[pkgsrc/trunk]: pkgsrc/audio/xmms plug integer overflows in skin handling (CV...

To: pkgsrc-changes-hg%NetBSD.org@localhost
Subject: [pkgsrc/trunk]: pkgsrc/audio/xmms plug integer overflows in skin handling (CV...
From: drochner <drochner%pkgsrc.org@localhost>
Date: Thu, 14 Oct 2021 04:46:09 +0000

details:   https://anonhg.NetBSD.org/pkgsrc/rev/aa90c7c1a937
branches:  trunk
changeset: 527532:aa90c7c1a937
user:      drochner <drochner%pkgsrc.org@localhost>
date:      Tue Apr 10 12:19:40 2007 +0000

description:
plug integer overflows in skin handling (CVE-2007-0653, CVE-2007-0654),
patch from Debian

diffstat:

 audio/xmms/Makefile         |   4 +-
 audio/xmms/distinfo         |   3 +-
 audio/xmms/patches/patch-aq |  46 +++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 50 insertions(+), 3 deletions(-)

diffs (77 lines):

diff -r 70d7d6574edd -r aa90c7c1a937 audio/xmms/Makefile
--- a/audio/xmms/Makefile       Tue Apr 10 11:42:01 2007 +0000
+++ b/audio/xmms/Makefile       Tue Apr 10 12:19:40 2007 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.64 2007/02/01 16:55:58 drochner Exp $
+# $NetBSD: Makefile,v 1.65 2007/04/10 12:19:40 drochner Exp $
 #
 
-PKGREVISION=           7
+PKGREVISION=           8
 
 .include "Makefile.common"
 
diff -r 70d7d6574edd -r aa90c7c1a937 audio/xmms/distinfo
--- a/audio/xmms/distinfo       Tue Apr 10 11:42:01 2007 +0000
+++ b/audio/xmms/distinfo       Tue Apr 10 12:19:40 2007 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.30 2007/03/08 15:01:50 rillig Exp $
+$NetBSD: distinfo,v 1.31 2007/04/10 12:19:40 drochner Exp $
 
 SHA1 (xmms-1.2.10.tar.bz2) = a3c3d3756d5263183c27b3c50a7f5404cba8bfaf
 RMD160 (xmms-1.2.10.tar.bz2) = 0360cbb8c326b3325bd8ebb3343c69a9788d7084
@@ -19,3 +19,4 @@
 SHA1 (patch-an) = 3abc68bd37018800dc70b151a5b419211a727a02
 SHA1 (patch-ao) = 2cadee08e6db7b802d1b700559705a8fe591f2dd
 SHA1 (patch-ap) = 101c54e2ce0e575893b8d3880ca54a021e89a8dd
+SHA1 (patch-aq) = 1b5e0b7a2f3e9c529deffad63f24a498b11d96f6
diff -r 70d7d6574edd -r aa90c7c1a937 audio/xmms/patches/patch-aq
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/audio/xmms/patches/patch-aq       Tue Apr 10 12:19:40 2007 +0000
@@ -0,0 +1,46 @@
+$NetBSD: patch-aq,v 1.3 2007/04/10 12:19:40 drochner Exp $
+
+--- ./xmms/bmp.c.orig  2002-02-12 00:15:56.000000000 +0100
++++ ./xmms/bmp.c
+@@ -19,6 +19,12 @@
+  */
+ #include "xmms.h"
+ 
++#if HAVE_STDINT_H
++#include <stdint.h>
++#elif !defined(UINT32_MAX)
++#define UINT32_MAX 0xffffffffU
++#endif
++
+ typedef struct tagRGBQUAD
+ {
+       guchar rgbBlue;
+@@ -184,7 +190,7 @@ GdkPixmap *read_bmp(gchar * filename)
+       }
+       else if (bitcount != 24 && bitcount != 16 && bitcount != 32)
+       {
+-              gint ncols, i;
++              guint32 ncols, i;
+ 
+               ncols = offset - headSize - 14;
+               if (headSize == 12)
+@@ -200,10 +206,18 @@ GdkPixmap *read_bmp(gchar * filename)
+               }
+       }
+       fseek(file, offset, SEEK_SET);
++      /* verify buffer size */
++      if (!h || !w ||
++          w > (((UINT32_MAX - 3) / 3) / h) ||
++          h > (((UINT32_MAX - 3) / 3) / w)) {
++              g_warning("read_bmp(): width(%u)*height(%u) too large", w, h);
++              fclose(file);
++              return NULL;
++      }
++      data = g_malloc0((w * 3 * h) + 3);      /* +3 is just for safety */
+       buffer = g_malloc(imgsize);
+       fread(buffer, imgsize, 1, file);
+       fclose(file);
+-      data = g_malloc0((w * 3 * h) + 3);      /* +3 is just for safety */
+ 
+       if (bitcount == 1)
+               read_1b_rgb(buffer, imgsize, data, w, h, rgb_quads);

Prev by Date: [pkgsrc/trunk]: pkgsrc/x11/xeyes Import xeyes-1.0.1.
Next by Date: [pkgsrc/trunk]: pkgsrc/x11/ico Import ico-1.0.1.
Previous by Thread: [pkgsrc/trunk]: pkgsrc/x11/xeyes Import xeyes-1.0.1.
Next by Thread: [pkgsrc/trunk]: pkgsrc/x11/ico Import ico-1.0.1.
Indexes:

Home | Main Index | Thread Index | Old Index