[pkgsrc/trunk]: pkgsrc add a security patch from upstream CVS:

To: pkgsrc-changes-hg%NetBSD.org@localhost
Subject: [pkgsrc/trunk]: pkgsrc add a security patch from upstream CVS:
From: drochner <drochner%pkgsrc.org@localhost>
Date: Mon, 16 Jan 2023 19:21:29 +0000

details:   https://anonhg.NetBSD.org/pkgsrc/rev/dc001acc3503
branches:  trunk
changeset: 394109:dc001acc3503
user:      drochner <drochner%pkgsrc.org@localhost>
date:      Fri Jun 05 10:48:37 2009 +0000

description:
add a security patch from upstream CVS:
A malformed (or simply huge) PNG file can lead to integer overflow in
calculating the size of the output buffer, leading to crashes or buffer
overflows later. Fixes SA35205 security advisory.

bump PKGREVISION of affected plugin

diffstat:

 graphics/gst-plugins0.10-png/Makefile            |   4 +-
 multimedia/gst-plugins0.10-good/distinfo         |   3 +-
 multimedia/gst-plugins0.10-good/patches/patch-ad |  52 ++++++++++++++++++++++++
 3 files changed, 57 insertions(+), 2 deletions(-)

diffs (87 lines):

diff -r 3d8c05b01ee2 -r dc001acc3503 graphics/gst-plugins0.10-png/Makefile
--- a/graphics/gst-plugins0.10-png/Makefile     Fri Jun 05 10:19:10 2009 +0000
+++ b/graphics/gst-plugins0.10-png/Makefile     Fri Jun 05 10:48:37 2009 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.2 2008/06/20 01:09:22 joerg Exp $
+# $NetBSD: Makefile,v 1.3 2009/06/05 10:48:38 drochner Exp $
 #
 
 GST_PLUGINS0.10_NAME=  png
@@ -9,5 +9,7 @@
 
 .include "../../multimedia/gst-plugins0.10-good/Makefile.common"
 
+PKGREVISION=   1
+
 .include "../../graphics/png/buildlink3.mk"
 .include "../../mk/bsd.pkg.mk"
diff -r 3d8c05b01ee2 -r dc001acc3503 multimedia/gst-plugins0.10-good/distinfo
--- a/multimedia/gst-plugins0.10-good/distinfo  Fri Jun 05 10:19:10 2009 +0000
+++ b/multimedia/gst-plugins0.10-good/distinfo  Fri Jun 05 10:48:37 2009 +0000
@@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.20 2009/05/25 15:50:12 drochner Exp $
+$NetBSD: distinfo,v 1.21 2009/06/05 10:48:37 drochner Exp $
 
 SHA1 (gst-plugins-good-0.10.15.tar.bz2) = b37611f5b4e28c19159ed3f71aeaf7dfff513174
 RMD160 (gst-plugins-good-0.10.15.tar.bz2) = 6caa4c4f93285f03c15c23ac0ae5d390c20bfd07
 Size (gst-plugins-good-0.10.15.tar.bz2) = 2354906 bytes
 SHA1 (patch-ab) = ab70993a71c4b288c21e72847186011c33bd0fb1
 SHA1 (patch-ac) = 8867119011dc8cca89cc3a35fb3f095212887bf7
+SHA1 (patch-ad) = af76828f5ee9ae7b41fd66da8703fbede3d464c1
 SHA1 (patch-ba) = e296bbcfc606967b71765988ae1c3ffe96b9359a
diff -r 3d8c05b01ee2 -r dc001acc3503 multimedia/gst-plugins0.10-good/patches/patch-ad
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/multimedia/gst-plugins0.10-good/patches/patch-ad  Fri Jun 05 10:48:37 2009 +0000
@@ -0,0 +1,52 @@
+$NetBSD: patch-ad,v 1.5 2009/06/05 10:48:38 drochner Exp $
+
+--- ext/libpng/gstpngdec.c.orig        2009-05-12 02:00:06.000000000 +0200
++++ ext/libpng/gstpngdec.c
+@@ -201,7 +201,14 @@ user_info_callback (png_structp png_ptr,
+ 
+   /* Allocate output buffer */
+   pngdec->rowbytes = png_get_rowbytes (pngdec->png, pngdec->info);
+-  buffer_size = pngdec->height * GST_ROUND_UP_4 (pngdec->rowbytes);
++  if (pngdec->rowbytes > (G_MAXUINT32 - 3)
++      || pngdec->height > G_MAXUINT32 / pngdec->rowbytes) {
++    ret = GST_FLOW_ERROR;
++    goto beach;
++  }
++  pngdec->rowbytes = GST_ROUND_UP_4 (pngdec->rowbytes);
++  buffer_size = pngdec->height * pngdec->rowbytes;
++
+   ret =
+       gst_pad_alloc_buffer_and_set_caps (pngdec->srcpad, GST_BUFFER_OFFSET_NONE,
+       buffer_size, GST_PAD_CAPS (pngdec->srcpad), &buffer);
+@@ -228,7 +235,7 @@ user_endrow_callback (png_structp png_pt
+   /* If buffer_out doesn't exist, it means buffer_alloc failed, which 
+    * will already have set the return code */
+   if (GST_IS_BUFFER (pngdec->buffer_out)) {
+-    size_t offset = row_num * GST_ROUND_UP_4 (pngdec->rowbytes);
++    size_t offset = row_num * pngdec->rowbytes;
+ 
+     GST_LOG ("got row %u, copying in buffer %p at offset %" G_GSIZE_FORMAT,
+         (guint) row_num, pngdec->buffer_out, offset);
+@@ -496,7 +503,12 @@ gst_pngdec_task (GstPad * pad)
+ 
+   /* Allocate output buffer */
+   rowbytes = png_get_rowbytes (pngdec->png, pngdec->info);
+-  buffer_size = pngdec->height * GST_ROUND_UP_4 (rowbytes);
++  if (rowbytes > (G_MAXUINT32 - 3) || pngdec->height > G_MAXUINT32 / rowbytes) {
++    ret = GST_FLOW_ERROR;
++    goto pause;
++  }
++  rowbytes = GST_ROUND_UP_4 (rowbytes);
++  buffer_size = pngdec->height * rowbytes;
+   ret =
+       gst_pad_alloc_buffer_and_set_caps (pngdec->srcpad, GST_BUFFER_OFFSET_NONE,
+       buffer_size, GST_PAD_CAPS (pngdec->srcpad), &buffer);
+@@ -509,7 +521,7 @@ gst_pngdec_task (GstPad * pad)
+ 
+   for (i = 0; i < pngdec->height; i++) {
+     rows[i] = inp;
+-    inp += GST_ROUND_UP_4 (rowbytes);
++    inp += rowbytes;
+   }
+ 
+   /* Read the actual picture */

Prev by Date: [pkgsrc/trunk]: pkgsrc/net/yale-tftpd Make it build on DragonFly.
Next by Date: [pkgsrc/trunk]: pkgsrc/doc Updated graphics/MesaLib to 7.4.2
Previous by Thread: [pkgsrc/trunk]: pkgsrc/net/yale-tftpd Make it build on DragonFly.
Next by Thread: [pkgsrc/trunk]: pkgsrc/doc Updated graphics/MesaLib to 7.4.2
Indexes:

Home | Main Index | Thread Index | Old Index