Hello community, here is the log from the commit of package gnash for openSUSE:Factory checked in at 2012-03-16 13:14:05 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/gnash (Old) and /work/SRC/openSUSE:Factory/.gnash.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "gnash", Maintainer is "ti...@suse.com" Changes: -------- --- /work/SRC/openSUSE:Factory/gnash/gnash.changes 2012-03-07 13:42:35.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.gnash.new/gnash.changes 2012-03-16 13:14:09.000000000 +0100 @@ -1,0 +2,5 @@ +Thu Mar 15 14:46:13 CET 2012 - ti...@suse.de + +- VUL-0: gnash: integer overflow (CVE-2012-1175, bnc#752373) + +------------------------------------------------------------------- New: ---- gnash-CVE-2012-1175.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ gnash.spec ++++++ --- /var/tmp/diff_new_pack.SGt11S/_old 2012-03-16 13:14:10.000000000 +0100 +++ /var/tmp/diff_new_pack.SGt11S/_new 2012-03-16 13:14:10.000000000 +0100 @@ -54,6 +54,7 @@ Patch: gnash-0.8.5-build-fixes.diff Patch1: gnash-fix-insecure-temp-files.diff Patch2: gnash-CVE-2011-4328.diff +Patch3: gnash-CVE-2012-1175.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -88,6 +89,7 @@ %patch -p1 %patch1 -p1 %patch2 -p1 +%patch3 -p1 %build autoreconf -fi ++++++ gnash-CVE-2012-1175.diff ++++++ >From bb4dc77eecb6ed1b967e3ecbce3dac6c5e6f1527 Mon Sep 17 00:00:00 2001 From: Benjamin Wolsey <b...@benjaminwolsey.de> Date: Sat, 10 Mar 2012 14:52:50 +0000 Subject: Fix crash in GnashImage.cpp --- --- libbase/GnashImage.cpp | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) --- a/libbase/GnashImage.cpp +++ b/libbase/GnashImage.cpp @@ -24,6 +24,7 @@ #include <memory> // for auto_ptr #include <boost/scoped_array.hpp> #include <boost/shared_ptr.hpp> +#include <cassert> #include "FileTypes.h" #include "GnashImage.h" 
@@ -42,6 +43,21 @@ namespace gnash namespace { void processAlpha(GnashImage::iterator imageData, size_t pixels); + bool checkValidSize(size_t width, size_t height, size_t channels) { + + if (width == 0 || height == 0) return false; + + assert(channels > 0); + + boost::uint32_t maxSize = std::numeric_limits<boost::int32_t>::max(); + if (width >= maxSize || height >= maxSize) return false; + + maxSize /= channels; + maxSize /= width; + maxSize /= height; + + return maxSize > 0; + } } GnashImage::GnashImage(iterator data, size_t width, size_t height, @@ -53,6 +69,8 @@ GnashImage::GnashImage(iterator data, si _height(height), _data(data) { + // Callers should check dimensions + assert(checkValidSize(_width, _height, channels())); } /// Create an image allocating a buffer of height*pitch bytes @@ -64,8 +82,9 @@ GnashImage::GnashImage(size_t width, siz _width(width), _height(height) { - const size_t max = std::numeric_limits<boost::int32_t>::max(); - if (size() > max) { + // Constructed from external input, so restrict dimensions to avoid + // overflow in size calculations + if (!checkValidSize(_width, _height, channels())) { throw std::bad_alloc(); } _data.reset(new value_type[size()]); -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
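Review bot: In checkValidSize the only guard against channels == 0 is `assert(channels > 0);`, which is compiled out under NDEBUG, so a release build reaches `maxSize /= channels;` with a zero divisor — and release builds are exactly where the allocating constructor's comment says the dimensions arrive from external input. Since this function is the release-build guard, make the check unconditional, `if (width == 0 || height == 0 || channels == 0) return false;`, and keep the assert only as a debug hint if at all. The same NDEBUG caveat applies to the next hunk, where `assert(checkValidSize(_width, _height, channels()));` is the data-taking constructor's only validation; its comment should say so explicitly, e.g. `// Callers must validate dimensions with checkValidSize(); this assert is debug-only.` That constructor begins outside its hunk.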
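Review bot: The new check before `_data.reset(new value_type[size()]);` bounds width * height * channels, but the comment on this constructor says the buffer is height * pitch bytes; if pitch() rounds each row up for alignment (not visible in this hunk), the value passed to new[] can exceed what checkValidSize bounded, and the removed `size() > max` comparison was the only check on the actual allocation size. Keeping both is cheap once checkValidSize has ruled out overflow in the product: `if (!checkValidSize(_width, _height, channels()) || size() > static_cast<size_t>(std::numeric_limits<boost::int32_t>::max())) { throw std::bad_alloc(); }`; alternatively, state in the comment that pitch() equals width * channels so the two bounds coincide. The constructor's initializer list starts and its body ends outside the hunk.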