head 1.4; access; symbols pkgsrc-2013Q2:1.4.0.12 pkgsrc-2013Q2-base:1.4 pkgsrc-2012Q4:1.4.0.10 pkgsrc-2012Q4-base:1.4 pkgsrc-2011Q4:1.4.0.8 pkgsrc-2011Q4-base:1.4 pkgsrc-2011Q2:1.4.0.6 pkgsrc-2011Q2-base:1.4 pkgsrc-2009Q4:1.4.0.4 pkgsrc-2009Q4-base:1.4 pkgsrc-2008Q4:1.4.0.2 pkgsrc-2008Q4-base:1.4 pkgsrc-2008Q3:1.3.0.8 pkgsrc-2008Q3-base:1.3 cube-native-xorg:1.3.0.6 cube-native-xorg-base:1.3 pkgsrc-2008Q2:1.3.0.4 pkgsrc-2008Q2-base:1.3 cwrapper:1.3.0.2 pkgsrc-2008Q1:1.2.0.6 pkgsrc-2008Q1-base:1.2 pkgsrc-2007Q4:1.2.0.4 pkgsrc-2007Q4-base:1.2 pkgsrc-2007Q3:1.2.0.2 pkgsrc-2007Q3-base:1.2 pkgsrc-2007Q2:1.1.0.8 pkgsrc-2007Q2-base:1.1 pkgsrc-2007Q1:1.1.0.6 pkgsrc-2007Q1-base:1.1 pkgsrc-2006Q4:1.1.0.4 pkgsrc-2006Q4-base:1.1 pkgsrc-2006Q3:1.1.0.2; locks; strict; comment @# @; 1.4 date 2008.10.30.11.26.26; author tron; state dead; branches; next 1.3; 1.3 date 2008.06.02.10.05.50; author drochner; state Exp; branches 1.3.8.1; next 1.2; 1.2 date 2007.09.18.19.18.12; author drochner; state dead; branches 1.2.6.1; next 1.1; 1.1 date 2006.11.24.12.46.12; author drochner; state Exp; branches 1.1.2.1; next ; 1.3.8.1 date 2008.10.31.12.00.46; author rtr; state dead; branches; next ; 1.2.6.1 date 2008.06.03.11.21.04; author ghen; state Exp; branches; next ; 1.1.2.1 date 2006.11.24.12.46.12; author ghen; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2006.11.29.17.16.35; author ghen; state Exp; branches; next ; desc @@ 1.4 log @Update "imlib" package to version 1.4.2. Changes since version 1.4.0: - Various bugfixes and security updates This update addresses SA32354. @ text @$NetBSD: patch-cf,v 1.3 2008/06/02 10:05:50 drochner Exp $ --- src/modules/loaders/loader_xpm.c.orig 2008-06-02 11:44:35.000000000 +0200 +++ src/modules/loaders/loader_xpm.c @@@@ -284,7 +284,7 @@@@ load(ImlibImage * im, ImlibProgressFunct if (line[k] != ' ') { s[0] = 0; - sscanf(&line[k], "%65535s", s); + sscanf(&line[k], "%255s", s); slen = strlen(s); k += slen; if (!strcmp(s, "c")) @ 1.3 log @add a patch from redhat bugzilla (#449073) to fix the xpm half of CVE-2008-2426, the pnm half was fixed in pkgsrc in 2006 bump PKGREVISION @ text @d1 1 a1 1 $NetBSD$ @ 1.3.8.1 log @pullup ticket #2562 - requested by tron imlib2: update package for security fix revisions pulled up: pkgsrc/graphics/imlib2/Makefile 1.47 pkgsrc/graphics/imlib2/distinfo 1.22 pkgsrc/graphics/imlib2/patches/patch-ca r0 pkgsrc/graphics/imlib2/patches/patch-ce r0 pkgsrc/graphics/imlib2/patches/patch-cf r0 Module Name: pkgsrc Committed By: tron Date: Thu Oct 30 11:26:26 UTC 2008 Modified Files: pkgsrc/graphics/imlib2: Makefile distinfo Removed Files: pkgsrc/graphics/imlib2/patches: patch-ca patch-ce patch-cf Log Message: Update "imlib" package to version 1.4.2. Changes since version 1.4.0: - Various bugfixes and security updates This update addresses SA32354. @ text @d1 1 a1 1 $NetBSD: patch-cf,v 1.3 2008/06/02 10:05:50 drochner Exp $ @ 1.2 log @update to 1.4.0 changes: security fixes, and a few crashes fixed @ text @d1 1 a1 1 $NetBSD: patch-cf,v 1.1 2006/11/24 12:46:12 drochner Exp $ d3 11 a13 78 --- src/modules/loaders/loader_tga.c.orig 2006-09-06 13:34:49.000000000 +0200 +++ src/modules/loaders/loader_tga.c @@@@ -319,6 +319,7 @@@@ load(ImlibImage * im, ImlibProgressFunct { unsigned long datasize; unsigned char *bufptr; + unsigned char *bufend; DATA32 *dataptr; int y; @@@@ -347,6 +348,9 @@@@ load(ImlibImage * im, ImlibProgressFunct /* bufptr is the next byte to be read from the buffer */ bufptr = filedata; + /* bufend is one past the last byte to be read from the buffer */ + bufend = filedata + datasize; + /* dataptr is the next 32-bit pixel to be filled in */ dataptr = im->data; @@@@ -364,7 +368,9 @@@@ load(ImlibImage * im, ImlibProgressFunct else dataptr = im->data + (y * im->w); - for (x = 0; x < im->w; x++) /* for each pixel in the row */ + for (x = 0; + x < im->w && bufptr+bpp/8 < bufend; + x++) /* for each pixel in the row */ { switch (bpp) { @@@@ -418,8 +424,8 @@@@ load(ImlibImage * im, ImlibProgressFunct unsigned char curbyte, red, green, blue, alpha; DATA32 *final_pixel = dataptr + im->w * im->h; - /* loop until we've got all the pixels */ - while (dataptr < final_pixel) + /* loop until we've got all the pixels or run out of input */ + while (dataptr < final_pixel && bufptr+1+bpp/8 < bufend) { int count; @@@@ -437,7 +443,7 @@@@ load(ImlibImage * im, ImlibProgressFunct green = *bufptr++; red = *bufptr++; alpha = *bufptr++; - for (i = 0; i < count; i++) + for (i = 0; i < count && dataptr < final_pixel; i++) { WRITE_RGBA(dataptr, red, green, blue, alpha); dataptr++; @@@@ -448,7 +454,7 @@@@ load(ImlibImage * im, ImlibProgressFunct blue = *bufptr++; green = *bufptr++; red = *bufptr++; - for (i = 0; i < count; i++) + for (i = 0; i < count && dataptr < final_pixel; i++) { WRITE_RGBA(dataptr, red, green, blue, (char)0xff); @@@@ -458,7 +464,7 @@@@ load(ImlibImage * im, ImlibProgressFunct case 8: alpha = *bufptr++; - for (i = 0; i < count; i++) + for (i = 0; i < count && dataptr < final_pixel; i++) { WRITE_RGBA(dataptr, alpha, alpha, alpha, (char)0xff); @@@@ -473,7 +479,7 @@@@ load(ImlibImage * im, ImlibProgressFunct { int i; - for (i = 0; i < count; i++) + for (i = 0; i < count && dataptr < final_pixel; i++) { switch (bpp) { @ 1.2.6.1 log @Pullup ticket 2411 - requested by drochner security fix for imlib2 - pkgsrc/graphics/imlib2/Makefile 1.46 - pkgsrc/graphics/imlib2/distinfo 1.21 - pkgsrc/graphics/imlib2/patches/patch-cf 1.3 Module Name: pkgsrc Committed By: drochner Date: Mon Jun 2 10:05:50 UTC 2008 Modified Files: pkgsrc/graphics/imlib2: Makefile distinfo Added Files: pkgsrc/graphics/imlib2/patches: patch-cf Log Message: add a patch from redhat bugzilla (#449073) to fix the xpm half of CVE-2008-2426, the pnm half was fixed in pkgsrc in 2006 bump PKGREVISION @ text @d1 1 a1 1 $NetBSD$ d3 78 a80 11 --- src/modules/loaders/loader_xpm.c.orig 2008-06-02 11:44:35.000000000 +0200 +++ src/modules/loaders/loader_xpm.c @@@@ -284,7 +284,7 @@@@ load(ImlibImage * im, ImlibProgressFunct if (line[k] != ' ') { s[0] = 0; - sscanf(&line[k], "%65535s", s); + sscanf(&line[k], "%255s", s); slen = strlen(s); k += slen; if (!strcmp(s, "c")) @ 1.1 log @fix some insufficient validation of graphics files, patches from Ubuntu (CVE-2006-4806, CVE-2006-4807, CVE-2006-4808, CVE-2006-4809) update to 1.3.0 (no changelog available) @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-cf was added on branch pkgsrc-2006Q3 on 2006-11-24 12:46:12 +0000 @ text @d1 80 @ 1.1.2.2 log @Pullup ticket 1926 - requested by drochner security update for imlib2 - pkgsrc/graphics/imlib2/Makefile 1.41 - pkgsrc/graphics/imlib2/PLIST 1.8 - pkgsrc/graphics/imlib2/distinfo 1.17 - pkgsrc/graphics/imlib2/patches/patch-aa removed - pkgsrc/graphics/imlib2/patches/patch-ba removed - pkgsrc/graphics/imlib2/patches/patch-bb