tetromino    15/08/01 00:52:50

  Added:                gdk-pixbuf-2.30.8-pixops-overflow.patch
                        gdk-pixbuf-2.30.8-divide-by-zero.patch
  Log:
  Fix integer overflow in pixops (bug #556314, thanks to Agostino Sarubbo). Fix 
gtk-doc installation (bug #549166, thanks to Rafał Mużyło).
  
  (Portage version: 2.2.20/cvs/Linux x86_64, signed Manifest commit with key 
0x18E5B6F2D8D5EC8D)

Revision  Changes    Path
1.1                  
x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.30.8-pixops-overflow.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.30.8-pixops-overflow.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.30.8-pixops-overflow.patch?rev=1.1&content-type=text/plain

Index: gdk-pixbuf-2.30.8-pixops-overflow.patch
===================================================================
>From ffec86ed5010c5a2be14f47b33bcf4ed3169a199 Mon Sep 17 00:00:00 2001
From: Matthias Clasen <mcla...@redhat.com>
Date: Mon, 13 Jul 2015 00:33:40 -0400
Subject: [PATCH] pixops: Be more careful about integer overflow

Our loader code is supposed to handle out-of-memory and overflow
situations gracefully, reporting errors instead of aborting. But
if you load an image at a specific size, we also execute our
scaling code, which was not careful enough about overflow in some
places.

This commit makes the scaling code silently return if it fails to
allocate filter tables. This is the best we can do, since
gdk_pixbuf_scale() is not taking a GError.

https://bugzilla.gnome.org/show_bug.cgi?id=752297
---
 gdk-pixbuf/pixops/pixops.c | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c
index 29a1c14..ce51745 100644
--- a/gdk-pixbuf/pixops/pixops.c
+++ b/gdk-pixbuf/pixops/pixops.c
@@ -1272,7 +1272,16 @@ make_filter_table (PixopsFilter *filter)
   int i_offset, j_offset;
   int n_x = filter->x.n;
   int n_y = filter->y.n;
-  int *weights = g_new (int, SUBSAMPLE * SUBSAMPLE * n_x * n_y);
+  gsize n_weights;
+  int *weights;
+
+  n_weights = SUBSAMPLE * SUBSAMPLE * n_x * n_y;
+  if (n_weights / (SUBSAMPLE * SUBSAMPLE * n_x) != n_y)
+    return NULL; /* overflow, bail */
+
+  weights = g_try_new (int, n_weights);
+  if (!weights)
+    return NULL; /* overflow, bail */
 
   for (i_offset=0; i_offset < SUBSAMPLE; i_offset++)
     for (j_offset=0; j_offset < SUBSAMPLE; j_offset++)
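Review bot: The overflow test in make_filter_table runs after the overflow has already happened: `n_x` and `n_y` are `int`, so `SUBSAMPLE * SUBSAMPLE * n_x * n_y` is evaluated in `int` (assuming SUBSAMPLE is an int constant; its definition is not in the hunk) and only the wrapped result is widened to `gsize`. The divisor `SUBSAMPLE * SUBSAMPLE * n_x` is an `int` product as well, so it can itself overflow or be zero. Widening first and checking each factor against `G_MAXSIZE` before multiplying avoids both, as sketched below. The second `/* overflow, bail */` comment sits on an allocation failure and would read better saying so. The function body continues past the end of the hunk.

```c
  int *weights;

  /* A zero or negative dimension would make the bound checks below divide by zero or wrap. */
  if (n_x <= 0 || n_y <= 0)
    return NULL;

  /* Widen before multiplying so that no step is evaluated in int. */
  n_weights = (gsize) SUBSAMPLE * SUBSAMPLE;
  if ((gsize) n_x > G_MAXSIZE / n_weights)
    return NULL; /* overflow, bail */
  n_weights *= (gsize) n_x;
  if ((gsize) n_y > G_MAXSIZE / n_weights)
    return NULL; /* overflow, bail */
  n_weights *= (gsize) n_y;

  weights = g_try_new (int, n_weights);
  if (!weights)
    return NULL; /* allocation failed, bail */
  /* … unchanged: weight table fill loops … */
```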
@@ -1347,8 +1356,11 @@ pixops_process (guchar         *dest_buf,
   if (x_step == 0 || y_step == 0)
     return; /* overflow, bail out */
 
-  line_bufs = g_new (guchar *, filter->y.n);
   filter_weights = make_filter_table (filter);
+  if (!filter_weights)
+    return; /* overflow, bail out */
+
+  line_bufs = g_new (guchar *, filter->y.n);
 
   check_shift = check_size ? get_check_shift (check_size) : 0;
 
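Review bot: `line_bufs = g_new (guchar *, filter->y.n);` still aborts the process on allocation failure, which is at odds with the silent-return policy the commit introduces two lines above it. Using `line_bufs = g_try_new (guchar *, filter->y.n);` followed by `if (!line_bufs) { g_free (filter_weights); return; }` would keep the behaviour consistent without leaking the filter table. Both early returns also leave `dest_buf` unwritten, so a comment such as `/* dest_buf is left untouched on this path */` would warn callers that pass the buffer on. pixops_process starts and ends outside the hunk.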
@@ -1468,7 +1480,7 @@ tile_make_weights (PixopsFilterDimension *dim,
                   double                 scale)
 {
   int n = ceil (1 / scale + 1);
-  double *pixel_weights = g_new (double, SUBSAMPLE * n);
+  double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
   int offset;
   int i;
 
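Review bot: `g_malloc_n` detects the size overflow but terminates the process when it does (and on out-of-memory), so in tile_make_weights a very small `scale` still ends in an abort rather than the graceful return the commit message aims for; the same applies to the `g_malloc_n` calls in bilinear_magnify_make_weights and bilinear_box_make_weights below. In addition, `int n = ceil (1 / scale + 1);` converts an unchecked double to `int`, which is undefined when the value does not fit, so `n` should be range-checked before it reaches the allocation. A non-aborting form would be `g_try_malloc_n (sizeof (double) * SUBSAMPLE, n)` with a NULL check, but that needs a way to report failure to the caller, and the return types of these functions are not visible in the hunks.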
@@ -1526,7 +1538,7 @@ bilinear_magnify_make_weights (PixopsFilterDimension *dim,
     }
 
   dim->n = n;
-  dim->weights = g_new (double, SUBSAMPLE * n);
+  dim->weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
 
   pixel_weights = dim->weights;
 
@@ -1617,7 +1629,7 @@ bilinear_box_make_weights (PixopsFilterDimension *dim,
                           double                 scale)
 {
   int n = ceil (1/scale + 3.0);
-  double *pixel_weights = g_new (double, SUBSAMPLE * n);
+  double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
   double w;
   int offset, i;
 
-- 
2.5.0




1.1                  
x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.30.8-divide-by-zero.patch

file : 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.30.8-divide-by-zero.patch?rev=1.1&view=markup
plain: 
http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.30.8-divide-by-zero.patch?rev=1.1&content-type=text/plain

Index: gdk-pixbuf-2.30.8-divide-by-zero.patch
===================================================================
>From 74c418ba2e41ab9e2287420378a6192788b1fab6 Mon Sep 17 00:00:00 2001
From: Sarita Rawat <sarita.ra...@samsung.com>
Date: Fri, 5 Jun 2015 06:56:00 +0000
Subject: [PATCH] Avoid a possible divide-by-zero

Pointed out in

https://bugzilla.gnome.org/show_bug.cgi?id=750440
---
 gdk-pixbuf/gdk-pixbuf-loader.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gdk-pixbuf/gdk-pixbuf-loader.c b/gdk-pixbuf/gdk-pixbuf-loader.c
index 65845ed..668b703 100644
--- a/gdk-pixbuf/gdk-pixbuf-loader.c
+++ b/gdk-pixbuf/gdk-pixbuf-loader.c
@@ -330,7 +330,7 @@ gdk_pixbuf_loader_prepare (GdkPixbuf          *pixbuf,
         else
                 anim = gdk_pixbuf_non_anim_new (pixbuf);
   
-       if (priv->needs_scale) {
+       if (priv->needs_scale && width != 0 && height != 0) {
                priv->animation  = GDK_PIXBUF_ANIMATION 
(_gdk_pixbuf_scaled_anim_new (anim,
                                          (double) priv->width / width,
                                          (double) priv->height / height,
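Review bot: The new guard skips scaling for a zero-sized image but leaves `priv->needs_scale` set, so any code elsewhere in the loader that keys off that flag (none is visible in this hunk) may assume a scaled animation exists when it does not. If that applies, folding the zero test into the place where `needs_scale` is computed would keep the flag truthful. Either way a comment on the condition would help, for example `/* zero-sized image: keep the unscaled animation, the ratios below would be infinite */`, since the operands are cast to double and the division yields an infinite scale factor rather than a trap. The rest of gdk_pixbuf_loader_prepare, including the else branch, lies outside the hunk.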
-- 
2.5.0




