pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/graphics/freeimage Fix CVE-2015-0852 and CVE-2016-5684.



details:   https://anonhg.NetBSD.org/pkgsrc/rev/a99d12974072
branches:  trunk
changeset: 358760:a99d12974072
user:      snj <snj%pkgsrc.org@localhost>
date:      Mon Feb 20 08:00:42 2017 +0000

description:
Fix CVE-2015-0852 and CVE-2016-5684.

diffstat:

 graphics/freeimage/Makefile                                     |    3 +-
 graphics/freeimage/distinfo                                     |    4 +-
 graphics/freeimage/patches/patch-Source_FreeImage_PluginPCX.cpp |  220 ++++++++++
 graphics/freeimage/patches/patch-Source_FreeImage_PluginXPM.cpp |   33 +
 4 files changed, 258 insertions(+), 2 deletions(-)

diffs (290 lines):

diff -r 12cf833bcd06 -r a99d12974072 graphics/freeimage/Makefile
--- a/graphics/freeimage/Makefile       Mon Feb 20 05:53:42 2017 +0000
+++ b/graphics/freeimage/Makefile       Mon Feb 20 08:00:42 2017 +0000
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.2 2015/05/27 21:59:26 markd Exp $
+# $NetBSD: Makefile,v 1.3 2017/02/20 08:00:42 snj Exp $
 
 DISTNAME=      FreeImage3170
 PKGNAME=       freeimage-3.17.0
+PKGREVISION=   1
 CATEGORIES=    devel graphics
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=freeimage/}
 EXTRACT_SUFX=  .zip
diff -r 12cf833bcd06 -r a99d12974072 graphics/freeimage/distinfo
--- a/graphics/freeimage/distinfo       Mon Feb 20 05:53:42 2017 +0000
+++ b/graphics/freeimage/distinfo       Mon Feb 20 08:00:42 2017 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.3 2015/11/03 21:33:57 agc Exp $
+$NetBSD: distinfo,v 1.4 2017/02/20 08:00:42 snj Exp $
 
 SHA1 (FreeImage3170.zip) = 6752c83798c2f81dee71a2e8bb11657068672669
 RMD160 (FreeImage3170.zip) = c4e87846098327ee346c49ae81b6036f6d9ab36d
@@ -6,4 +6,6 @@
 Size (FreeImage3170.zip) = 7020636 bytes
 SHA1 (patch-Makefile) = 719f3539d1e841761c8cf442634d71e792ea7231
 SHA1 (patch-Makefile.fip) = 3a8bdc29a2249b5cb9e30ccfcc25eb6be99755d9
+SHA1 (patch-Source_FreeImage_PluginPCX.cpp) = 26853626d1dc6a52804f946fd0576269de380512
+SHA1 (patch-Source_FreeImage_PluginXPM.cpp) = eac7be24c3d64593feebdb548df8a404db66c113
 SHA1 (patch-Source_LibOpenJPEG_opj__malloc.h) = 4ba7924e5ce04b98c9c249bc31df600b7fbdcde3
diff -r 12cf833bcd06 -r a99d12974072 graphics/freeimage/patches/patch-Source_FreeImage_PluginPCX.cpp
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/freeimage/patches/patch-Source_FreeImage_PluginPCX.cpp   Mon Feb 20 08:00:42 2017 +0000
@@ -0,0 +1,220 @@
+$NetBSD: patch-Source_FreeImage_PluginPCX.cpp,v 1.1 2017/02/20 08:00:42 snj Exp $
+
+Fix CVE-2015-0852.
+
+http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?r1=1.17&r2=1.18&pathrev=MAIN
+
+--- Source/FreeImage/PluginPCX.cpp.orig        2015-03-02 02:07:08.000000000 -0800
++++ Source/FreeImage/PluginPCX.cpp     2017-02-19 23:39:07.000000000 -0800
+@@ -30,7 +30,7 @@
+ //   Constants + headers
+ // ----------------------------------------------------------
+ 
+-#define IO_BUF_SIZE   2048
++#define PCX_IO_BUF_SIZE       2048
+ 
+ // ----------------------------------------------------------
+ 
+@@ -120,17 +120,17 @@ readline(FreeImageIO &io, fi_handle hand
+ 
+               while (length--) {
+                       if (count == 0) {
+-                              if (*ReadPos >= IO_BUF_SIZE - 1 ) {
+-                                      if (*ReadPos == IO_BUF_SIZE - 1) {
++                              if (*ReadPos >= PCX_IO_BUF_SIZE - 1 ) {
++                                      if (*ReadPos == PCX_IO_BUF_SIZE - 1) {
+                                               // we still have one BYTE, copy it to the start pos
+ 
+-                                              *ReadBuf = ReadBuf[IO_BUF_SIZE - 1];
++                                              *ReadBuf = ReadBuf[PCX_IO_BUF_SIZE - 1];
+ 
+-                                              io.read_proc(ReadBuf + 1, 1, IO_BUF_SIZE - 1, handle);
++                                              io.read_proc(ReadBuf + 1, 1, PCX_IO_BUF_SIZE - 1, handle);
+                                       } else {
+                                               // read the complete buffer
+ 
+-                                              io.read_proc(ReadBuf, 1, IO_BUF_SIZE, handle);
++                                              io.read_proc(ReadBuf, 1, PCX_IO_BUF_SIZE, handle);
+                                       }
+ 
+                                       *ReadPos = 0;
+@@ -346,19 +346,9 @@ Load(FreeImageIO *io, fi_handle handle, 
+       BOOL header_only = (flags & FIF_LOAD_NOPIXELS) == FIF_LOAD_NOPIXELS;
+ 
+       try {
+-              // check PCX identifier
+-
+-              long start_pos = io->tell_proc(handle);
+-              BOOL validated = pcx_validate(io, handle);              
+-              io->seek_proc(handle, start_pos, SEEK_SET);
+-              if(!validated) {
+-                      throw FI_MSG_ERROR_MAGIC_NUMBER;
+-              }
+-
+-              // process the header
+-
+               PCXHEADER header;
+ 
++              // process the header
+               if(io->read_proc(&header, sizeof(PCXHEADER), 1, handle) != 1) {
+                       throw FI_MSG_ERROR_PARSING;
+               }
+@@ -366,20 +356,38 @@ Load(FreeImageIO *io, fi_handle handle, 
+               SwapHeader(&header);
+ #endif
+ 
+-              // allocate a new DIB
++              // process the window
++              const WORD *window = header.window;     // left, upper, right,lower pixel coord.
++              const int left          = window[0];
++              const int top           = window[1];
++              const int right         = window[2];
++              const int bottom        = window[3];
+ 
+-              unsigned width = header.window[2] - header.window[0] + 1;
+-              unsigned height = header.window[3] - header.window[1] + 1;
+-              unsigned bitcount = header.bpp * header.planes;
++              // check image size
++              if((left >= right) || (top >= bottom)) {
++                      throw FI_MSG_ERROR_PARSING;
++              }
+ 
+-              if (bitcount == 24) {
+-                      dib = FreeImage_AllocateHeader(header_only, width, height, bitcount, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
+-              } else {
+-                      dib = FreeImage_AllocateHeader(header_only, width, height, bitcount);                   
++              const unsigned width = right - left + 1;
++              const unsigned height = bottom - top + 1;
++              const unsigned bitcount = header.bpp * header.planes;
++
++              // allocate a new dib
++              switch(bitcount) {
++                      case 1:
++                      case 4:
++                      case 8:
++                              dib = FreeImage_AllocateHeader(header_only, width, height, bitcount);
++                              break;
++                      case 24:
++                              dib = FreeImage_AllocateHeader(header_only, width, height, bitcount, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
++                              break;
++                      default:
++                              throw FI_MSG_ERROR_DIB_MEMORY;
++                              break;
+               }
+ 
+               // if the dib couldn't be allocated, throw an error
+-
+               if (!dib) {
+                       throw FI_MSG_ERROR_DIB_MEMORY;
+               }
+@@ -426,19 +434,23 @@ Load(FreeImageIO *io, fi_handle handle, 
+ 
+                               if (palette_id == 0x0C) {
+                                       BYTE *cmap = (BYTE*)malloc(768 * sizeof(BYTE));
+-                                      io->read_proc(cmap, 768, 1, handle);
+ 
+-                                      pal = FreeImage_GetPalette(dib);
+-                                      BYTE *pColormap = &cmap[0];
++                                      if(cmap) {
++                                              io->read_proc(cmap, 768, 1, handle);
+ 
+-                                      for(int i = 0; i < 256; i++) {
+-                                              pal[i].rgbRed   = pColormap[0];
+-                                              pal[i].rgbGreen = pColormap[1];
+-                                              pal[i].rgbBlue  = pColormap[2];
+-                                              pColormap += 3;
++                                              pal = FreeImage_GetPalette(dib);
++                                              BYTE *pColormap = &cmap[0];
++
++                                              for(int i = 0; i < 256; i++) {
++                                                      pal[i].rgbRed   = pColormap[0];
++                                                      pal[i].rgbGreen = pColormap[1];
++                                                      pal[i].rgbBlue  = pColormap[2];
++                                                      pColormap += 3;
++                                              }
++
++                                              free(cmap);
+                                       }
+ 
+-                                      free(cmap);
+                               }
+ 
+                               // wrong palette ID, perhaps a gray scale is needed ?
+@@ -463,12 +475,12 @@ Load(FreeImageIO *io, fi_handle handle, 
+                       return dib;
+               }
+ 
+-              // calculate the line length for the PCX and the DIB
++              // calculate the line length for the PCX and the dib
+ 
+               // length of raster line in bytes
+-              unsigned linelength = header.bytes_per_line * header.planes;
+-              // length of DIB line (rounded to DWORD) in bytes
+-              unsigned pitch = FreeImage_GetPitch(dib);
++              const unsigned linelength = header.bytes_per_line * header.planes;
++              // length of dib line (rounded to DWORD) in bytes
++              const unsigned pitch = FreeImage_GetPitch(dib);
+ 
+               // run-length encoding ?
+ 
+@@ -478,14 +490,18 @@ Load(FreeImageIO *io, fi_handle handle, 
+               // ---------------
+ 
+               line = (BYTE*)malloc(linelength * sizeof(BYTE));
+-              if(!line) throw FI_MSG_ERROR_MEMORY;
++              if(!line) {
++                      throw FI_MSG_ERROR_MEMORY;
++              }
+               
+-              ReadBuf = (BYTE*)malloc(IO_BUF_SIZE * sizeof(BYTE));
+-              if(!ReadBuf) throw FI_MSG_ERROR_MEMORY;
++              ReadBuf = (BYTE*)malloc(PCX_IO_BUF_SIZE * sizeof(BYTE));
++              if(!ReadBuf) {
++                      throw FI_MSG_ERROR_MEMORY;
++              }
+               
+               bits = FreeImage_GetScanLine(dib, height - 1);
+ 
+-              int ReadPos = IO_BUF_SIZE;
++              int ReadPos = PCX_IO_BUF_SIZE;
+ 
+               if ((header.planes == 1) && ((header.bpp == 1) || (header.bpp == 8))) {
+                       BYTE skip;
+@@ -497,7 +513,7 @@ Load(FreeImageIO *io, fi_handle handle, 
+                               // skip trailing garbage at the end of the scanline
+ 
+                               for (unsigned count = written; count < linelength; count++) {
+-                                      if (ReadPos < IO_BUF_SIZE) {
++                                      if (ReadPos < PCX_IO_BUF_SIZE) {
+                                               ReadPos++;
+                                       } else {
+                                               io->read_proc(&skip, sizeof(BYTE), 1, handle);
+@@ -513,7 +529,9 @@ Load(FreeImageIO *io, fi_handle handle, 
+                       unsigned x, y, written;
+ 
+                       buffer = (BYTE*)malloc(width * sizeof(BYTE));
+-                      if(!buffer) throw FI_MSG_ERROR_MEMORY;
++                      if(!buffer) {
++                              throw FI_MSG_ERROR_MEMORY;
++                      }
+ 
+                       for (y = 0; y < height; y++) {
+                               written = readline(*io, handle, line, linelength, bIsRLE, ReadBuf, &ReadPos);
+@@ -532,7 +550,7 @@ Load(FreeImageIO *io, fi_handle handle, 
+                                       }
+                               }
+ 
+-                              // then write the DIB row
++                              // then write the dib row
+ 
+                               for (x = 0; x < width / 2; x++) {
+                                       bits[x] = (buffer[2*x] << 4) | buffer[2*x+1];
+@@ -541,7 +559,7 @@ Load(FreeImageIO *io, fi_handle handle, 
+                               // skip trailing garbage at the end of the scanline
+ 
+                               for (unsigned count = written; count < linelength; count++) {
+-                                      if (ReadPos < IO_BUF_SIZE) {
++                                      if (ReadPos < PCX_IO_BUF_SIZE) {
+                                               ReadPos++;
+                                       } else {
+                                               io->read_proc(&skip, sizeof(BYTE), 1, handle);
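Review bot: In the palette hunk of Load() (`@@ -426,19 +434,23 @@`) the return value of `io->read_proc(cmap, 768, 1, handle)` is still ignored, so a file truncated after the 0x0C marker fills all 256 palette entries from an uninitialised malloc buffer and stale heap bytes can end up in the decoded image. The new `if(cmap)` block is the natural place to reject the short read, for example `if(io->read_proc(cmap, 768, 1, handle) != 1) { free(cmap); throw FI_MSG_ERROR_PARSING; }`. Separately, `linelength` is still `header.bytes_per_line * header.planes`, both taken from the file, and nothing in the visible lines compares it with `pitch`; if code outside these hunks passes a dib scanline to readline() with `linelength` as the length, an oversized bytes_per_line would write past the row, so a `linelength > pitch` guard right after the two values are computed should be confirmed against the full file. Load()'s body starts and ends outside the hunks shown.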
diff -r 12cf833bcd06 -r a99d12974072 graphics/freeimage/patches/patch-Source_FreeImage_PluginXPM.cpp
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/freeimage/patches/patch-Source_FreeImage_PluginXPM.cpp   Mon Feb 20 08:00:42 2017 +0000
@@ -0,0 +1,33 @@
+$NetBSD: patch-Source_FreeImage_PluginXPM.cpp,v 1.1 2017/02/20 08:00:42 snj Exp $
+
+Fix CVE-2016-5684.
+
+http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginXPM.cpp?r1=1.17&r2=1.18
+
+and
+
+http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginXPM.cpp?r1=1.18&r2=1.19
+
+--- Source/FreeImage/PluginXPM.cpp.orig        2015-03-02 02:07:08.000000000 -0800
++++ Source/FreeImage/PluginXPM.cpp     2017-02-19 11:37:34.000000000 -0800
+@@ -181,6 +181,11 @@ Load(FreeImageIO *io, fi_handle handle, 
+               }
+               free(str);
+ 
++              // check info string
++              if((width <= 0) || (height <= 0) || (colors <= 0) || (cpp <= 0)) {
++                      throw "Improperly formed info string";
++              }
++
+         if (colors > 256) {
+                       dib = FreeImage_AllocateHeader(header_only, width, height, 24, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
+               } else {
+@@ -193,7 +198,7 @@ Load(FreeImageIO *io, fi_handle handle, 
+                       FILE_RGBA rgba;
+ 
+                       str = ReadString(io, handle);
+-                      if(!str)
++                      if(!str || (strlen(str) < (size_t)cpp))
+                               throw "Error reading color strings";
+ 
+                       std::string chrs(str,cpp); //create a string for the color chars using the first cpp chars
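Review bot: In the second XPM hunk the new `strlen(str) < (size_t)cpp` test throws while `str` is still allocated, so every short colour line leaks the buffer returned by ReadString unless a handler outside the hunk releases it. Freeing before the throw keeps the error path clean: `if(str && strlen(str) < (size_t)cpp) { free(str); throw "Error reading color strings"; }` placed ahead of the existing `if(!str)` check. The info-string check bounds `width`, `height`, `colors` and `cpp` only from below, and the length test covers only the colour-table lines; if later code outside the hunk builds `std::string(ptr, cpp)` from pixel rows, those rows presumably need an equivalent `width * cpp` length check, which should be confirmed against the full file. Load()'s body starts and ends outside the hunk.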


