head 1.2; access; symbols pkgsrc-2015Q3:1.1.0.48 pkgsrc-2015Q3-base:1.1 pkgsrc-2015Q2:1.1.0.46 pkgsrc-2015Q2-base:1.1 pkgsrc-2015Q1:1.1.0.44 pkgsrc-2015Q1-base:1.1 pkgsrc-2014Q4:1.1.0.42 pkgsrc-2014Q4-base:1.1 pkgsrc-2014Q3:1.1.0.40 pkgsrc-2014Q3-base:1.1 pkgsrc-2014Q2:1.1.0.38 pkgsrc-2014Q2-base:1.1 pkgsrc-2014Q1:1.1.0.36 pkgsrc-2014Q1-base:1.1 pkgsrc-2013Q4:1.1.0.34 pkgsrc-2013Q4-base:1.1 pkgsrc-2013Q3:1.1.0.32 pkgsrc-2013Q3-base:1.1 pkgsrc-2013Q2:1.1.0.30 pkgsrc-2013Q2-base:1.1 pkgsrc-2013Q1:1.1.0.28 pkgsrc-2013Q1-base:1.1 pkgsrc-2012Q4:1.1.0.26 pkgsrc-2012Q4-base:1.1 pkgsrc-2012Q3:1.1.0.24 pkgsrc-2012Q3-base:1.1 pkgsrc-2012Q2:1.1.0.22 pkgsrc-2012Q2-base:1.1 pkgsrc-2012Q1:1.1.0.20 pkgsrc-2012Q1-base:1.1 pkgsrc-2011Q4:1.1.0.18 pkgsrc-2011Q4-base:1.1 pkgsrc-2011Q3:1.1.0.16 pkgsrc-2011Q3-base:1.1 pkgsrc-2011Q2:1.1.0.14 pkgsrc-2011Q2-base:1.1 pkgsrc-2011Q1:1.1.0.12 pkgsrc-2011Q1-base:1.1 pkgsrc-2010Q4:1.1.0.10 pkgsrc-2010Q4-base:1.1 pkgsrc-2010Q3:1.1.0.8 pkgsrc-2010Q3-base:1.1 pkgsrc-2010Q2:1.1.0.6 pkgsrc-2010Q2-base:1.1 pkgsrc-2010Q1:1.1.0.4 pkgsrc-2010Q1-base:1.1 pkgsrc-2009Q4:1.1.0.2; locks; strict; comment @# @; 1.2 date 2015.10.24.19.24.10; author joerg; state dead; branches; next 1.1; commitid oRJnQ9Y05Xi5CoGy; 1.1 date 2010.02.16.17.35.34; author taca; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2010.02.16.17.35.34; author spz; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2010.02.28.13.34.22; author spz; state Exp; branches; next ; desc @@ 1.2 log @Retire wxGTK26. @ text @$NetBSD: patch-ag,v 1.1 2010/02/16 17:35:34 taca Exp $ deal with CVE-2009-2369. --- src/common/imagtiff.cpp.orig 2006-03-21 23:42:10.000000000 +0000 +++ src/common/imagtiff.cpp @@@@ -232,15 +232,25 @@@@ bool wxTIFFHandler::LoadFile( wxImage *i } uint32 w, h; - uint32 npixels; uint32 *raster; TIFFGetField( tif, TIFFTAG_IMAGEWIDTH, &w ); TIFFGetField( tif, TIFFTAG_IMAGELENGTH, &h ); - npixels = w * h; + // guard against integer overflow during multiplication which could result + // in allocating a too small buffer and then overflowing it + const double bytesNeeded = (double)w * (double)h * sizeof(uint32); + if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ ) + { + if ( verbose ) + wxLogError( _("TIFF: Image size is abnormally big.") ); + + TIFFClose(tif); + + return false; + } - raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) ); + raster = (uint32*) _TIFFmalloc( bytesNeeded ); if (!raster) { @ 1.1 log @Add patches for CVE-2009-2369 and CVE-2009-2625. Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-ag was added on branch pkgsrc-2009Q4 on 2010-02-28 13:34:22 +0000 @ text @d1 35 @ 1.1.2.2 log @Pullup ticket 3028 - requested by taca security patch Revisions pulled up: - pkgsrc/x11/wxGTK26/Makefile 1.5 - pkgsrc/x11/wxGTK26/distinfo 1.4 Files added: pkgsrc/x11/wxGTK26/patches/patch-ae pkgsrc/x11/wxGTK26/patches/patch-af pkgsrc/x11/wxGTK26/patches/patch-ag pkgsrc/x11/wxGTK26/patches/patch-ah -------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Tue Feb 16 17:35:34 UTC 2010 Modified Files: pkgsrc/x11/wxGTK26: Makefile distinfo Added Files: pkgsrc/x11/wxGTK26/patches: patch-ae patch-af patch-ag patch-ah Log Message: Add patches for CVE-2009-2369 and CVE-2009-2625. Bump PKGREVISION. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 pkgsrc/x11/wxGTK26/Makefile cvs rdiff -u -r1.3 -r1.4 pkgsrc/x11/wxGTK26/distinfo cvs rdiff -u -r0 -r1.1 pkgsrc/x11/wxGTK26/patches/patch-ae \ pkgsrc/x11/wxGTK26/patches/patch-af pkgsrc/x11/wxGTK26/patches/patch-ag \ pkgsrc/x11/wxGTK26/patches/patch-ah @ text @a0 35 $NetBSD: patch-ag,v 1.1 2010/02/16 17:35:34 taca Exp $ deal with CVE-2009-2369. --- src/common/imagtiff.cpp.orig 2006-03-21 23:42:10.000000000 +0000 +++ src/common/imagtiff.cpp @@@@ -232,15 +232,25 @@@@ bool wxTIFFHandler::LoadFile( wxImage *i } uint32 w, h; - uint32 npixels; uint32 *raster; TIFFGetField( tif, TIFFTAG_IMAGEWIDTH, &w ); TIFFGetField( tif, TIFFTAG_IMAGELENGTH, &h ); - npixels = w * h; + // guard against integer overflow during multiplication which could result + // in allocating a too small buffer and then overflowing it + const double bytesNeeded = (double)w * (double)h * sizeof(uint32); + if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ ) + { + if ( verbose ) + wxLogError( _("TIFF: Image size is abnormally big.") ); + + TIFFClose(tif); + + return false; + } - raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) ); + raster = (uint32*) _TIFFmalloc( bytesNeeded ); if (!raster) { @