
[pkgsrc/trunk]: pkgsrc/editors/xemacs Fix CVE-2009-2688, via <https://bugzill...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/c07e9534ec60
branches:  trunk
changeset: 603046:c07e9534ec60
user:      hauke <hauke%pkgsrc.org@localhost>
date:      Fri Apr 27 13:53:46 2012 +0000

description:
Fix CVE-2009-2688, via <https://bugzilla.redhat.com/show_bug.cgi?id=511994>

diffstat:

 editors/xemacs/Makefile                          |    4 +-
 editors/xemacs/distinfo                          |    5 +-
 editors/xemacs/patches/patch-aj                  |   45 --------
 editors/xemacs/patches/patch-src_glyphs-eimage.c |  123 +++++++++++++++++++++++
 editors/xemacs/patches/patch-src_lisp.h          |   18 +++
 5 files changed, 146 insertions(+), 49 deletions(-)

diffs (232 lines):

diff -r 07014d8e69b8 -r c07e9534ec60 editors/xemacs/Makefile
--- a/editors/xemacs/Makefile   Fri Apr 27 12:31:32 2012 +0000
+++ b/editors/xemacs/Makefile   Fri Apr 27 13:53:46 2012 +0000
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.102 2012/04/25 11:56:42 hauke Exp $
+# $NetBSD: Makefile,v 1.103 2012/04/27 13:53:46 hauke Exp $
 
 PKGNAME?=      ${DISTNAME}
 COMMENT?=      XEmacs text editor version 21
 
 DISTNAME=      xemacs-21.4.22
-PKGREVISION=   6
+PKGREVISION=   7
 CATEGORIES=    editors
 MASTER_SITES=  ${MASTER_SITE_XEMACS:=${DISTNAME:C/[.][^.]*$//}/}
 
diff -r 07014d8e69b8 -r c07e9534ec60 editors/xemacs/distinfo
--- a/editors/xemacs/distinfo   Fri Apr 27 12:31:32 2012 +0000
+++ b/editors/xemacs/distinfo   Fri Apr 27 13:53:46 2012 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.16 2011/01/19 16:04:00 tnn Exp $
+$NetBSD: distinfo,v 1.17 2012/04/27 13:53:46 hauke Exp $
 
 SHA1 (xemacs/xemacs-21.4.22.tar.gz) = 24ed9b13d80c53c06bba60c7bb68387f692b7373
 RMD160 (xemacs/xemacs-21.4.22.tar.gz) = f7d71d3607c3301760df8f7ae5a93d1d37df56ba
@@ -12,6 +12,7 @@
 SHA1 (patch-ag) = 0ccbead4be5da92e73a15432ff1b063da13cf0b4
 SHA1 (patch-ah) = 9a02b989a6d45cdfead22ea703acceca722cf313
 SHA1 (patch-ai) = ea752473a56d20907201763966ecdeaaeffac84a
-SHA1 (patch-aj) = 8e8eaaa0eece7a5ee09a7645ae05db35efa081bb
 SHA1 (patch-ak) = bfbd285a1cc7d4e93a2fc884e03492dec9302e55
 SHA1 (patch-al) = 247826009110453a868525e711e084b7dee49664
+SHA1 (patch-src_glyphs-eimage.c) = f013013d467d32dfac63287dd5a565153855a751
+SHA1 (patch-src_lisp.h) = 7b4c7984cfbfe1e3a30aac2009f777b8d95c013c
diff -r 07014d8e69b8 -r c07e9534ec60 editors/xemacs/patches/patch-aj
--- a/editors/xemacs/patches/patch-aj   Fri Apr 27 12:31:32 2012 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,45 +0,0 @@
-$NetBSD: patch-aj,v 1.3 2011/01/19 16:04:01 tnn Exp $
-
---- src/glyphs-eimage.c.orig   2007-08-20 19:52:28.000000000 +0000
-+++ src/glyphs-eimage.c
-@@ -937,8 +937,8 @@ png_instantiate (Lisp_Object image_insta
-   {
-     int y;
-     unsigned char **row_pointers;
--    height = info_ptr->height;
--    width = info_ptr->width;
-+    height = png_get_image_height(png_ptr, info_ptr);
-+    width = png_get_image_width(png_ptr, info_ptr);
- 
-     /* Wow, allocate all the memory.  Truly, exciting. */
-     unwind.eimage = xnew_array_and_zero (unsigned char, width * height * 3);
-@@ -990,22 +990,22 @@ png_instantiate (Lisp_Object image_insta
-     /* Now that we're using EImage, ask for 8bit RGB triples for any type
-        of image*/
-     /* convert palette images to full RGB */
--    if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
-+    if (png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_PALETTE)
-       png_set_expand (png_ptr);
-     /* send grayscale images to RGB too */
--    if (info_ptr->color_type == PNG_COLOR_TYPE_GRAY ||
--        info_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
-+    if (png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_GRAY ||
-+        png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_GRAY_ALPHA)
-       png_set_gray_to_rgb (png_ptr);
-     /* we can't handle alpha values */
--    if (info_ptr->color_type & PNG_COLOR_MASK_ALPHA)
-+    if (png_get_color_type(png_ptr, info_ptr) & PNG_COLOR_MASK_ALPHA)
-       png_set_strip_alpha (png_ptr);
-     /* tell libpng to strip 16 bit depth files down to 8 bits */
--    if (info_ptr->bit_depth == 16)
-+    if (png_get_bit_depth(png_ptr, info_ptr) == 16)
-       png_set_strip_16 (png_ptr);
-     /* if the image is < 8 bits, pad it out */
--    if (info_ptr->bit_depth < 8)
-+    if (png_get_bit_depth(png_ptr, info_ptr) < 8)
-       {
--      if (info_ptr->color_type == PNG_COLOR_TYPE_GRAY)
-+      if (png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_GRAY)
-         png_set_expand (png_ptr);
-       else
-         png_set_packing (png_ptr);
diff -r 07014d8e69b8 -r c07e9534ec60 editors/xemacs/patches/patch-src_glyphs-eimage.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/editors/xemacs/patches/patch-src_glyphs-eimage.c  Fri Apr 27 13:53:46 2012 +0000
@@ -0,0 +1,123 @@
+$NetBSD: patch-src_glyphs-eimage.c,v 1.1 2012/04/27 13:53:46 hauke Exp $
+
+Fix CVE-2009-2688, via <https://bugzilla.redhat.com/show_bug.cgi?id=511994>
+
+Adapt to new libpng 1.5 interfaces
+
+--- src/glyphs-eimage.c.orig   2007-08-20 19:52:28.000000000 +0000
++++ src/glyphs-eimage.c
+@@ -407,6 +407,7 @@ jpeg_instantiate (Lisp_Object image_inst
+    */
+ 
+   {
++    UINT_64_BIT pixels_sq;
+     int jpeg_gray = 0;                /* if we're dealing with a grayscale */
+     /* Step 4: set parameters for decompression.   */
+ 
+@@ -429,7 +430,10 @@ jpeg_instantiate (Lisp_Object image_inst
+     jpeg_start_decompress (&cinfo);
+ 
+     /* Step 6: Read in the data and put into EImage format (8bit RGB triples)*/
+-
++    pixels_sq =
++      (UINT_64_BIT) cinfo.output_width * (UINT_64_BIT) cinfo.output_height;
++    if (pixels_sq > ((size_t) -1) / 3)
++      signal_image_error ("JPEG image too large to instantiate", instantiator);
+     unwind.eimage = (unsigned char*) xmalloc (cinfo.output_width * cinfo.output_height * 3);
+     if (!unwind.eimage)
+       signal_image_error("Unable to allocate enough memory for image", instantiator);
+@@ -671,6 +675,7 @@ gif_instantiate (Lisp_Object image_insta
+   {
+     ColorMapObject *cmo = unwind.giffile->SColorMap;
+     int i, j, row, pass, interlace, slice;
++    UINT_64_BIT pixels_sq;
+     unsigned char *eip;
+     /* interlaced gifs have rows in this order:
+        0, 8, 16, ..., 4, 12, 20, ..., 2, 6, 10, ..., 1, 3, 5, ...  */
+@@ -679,6 +684,9 @@ gif_instantiate (Lisp_Object image_insta
+ 
+     height = unwind.giffile->SHeight;
+     width = unwind.giffile->SWidth;
++    pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
++    if (pixels_sq > ((size_t) -1) / (3 * unwind.giffile->ImageCount))
++      signal_image_error ("GIF image too large to instantiate", instantiator);
+     unwind.eimage = (unsigned char*)
+       xmalloc (width * height * 3 * unwind.giffile->ImageCount);
+     if (!unwind.eimage)
+@@ -937,11 +945,15 @@ png_instantiate (Lisp_Object image_insta
+   {
+     int y;
+     unsigned char **row_pointers;
+-    height = info_ptr->height;
+-    width = info_ptr->width;
+-
++    UINT_64_BIT pixels_sq;
++    height = png_get_image_height(png_ptr, info_ptr);
++    width = png_get_image_width(png_ptr, info_ptr);
++
++    pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
++    if (pixels_sq > ((size_t) -1) / 3)
++      signal_image_error ("PNG image too large to instantiate", instantiator);
+     /* Wow, allocate all the memory.  Truly, exciting. */
+-    unwind.eimage = xnew_array_and_zero (unsigned char, width * height * 3);
++    unwind.eimage = xnew_array_and_zero (unsigned char, pixels_sq * 3);
+     /* libpng expects that the image buffer passed in contains a
+        picture to draw on top of if the png has any transparencies.
+        This could be a good place to pass that in... */
+@@ -990,22 +1002,22 @@ png_instantiate (Lisp_Object image_insta
+     /* Now that we're using EImage, ask for 8bit RGB triples for any type
+        of image*/
+     /* convert palette images to full RGB */
+-    if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE)
++    if (png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_PALETTE)
+       png_set_expand (png_ptr);
+     /* send grayscale images to RGB too */
+-    if (info_ptr->color_type == PNG_COLOR_TYPE_GRAY ||
+-        info_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
++    if (png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_GRAY ||
++        png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_GRAY_ALPHA)
+       png_set_gray_to_rgb (png_ptr);
+     /* we can't handle alpha values */
+-    if (info_ptr->color_type & PNG_COLOR_MASK_ALPHA)
++    if (png_get_color_type(png_ptr, info_ptr) & PNG_COLOR_MASK_ALPHA)
+       png_set_strip_alpha (png_ptr);
+     /* tell libpng to strip 16 bit depth files down to 8 bits */
+-    if (info_ptr->bit_depth == 16)
++    if (png_get_bit_depth(png_ptr, info_ptr) == 16)
+       png_set_strip_16 (png_ptr);
+     /* if the image is < 8 bits, pad it out */
+-    if (info_ptr->bit_depth < 8)
++    if (png_get_bit_depth(png_ptr, info_ptr) < 8)
+       {
+-      if (info_ptr->color_type == PNG_COLOR_TYPE_GRAY)
++      if (png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_GRAY)
+         png_set_expand (png_ptr);
+       else
+         png_set_packing (png_ptr);
+@@ -1268,6 +1280,7 @@ tiff_instantiate (Lisp_Object image_inst
+ 
+     uint32 *raster;
+     unsigned char *ep;
++    UINT_64_BIT pixels_sq;
+ 
+     assert (!NILP (data));
+ 
+@@ -1290,12 +1303,16 @@ tiff_instantiate (Lisp_Object image_inst
+ 
+     TIFFGetField (unwind.tiff, TIFFTAG_IMAGEWIDTH, &width);
+     TIFFGetField (unwind.tiff, TIFFTAG_IMAGELENGTH, &height);
+-    unwind.eimage = (unsigned char *) xmalloc (width * height * 3);
++    pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height;
++    if (pixels_sq >= 1 << 29)
++      signal_image_error ("TIFF image too large to instantiate", instantiator);
++    unwind.eimage = (unsigned char *) xmalloc (pixels_sq * 3);
++
+ 
+     /* #### This is little more than proof-of-concept/function testing.
+        It needs to be reimplemented via scanline reads for both memory
+        compactness. */
+-    raster = (uint32*) _TIFFmalloc (width * height * sizeof (uint32));
++    raster = (uint32*) _TIFFmalloc ((tsize_t) (pixels_sq * sizeof (uint32)));
+     if (raster != NULL)
+       {
+       int i,j;
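Review bot: The overflow guard added before the JPEG allocation does not protect the allocation itself: `xmalloc (cinfo.output_width * cinfo.output_height * 3)` still multiplies in the fields' own type, so if that type is narrower than size_t (libjpeg's JDIMENSION is 32-bit unsigned on LP64 hosts, as far as I recall) a product that passes the 64-bit `pixels_sq` check can still wrap and yield an undersized buffer; use the checked value, `unwind.eimage = (unsigned char*) xmalloc (pixels_sq * 3);`, as the PNG and TIFF paths in this same patch already do. The GIF path has the same gap in `xmalloc (width * height * 3 * unwind.giffile->ImageCount)` and should become `xmalloc (pixels_sq * 3 * unwind.giffile->ImageCount)`. The GIF guard also divides by `3 * unwind.giffile->ImageCount`, which is a division by zero if a crafted file leaves ImageCount at 0, so that case should be rejected before the division. Each of the four instantiate functions begins and ends outside the quoted sub-hunks.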
diff -r 07014d8e69b8 -r c07e9534ec60 editors/xemacs/patches/patch-src_lisp.h
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/editors/xemacs/patches/patch-src_lisp.h   Fri Apr 27 13:53:46 2012 +0000
@@ -0,0 +1,18 @@
+$NetBSD: patch-src_lisp.h,v 1.1 2012/04/27 13:53:46 hauke Exp $
+
+Fix CVE-2009-2688, via <https://bugzilla.redhat.com/show_bug.cgi?id=511994>
+
+--- src/lisp.h.orig    2005-02-01 03:55:02.000000000 +0000
++++ src/lisp.h
+@@ -265,6 +265,11 @@ void assert_failed (const char *, int, c
+ /*#define REGISTER register*/
+ /*#endif*/
+ 
++#if SIZEOF_LONG == 8
++#define UINT_64_BIT unsigned long
++#elif SIZEOF_LONG_LONG == 8
++#define UINT_64_BIT unsigned long long
++#endif
+ 
+ /* EMACS_INT is the underlying integral type into which a Lisp_Object must fit.
+    In particular, it must be large enough to contain a pointer.
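Review bot: The new `UINT_64_BIT` definition has no fallback branch: when neither `SIZEOF_LONG` nor `SIZEOF_LONG_LONG` is 8 (or neither is defined, which the preprocessor treats as 0) the macro stays undefined and the first use in glyphs-eimage.c fails with an unrelated-looking syntax error. Add an explicit `#else` / `#error "no 64-bit unsigned integer type available"` branch so the configuration problem is reported at the definition rather than at a distant use site.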


