Darcsweb-Url:
http://darcs.frugalware.org/darcsweb/darcsweb.cgi?r=frugalware-0.5;a=darcs_commitdiff;h=20061109172940-dd049-48475fa7368345c7e1dfc54ac97a0baf4eb3841e.gz;
[imlib2-1.2.2-2siwenna1-i686
voroskoi <[EMAIL PROTECTED]>**20061109172940
secfix relbump, closes #1425
] {
addfile ./source/xlib/imlib2/loader_overflows.patch
hunk ./source/xlib/imlib2/FrugalBuild 1
-# Last Modified: Sun, 19 Mar 2006 12:30:38 +0100
hunk ./source/xlib/imlib2/FrugalBuild 6
-pkgrel=1
+pkgrel=2siwenna1
hunk ./source/xlib/imlib2/FrugalBuild 13
-source=(http://heanet.dl.sourceforge.net/sourceforge/enlightenment/$pkgname-$pkgver.tar.gz)
-sha1sums=('c358aed94f2faf0fb2afcae905c56e8a54c1d763')
+source=(http://heanet.dl.sourceforge.net/sourceforge/enlightenment/$pkgname-$pkgver.tar.gz
loader_overflows.patch)
hunk ./source/xlib/imlib2/FrugalBuild 27
+sha1sums=('c358aed94f2faf0fb2afcae905c56e8a54c1d763' \
+ '96e062ee7f3ccd7e5720c8d60a43e7e800126da8')
hunk ./source/xlib/imlib2/FrugalBuild 30
-# optimalization OK
+# optimization OK
hunk ./source/xlib/imlib2/loader_overflows.patch 1
+diff -Nur imlib2-1.2.1/src/modules/loaders/loader_argb.c
imlib2-1.2.1.new/src/modules/loaders/loader_argb.c
+--- imlib2-1.2.1/src/modules/loaders/loader_argb.c 2004-12-13
19:50:46.000000000 -0800
++++ imlib2-1.2.1.new/src/modules/loaders/loader_argb.c 2006-11-03
12:00:55.434893245 -0800
+@@ -23,7 +23,7 @@
+ load(ImlibImage * im, ImlibProgressFunction progress,
+ char progress_granularity, char immediate_load)
+ {
+- int w, h, alpha;
++ int w=0, h=0, alpha=0;
+ FILE *f;
+
+ if (im->data)
+@@ -36,13 +36,15 @@
+ {
+ char buf[256], buf2[256];
+
++ memset(buf, 0, sizeof(buf));
++ memset(buf2, 0, sizeof(buf));
+ if (!fgets(buf, 255, f))
+ {
+ fclose(f);
+ return 0;
+ }
+ sscanf(buf, "%s %i %i %i", buf2, &w, &h, &alpha);
+- if (strcmp(buf2, "ARGB"))
++ if (strcmp(buf2, "ARGB") || w < 1 || h < 1 || w > 16383 || h > 16383)
+ {
+ fclose(f);
+ return 0;
+diff -Nur imlib2-1.2.1/src/modules/loaders/loader_jpeg.c
imlib2-1.2.1.new/src/modules/loaders/loader_jpeg.c
+--- imlib2-1.2.1/src/modules/loaders/loader_jpeg.c 2004-12-13
19:50:46.000000000 -0800
++++ imlib2-1.2.1.new/src/modules/loaders/loader_jpeg.c 2006-11-03
12:00:55.434893245 -0800
+@@ -95,6 +95,13 @@
+ UNSET_FLAG(im->flags, F_HAS_ALPHA);
+ im->format = strdup("jpeg");
+ }
++ if (w < 1 || h < 1 || w > 16383 || h > 16383)
++ {
++ im->w = im->h = 0;
++ jpeg_destroy_decompress(&cinfo);
++ fclose(f);
++ return 0;
++ }
+ if (((!im->data) && (im->loader)) || (immediate_load) || (progress))
+ {
+ DATA8 *ptr, *line[16], *data;
+diff -Nur imlib2-1.2.1/src/modules/loaders/loader_lbm.c
imlib2-1.2.1.new/src/modules/loaders/loader_lbm.c
+--- imlib2-1.2.1/src/modules/loaders/loader_lbm.c 2004-11-01
01:45:31.000000000 -0800
++++ imlib2-1.2.1.new/src/modules/loaders/loader_lbm.c 2006-11-03
12:00:55.434893245 -0800
+@@ -421,7 +421,7 @@
