hi,
this fixes two buffer overflows in IMG_gif.c (LZW decoder, LWZReadByte) and IMG_lbm.c (ILBM RLE decompression), both reachable from a crafted image file.
ok?
cheers,
jasper
--
"The good life is one inspired by love and guided by knowledge."
-- Bertrand Russell
SECURITY FIX for http://secunia.com/advisories/28640/
Patches were taken from libsdl's svn.
Index: Makefile
===================================================================
RCS file: /cvs/ports/devel/sdl-image/Makefile,v
retrieving revision 1.26
diff -u -r1.26 Makefile
--- Makefile 14 Oct 2007 08:22:17 -0000 1.26
+++ Makefile 28 Mar 2008 17:41:39 -0000
@@ -2,7 +2,7 @@
COMMENT= SDL image library
DISTNAME= SDL_image-1.2.4
-PKGNAME= ${DISTNAME:L:S/_/-/}p3
+PKGNAME= ${DISTNAME:L:S/_/-/}p4
SHARED_LIBS= SDL_image 2.0
CATEGORIES= devel graphics
MASTER_SITES= ftp://ftp.fr.freebsd.org/pub/FreeBSD/distfiles/ \
Index: patches/patch-IMG_gif_c
===================================================================
RCS file: patches/patch-IMG_gif_c
diff -N patches/patch-IMG_gif_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-IMG_gif_c 28 Mar 2008 17:41:39 -0000
@@ -0,0 +1,14 @@
+$OpenBSD$
+--- IMG_gif.c.orig Fri Mar 28 18:36:08 2008
++++ IMG_gif.c Fri Mar 28 18:36:54 2008
+@@ -406,6 +406,10 @@ LWZReadByte(SDL_RWops *src, int flag, int input_code_s
+ static int stack[(1 << (MAX_LWZ_BITS)) * 2], *sp;
+ register int i;
+
++ /* Fixed buffer overflow found by Michael Skladnikiewicz */
++ if (input_code_size > MAX_LWZ_BITS)
++ return -1;
++
+ if (flag) {
+ set_code_size = input_code_size;
+ code_size = set_code_size + 1;
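Review bot: The new guard on input_code_size only bounds the high end; the parameter is a plain `int` (visible in the signature fragment on the hunk header), so a negative value still reaches `code_size = set_code_size + 1` and whatever shift derives the clear code from it further down, which would be undefined behaviour. If the only caller passes a byte read from the stream the lower bound is redundant, but it costs nothing and makes the function safe on its own: `if (input_code_size < 0 || input_code_size > MAX_LWZ_BITS)`. The `return -1` also has to be treated as an error by the caller, which is outside this hunk, so that is worth confirming rather than assuming. The rest of LWZReadByte, including the table and stack writes this check protects, continues past the hunk.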
Index: patches/patch-IMG_lbm_c
===================================================================
RCS file: patches/patch-IMG_lbm_c
diff -N patches/patch-IMG_lbm_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-IMG_lbm_c 28 Mar 2008 17:41:39 -0000
@@ -0,0 +1,29 @@
+$OpenBSD$
+--- IMG_lbm.c.orig Fri Mar 28 18:37:11 2008
++++ IMG_lbm.c Fri Mar 28 18:39:09 2008
+@@ -30,6 +30,7 @@
+ EHB and HAM (specific Amiga graphic chip modes) support added by Marc Le
Douarain
+ (http://www.multimania.com/mavati) in December 2003.
+ Stencil and colorkey fixes by David Raulo (david.raulo AT free DOT fr) in
February 2004.
++ Buffer overflow fix in RLE decompression by David Raulo in January 2008.
+ */
+
+ #include <stdio.h>
+@@ -321,7 +322,7 @@ SDL_Surface *IMG_LoadLBM_RW( SDL_RWops *src )
+ count ^= 0xFF;
+ count += 2; /* now it */
+
+- if ( !SDL_RWread( src, &color,
1, 1 ) )
++ if ( ( count > remainingbytes )
|| !SDL_RWread( src, &color, 1, 1 ) )
+ {
+ error="error reading BODY
chunk";
+ goto done;
+@@ -332,7 +333,7 @@ SDL_Surface *IMG_LoadLBM_RW( SDL_RWops *src )
+ {
+ ++count;
+
+- if ( !SDL_RWread( src, ptr,
count, 1 ) )
++ if ( ( count > remainingbytes )
|| !SDL_RWread( src, ptr, count, 1 ) )
+ {
+ error="error reading BODY
chunk";
+ goto done;
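Review bot: Both new `count > remainingbytes` checks are only as good as the bookkeeping of `remainingbytes`, and neither its declaration nor the place it is decremented is in the hunk; the check must be against the bytes still free in the destination buffer, so something like `remainingbytes -= count` has to follow every advance of `ptr` in the loop, otherwise a sequence of runs that each fit individually can still overflow. Whatever fills the run after `color` is read in the first branch is likewise outside the hunk and relies on the same bound. A one-line comment at the first check would save the next reader the same trip: `/* count bytes must fit in what is left of the destination buffer */`. The enclosing decompression loop and IMG_LoadLBM_RW both start before and end after the hunk.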