removed - pkgsrc/graphics/imlib2/patches/patch-bc removed - pkgsrc/graphics/imlib2/patches/patch-bd removed - pkgsrc/graphics/imlib2/patches/patch-ca 1.1 - pkgsrc/graphics/imlib2/patches/patch-cb 1.1 - pkgsrc/graphics/imlib2/patches/patch-cc 1.1 - pkgsrc/graphics/imlib2/patches/patch-cd 1.1 - pkgsrc/graphics/imlib2/patches/patch-ce 1.1 - pkgsrc/graphics/imlib2/patches/patch-cf 1.1 - pkgsrc/graphics/imlib2/patches/patch-cg 1.1 Module Name: pkgsrc Committed By: drochner Date: Fri Nov 24 12:46:12 UTC 2006 Modified Files: pkgsrc/graphics/imlib2: Makefile PLIST distinfo Added Files: pkgsrc/graphics/imlib2/patches: patch-ca patch-cb patch-cc patch-cd patch-ce patch-cf patch-cg Removed Files: pkgsrc/graphics/imlib2/patches: patch-ba patch-bb patch-bc patch-bd Log Message: fix some insufficient validation of graphics files, patches from Ubuntu (CVE-2006-4806, CVE-2006-4807, CVE-2006-4808, CVE-2006-4809) update to 1.3.0 (no changelog available) --- Module Name: pkgsrc Committed By: drochner Date: Wed Nov 29 15:37:09 UTC 2006 Removed Files: pkgsrc/graphics/imlib2/patches: patch-aa Log Message: remove stale patchfile, pointed out by Kouichirou Hiratsuka @ text @a0 80 $NetBSD: patch-cf,v 1.1.2.1 2006/11/29 17:16:35 ghen Exp $ --- src/modules/loaders/loader_tga.c.orig 2006-09-06 13:34:49.000000000 +0200 +++ src/modules/loaders/loader_tga.c @@@@ -319,6 +319,7 @@@@ load(ImlibImage * im, ImlibProgressFunct { unsigned long datasize; unsigned char *bufptr; + unsigned char *bufend; DATA32 *dataptr; int y; @@@@ -347,6 +348,9 @@@@ load(ImlibImage * im, ImlibProgressFunct /* bufptr is the next byte to be read from the buffer */ bufptr = filedata; + /* bufend is one past the last byte to be read from the buffer */ + bufend = filedata + datasize; + /* dataptr is the next 32-bit pixel to be filled in */ dataptr = im->data; @@@@ -364,7 +368,9 @@@@ load(ImlibImage * im, ImlibProgressFunct else dataptr = im->data + (y * im->w); - for (x = 0; x < im->w; x++) /* for each pixel in the row */ + for (x = 0; + x < im->w && bufptr+bpp/8 < bufend; + x++) /* for each pixel in the row */ { switch (bpp) { @@@@ -418,8 +424,8 @@@@ load(ImlibImage * im, ImlibProgressFunct unsigned char curbyte, red, green, blue, alpha; DATA32 *final_pixel = dataptr + im->w * im->h; - /* loop until we've got all the pixels */ - while (dataptr < final_pixel) + /* loop until we've got all the pixels or run out of input */ + while (dataptr < final_pixel && bufptr+1+bpp/8 < bufend) { int count; @@@@ -437,7 +443,7 @@@@ load(ImlibImage * im, ImlibProgressFunct green = *bufptr++; red = *bufptr++; alpha = *bufptr++; - for (i = 0; i < count; i++) + for (i = 0; i < count && dataptr < final_pixel; i++) { WRITE_RGBA(dataptr, red, green, blue, alpha); dataptr++; @@@@ -448,7 +454,7 @@@@ load(ImlibImage * im, ImlibProgressFunct blue = *bufptr++; green = *bufptr++; red = *bufptr++; - for (i = 0; i < count; i++) + for (i = 0; i < count && dataptr < final_pixel; i++) { WRITE_RGBA(dataptr, red, green, blue, (char)0xff); @@@@ -458,7 +464,7 @@@@ load(ImlibImage * im, ImlibProgressFunct case 8: alpha = *bufptr++; - for (i = 0; i < count; i++) + for (i = 0; i < count && dataptr < final_pixel; i++) { WRITE_RGBA(dataptr, alpha, alpha, alpha, (char)0xff); @@@@ -473,7 +479,7 @@@@ load(ImlibImage * im, ImlibProgressFunct { int i; - for (i = 0; i < count; i++) + for (i = 0; i < count && dataptr < final_pixel; i++) { switch (bpp) { @