+
+ im->w = L2RWORD(ilbm.bmhd.data);
+ im->h = L2RWORD(ilbm.bmhd.data + 2);
+- if (im->w <= 0 || im->h <= 0) ok = 0;
++ if (im->w <= 0 || im->h <= 0 || im->w > 16383 || im->h > 16383) ok =
0;
+
+ ilbm.depth = ilbm.bmhd.data[8];
+ if (ilbm.depth < 1 || (ilbm.depth > 8 && ilbm.depth != 24 &&
ilbm.depth != 32)) ok = 0; /* Only 1 to 8, 24, or 32 planes. */
+@@ -453,6 +453,7 @@
+ }
+ }
+ if (!full || !ok) {
++ im->w = im->h = 0;
+ freeilbm(&ilbm);
+ return ok;
+ }
+@@ -467,12 +468,13 @@
+ cancel = 0;
+ plane[0] = NULL;
+
++ n = ilbm.depth;
++ if (ilbm.mask == 1) n++;
++
+ im->data = malloc(im->w * im->h * sizeof(DATA32));
+- if (im->data) {
+- n = ilbm.depth;
+- if (ilbm.mask == 1) n++;
++ plane[0] = malloc(((im->w + 15) / 16) * 2 * n);
++ if (im->data && plane[0]) {
+
+- plane[0] = malloc(((im->w + 15) / 16) * 2 * n);
+ for (i = 1; i < n; i++) plane[i] = plane[i - 1] + ((im->w + 15) / 16)
* 2;
+
+ z = ((im->w + 15) / 16) * 2 * n;
+@@ -511,6 +513,7 @@
+ * the memory for im->data.
+ *----------*/
+ if (!ok) {
++ im->w = im->h = 0;
+ if (im->data) free(im->data);
+ im->data = NULL;
+ }
+diff -Nur imlib2-1.2.1/src/modules/loaders/loader_png.c
imlib2-1.2.1.new/src/modules/loaders/loader_png.c
+--- imlib2-1.2.1/src/modules/loaders/loader_png.c 2004-12-13
19:50:46.000000000 -0800
++++ imlib2-1.2.1.new/src/modules/loaders/loader_png.c 2006-11-03
12:00:55.434893245 -0800
+@@ -83,6 +83,13 @@
+ png_get_IHDR(png_ptr, info_ptr, (png_uint_32 *) (&w32),
+ (png_uint_32 *) (&h32), &bit_depth, &color_type,
+ &interlace_type, NULL, NULL);
++ if (w32 < 1 || h32 < 1 || w32 > 16383 || h32 > 16383)
++ {
++ png_read_end(png_ptr, info_ptr);
++ png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp) NULL);
++ fclose(f);
++ return 0;
++ }
+ im->w = (int)w32;
+ im->h = (int)h32;
+ if (color_type == PNG_COLOR_TYPE_PALETTE)
+diff -Nur imlib2-1.2.1/src/modules/loaders/loader_pnm.c
imlib2-1.2.1.new/src/modules/loaders/loader_pnm.c
+--- imlib2-1.2.1/src/modules/loaders/loader_pnm.c 2004-12-27
13:05:31.000000000 -0800
++++ imlib2-1.2.1.new/src/modules/loaders/loader_pnm.c 2006-11-03
12:00:55.438893449 -0800
+@@ -80,7 +80,7 @@
+ int i = 0;
+
+ /* read numbers */
+- while (c != EOF && !isspace(c))
++ while (c != EOF && i+1 < sizeof(buf) && !isspace(c))
+ {
+ buf[i++] = c;
+ c = fgetc(f);
+diff -Nur imlib2-1.2.1/src/modules/loaders/loader_tga.c
imlib2-1.2.1.new/src/modules/loaders/loader_tga.c
+--- imlib2-1.2.1/src/modules/loaders/loader_tga.c 2004-12-27
13:05:32.000000000 -0800
++++ imlib2-1.2.1.new/src/modules/loaders/loader_tga.c 2006-11-03
12:00:55.438893449 -0800
+@@ -319,6 +319,7 @@
+ {
+ unsigned long datasize;
+ unsigned char *bufptr;
++ unsigned char *bufend;
+ DATA32 *dataptr;
+
+ int y, pl = 0;
+@@ -348,6 +349,9 @@
+ /* bufptr is the next byte to be read from the buffer */
+ bufptr = filedata;
+
++ /* bufend is one past the last byte to be read from the buffer */
