xpm (const gchar * (* fallbackcolor = color; } - if (is_trans) - pixels = malloc (w * h * 4); - else - pixels = malloc (w * h * 3); - - if (!pixels) { + pixbuf = gdk_pixbuf_new(GDK_COLORSPACE_RGB, is_trans, 8, w, h); + if 
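Review bot: The result of `sscanf (buffer, "%d %d %d %d", &w, &h, &n_col, &cpp)` is discarded in pixbuf_create_from_xpm, so on a malformed header the new `cpp` and `n_col` range checks can run on values that were never parsed. Testing the call with `!= 4` and returning NULL before the checks would close that gap. In the added `if (!colors)` branch `name_buf` is not released, so `g_free (name_buf);` belongs before its `return NULL`. Both new NULL checks are probably unreachable anyway, since g_new and g_malloc terminate the process on allocation failure instead of returning NULL; an in-range but very large `n_col` would then still end the process, so a tighter cap on `n_col` is worth considering. The same lines recur in the 1.1.2.2 copy of this patch.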
(!pixbuf) { g_hash_table_destroy (color_hash); g_free (colors); g_free (name_buf); @@@@ -410,7 +415,7 @@@@ pixbuf_create_from_xpm (const gchar * (* } wbytes = w * cpp; - pixtmp = pixels; + pixtmp = pixbuf->pixels; for (ycnt = 0; ycnt < h; ycnt++) { buffer = (*get_buf) (op_body, handle); @@@@ -443,9 +448,7 @@@@ pixbuf_create_from_xpm (const gchar * (* g_free (colors); g_free (name_buf); - return gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, is_trans, 8, - w, h, is_trans ? (w * 4) : (w * 3), - free_buffer, NULL); + return pixbuf; } /* Shared library entry point for file loading */ @ 1.1 log @Security fixes for CVE-2005-2975, CVE-2005-2976 and CVE-2005-3186: "io-xpm.c in the gdk-pixbuf XPM image rendering library allows attackers to cause a denial of service (infinite loop) via a crafted XPM image with a large number of colors." "Integer overflow in io-xpm.c in gdk-pixbuf allows attackers to cause a denial of service (crash) or execute arbitrary code via an XPM file with large height, width, and colour values, a different vulnerability than CVE-2005-3186." "Integer overflow in the gdk-pixbuf XPM image rendering library allows attackers to execute arbitrary code via an XPM file with a number of colors that causes insufficient memory to be allocated, which leads to a heap-based buffer overflow." 
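Review bot: `w` and `h` reach `gdk_pixbuf_new(GDK_COLORSPACE_RGB, is_trans, 8, w, h)` with no range check in the visible code; the header checks this patch adds cover only `cpp` and `n_col`. Rejecting non-positive or overflowing dimensions is therefore left entirely to gdk_pixbuf_new, whose body is not shown here. An explicit guard next to the other header checks, `if (w <= 0 || h <= 0) { g_warning ("XPM file has invalid dimensions."); return NULL; }`, would make the loader's safety independent of the allocator. The code between the header checks and this hunk is not visible, so a check may already exist there.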
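Review bot: `pixtmp = pixbuf->pixels` keeps the old assumption that rows are packed at `w * 3` or `w * 4` bytes, but a buffer allocated by gdk_pixbuf_new carries its own row stride, which may include padding. The loop body is outside this hunk; if it advances `pixtmp` contiguously, each row should instead be positioned explicitly with `pixtmp = pixbuf->pixels + ycnt * gdk_pixbuf_get_rowstride (pixbuf);` at the top of the `for (ycnt ...)` loop, which also keeps later rows aligned when a short input row is skipped. `wbytes = w * cpp` is computed in `int` with no visible upper bound on `w`, so a limit such as `w < G_MAXINT / cpp` before this line is worth adding. The same lines recur in the 1.1.2.2 copy of this patch.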
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2975 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2976 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3186 @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-am was added on branch pkgsrc-2005Q3 on 2005-11-26 09:40:49 +0000 @ text @d1 121 @ 1.1.2.2 log @Pullup ticket 925 - requested by Lubomir Sedlacik security fix for gdk-pixbuf Revisions pulled up: - pkgsrc/graphics/gdk-pixbuf/Makefile 1.32 - pkgsrc/graphics/gdk-pixbuf/distinfo 1.19 - pkgsrc/graphics/gdk-pixbuf/patches/patch-am 1.1 Module Name: pkgsrc Committed By: salo Date: Sat Nov 26 09:40:50 UTC 2005 Modified Files: pkgsrc/graphics/gdk-pixbuf: Makefile distinfo Added Files: pkgsrc/graphics/gdk-pixbuf/patches: patch-am Log Message: Security fixes for CVE-2005-2975, CVE-2005-2976 and CVE-2005-3186: "io-xpm.c in the gdk-pixbuf XPM image rendering library allows attackers to cause a denial of service (infinite loop) via a crafted XPM image with a large number of colors." "Integer overflow in io-xpm.c in gdk-pixbuf allows attackers to cause a denial of service (crash) or execute arbitrary code via an XPM file with large height, width, and colour values, a different vulnerability than CVE-2005-3186." "Integer overflow in the gdk-pixbuf XPM image rendering library allows attackers to execute arbitrary code via an XPM file with a number of colors that causes insufficient memory to be allocated, which leads to a heap-based buffer overflow." http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2975 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2976 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3186 @ text @a0 121 $NetBSD: patch-am,v 1.1.2.1 2005/11/27 21:14:26 snj Exp $ Security fixes for CVE-2005-2975, CVE-2005-2976 and CVE-2005-3186. 
--- gdk-pixbuf/io-xpm.c.orig 2001-03-01 21:16:28.000000000 +0100 +++ gdk-pixbuf/io-xpm.c 2005-11-26 10:22:24.000000000 +0100 @@@@ -243,8 +243,8 @@@@ xpm_extract_color (const gchar *buffer) break; else { if (numnames > 0) { - space -= 1; - strcat (color, " "); + strncat (color, " ", space); + space -= MIN (space, 1); } strncat (color, temp, space); @@@@ -281,7 +281,8 @@@@ file_buffer (enum buf_op op, gpointer ha /* Fall through to the xpm_read_string. */ case op_body: - xpm_read_string (h->infile, &h->buffer, &h->buffer_size); + if(!xpm_read_string (h->infile, &h->buffer, &h->buffer_size)) + return NULL; return h->buffer; default: @@@@ -317,13 +318,6 @@@@ mem_buffer (enum buf_op op, gpointer han return NULL; } -/* Destroy notification function for the pixbuf */ -static void -free_buffer (guchar *pixels, gpointer data) -{ - free (pixels); -} - static gboolean xpm_color_parse (const char *spec, XColor *color) { @@@@ -342,7 +336,8 @@@@ pixbuf_create_from_xpm (const gchar * (* gchar pixel_str[32]; GHashTable *color_hash; _XPMColor *colors, *color, *fallbackcolor; - guchar *pixels, *pixtmp; + guchar *pixtmp; + GdkPixbuf* pixbuf; fallbackcolor = NULL; @@@@ -352,17 +347,31 @@@@ pixbuf_create_from_xpm (const gchar * (* return NULL; } sscanf (buffer, "%d %d %d %d", &w, &h, &n_col, &cpp); - if (cpp >= 32) { + if (cpp <= 0 || cpp >= 32) { g_warning ("XPM has more than 31 chars per pixel."); return NULL; } + if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1) || + n_col >= G_MAXINT / sizeof (_XPMColor)) { + g_warning ("XPM file has invalid number of colors."); + return NULL; + } /* The hash is used for fast lookups of color from chars */ color_hash = g_hash_table_new (g_str_hash, g_str_equal); name_buf = g_new (gchar, n_col * (cpp + 1)); - colors = g_new (_XPMColor, n_col); - + if (!name_buf) { + g_warning ("Cannot allocate memory for loading XPM image."); + g_hash_table_destroy (color_hash); + return NULL; + } + colors = (_XPMColor *) g_malloc (sizeof (_XPMColor) * n_col); + if 
(!colors) { + g_warning ("Cannot allocate memory for loading XPM image."); + g_hash_table_destroy (color_hash); + return NULL; + } for (cnt = 0; cnt < n_col; cnt++) { gchar *color_name; @@@@ -397,12 +406,8 @@@@ pixbuf_create_from_xpm (const gchar * (* fallbackcolor = color; } - if (is_trans) - pixels = malloc (w * h * 4); - else - pixels = malloc (w * h * 3); - - if (!pixels) { + pixbuf = gdk_pixbuf_new(GDK_COLORSPACE_RGB, is_trans, 8, w, h); + if (!pixbuf) { g_hash_table_destroy (color_hash); g_free (colors); g_free (name_buf); @@@@ -410,7 +415,7 @@@@ pixbuf_create_from_xpm (const gchar * (* } wbytes = w * cpp; - pixtmp = pixels; + pixtmp = pixbuf->pixels; for (ycnt = 0; ycnt < h; ycnt++) { buffer = (*get_buf) (op_body, handle); @@@@ -443,9 +448,7 @@@@ pixbuf_create_from_xpm (const gchar * (* g_free (colors); g_free (name_buf); - return gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, is_trans, 8, - w, h, is_trans ? (w * 4) : (w * 3), - free_buffer, NULL); + return pixbuf; } /* Shared library entry point for file loading */ @