++ bufend = filedata + datasize;
++
+ /* dataptr is the next 32-bit pixel to be filled in */
+ dataptr = im->data;
+
+@@ -365,7 +369,9 @@
+ else
+ dataptr = im->data + (y * im->w);
+
+- for (x = 0; x < im->w; x++) /* for each pixel in the row
*/
++ for (x = 0;
++ x < im->w && bufptr+bpp/8 < bufend;
++ x++) /* for each pixel in the row */
+ {
+ switch (bpp)
+ {
+@@ -422,8 +428,8 @@
+ unsigned char curbyte, red, green, blue, alpha;
+ DATA32 *final_pixel = dataptr + im->w * im->h;
+
+- /* loop until we've got all the pixels */
+- while (dataptr < final_pixel)
++ /* loop until we've got all the pixels or run out of input */
++ while (dataptr < final_pixel && bufptr+1+bpp/8 < bufend)
+ {
+ int count;
+
+@@ -441,7 +447,7 @@
+ green = *bufptr++;
+ red = *bufptr++;
+ alpha = *bufptr++;
+- for (i = 0; i < count; i++)
++ for (i = 0; i < count && dataptr < final_pixel;
i++)
+ {
+ WRITE_RGBA(dataptr, red, green, blue,
alpha);
+ dataptr++;
+@@ -452,7 +458,7 @@
+ blue = *bufptr++;
+ green = *bufptr++;
+ red = *bufptr++;
+- for (i = 0; i < count; i++)
++ for (i = 0; i < count && dataptr < final_pixel;
i++)
+ {
+ WRITE_RGBA(dataptr, red, green, blue,
+ (char)0xff);
+@@ -462,7 +468,7 @@
+
+ case 8:
+ alpha = *bufptr++;
+- for (i = 0; i < count; i++)
++ for (i = 0; i < count && dataptr < final_pixel;
i++)
+ {
+ WRITE_RGBA(dataptr, alpha, alpha, alpha,
+ (char)0xff);
+@@ -477,7 +483,7 @@
+ {
+ int i;
+
+- for (i = 0; i < count; i++)
++ for (i = 0; i < count && dataptr < final_pixel; i++)
+ {
+ switch (bpp)
+ {
+diff -Nur imlib2-1.2.1/src/modules/loaders/loader_tiff.c
imlib2-1.2.1.new/src/modules/loaders/loader_tiff.c
+--- imlib2-1.2.1/src/modules/loaders/loader_tiff.c 2004-12-13
19:50:46.000000000 -0800
++++ imlib2-1.2.1.new/src/modules/loaders/loader_tiff.c 2006-11-03
12:01:29.544630496 -0800
+@@ -75,7 +75,7 @@
+ raster(TIFFRGBAImage_Extra * img, uint32 * rast,
+ uint32 x, uint32 y, uint32 w, uint32 h)
+ {
+- uint32 image_width, image_height;
++ int image_width, image_height;
+ uint32 *pixel, pixel_value;
+ int i, j, dy, rast_offset;
+ DATA32 *buffer_pixel, *buffer = img->image->data;
+@@ -192,8 +192,16 @@
+ }
+
+ rgba_image.image = im;
+- im->w = width = rgba_image.rgba.width;
+- im->h = height = rgba_image.rgba.height;
++ width = rgba_image.rgba.width;
++ height = rgba_image.rgba.height;
++ if (width < 1 || height < 1 || width >= 16384 || height >= 16384)
++ {
++ TIFFRGBAImageEnd((TIFFRGBAImage *) & rgba_image);
++ TIFFClose(tif);
++ return 0;
++ }
++ im->w = width;
++ im->h = height;
+ rgba_image.num_pixels = num_pixels = width * height;
+ if (rgba_image.rgba.alpha != EXTRASAMPLE_UNSPECIFIED)
+ SET_FLAG(im->flags, F_HAS_ALPHA);
}
_______________________________________________
Frugalware-darcs mailing list
Frugalware-darcs@frugalware.org
http://frugalware.org/mailman/listinfo/frugalware-darcs
