Date: Thu, 16 Jul 2015 16:47:22 +0000 (UTC) From: Mark Felder <feld@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r392301 - in head/graphics/libwmf: . files Message-ID: <201507161647.t6GGlMP2076772@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: feld Date: Thu Jul 16 16:47:21 2015 New Revision: 392301 URL: https://svnweb.freebsd.org/changeset/ports/392301 Log: - Assign maintainership - Resolve backlog of CVEs PR: 201513 Reported by: Sevan Janiyan Submitted by: Jason Unovitch (maintainer) Security: CVE-2004-0941 [1] Security: CVE-2007-0455 [1] Security: CVE-2007-2756 [1] Security: CVE-2007-3472 [1] Security: CVE-2007-3473 [1] Security: CVE-2007-3477 [1] Security: CVE-2009-3546 [1] Security: CVE-2015-4695 [2] Security: CVE-2015-4696 [3] Security: CVE-2015-0848 [4] Security: CVE-2015-4588 [4] Security: ca139c7f-2a8c-11e5-a4a5-002590263bf5 Obtained From: CentOS libwmf RPM git [1] Obtained From: Debian Bug 784205 [2] Obtained From: Debian Bug 784192 [3] Obtained From: Red Hat Bug 1227243 [4] MFH: 2015Q3 Added: head/graphics/libwmf/files/patch-CAN-2004-0941 (contents, props changed) head/graphics/libwmf/files/patch-CVE-2007-0455 (contents, props changed) head/graphics/libwmf/files/patch-CVE-2007-2756 (contents, props changed) head/graphics/libwmf/files/patch-CVE-2007-3472 (contents, props changed) head/graphics/libwmf/files/patch-CVE-2007-3473 (contents, props changed) head/graphics/libwmf/files/patch-CVE-2007-3477 (contents, props changed) head/graphics/libwmf/files/patch-CVE-2009-3546 (contents, props changed) head/graphics/libwmf/files/patch-deb784192-CVE-2015-4696 (contents, props changed) head/graphics/libwmf/files/patch-deb784205-CVE-2015-4695 (contents, props changed) head/graphics/libwmf/files/patch-rh1227243-CVE-2015-0848 (contents, props changed) head/graphics/libwmf/files/patch-rh1227243-CVE-2015-4588 (contents, props changed) Modified: head/graphics/libwmf/Makefile Modified: head/graphics/libwmf/Makefile ============================================================================== --- head/graphics/libwmf/Makefile Thu Jul 16 15:57:37 2015 (r392300) +++ head/graphics/libwmf/Makefile Thu Jul 16 16:47:21 2015 (r392301) @@ -3,11 +3,11 @@ PORTNAME= libwmf PORTVERSION= 0.2.8.4 -PORTREVISION= 13 +PORTREVISION= 14 CATEGORIES= graphics MASTER_SITES= SF/wvware/${PORTNAME}/${PORTVERSION} -MAINTAINER= ports@FreeBSD.org +MAINTAINER= jason.unovitch@gmail.com COMMENT= Tools and library for converting Microsoft WMF (windows metafile) LICENSE= GPLv2 # or later Added: head/graphics/libwmf/files/patch-CAN-2004-0941 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/graphics/libwmf/files/patch-CAN-2004-0941 Thu Jul 16 16:47:21 2015 (r392301) @@ -0,0 +1,17 @@ +--- src/extra/gd/gd_png.c 2004-11-11 14:02:37.407589824 -0500 ++++ src/extra/gd/gd_png.c 2004-11-11 14:04:29.672522960 -0500 +@@ -188,6 +188,14 @@ + + png_get_IHDR (png_ptr, info_ptr, &width, &height, &bit_depth, &color_type, + &interlace_type, NULL, NULL); ++ if (overflow2(sizeof (int), width)) ++ { ++ return NULL; ++ } ++ if (overflow2(sizeof (int) * width, height)) ++ { ++ return NULL; ++ } + if ((color_type == PNG_COLOR_TYPE_RGB) || + (color_type == PNG_COLOR_TYPE_RGB_ALPHA)) + { Added: head/graphics/libwmf/files/patch-CVE-2007-0455 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/graphics/libwmf/files/patch-CVE-2007-0455 Thu Jul 16 16:47:21 2015 (r392301) @@ -0,0 +1,11 @@ +--- src/extra/gd/gdft.c 2010-12-06 11:18:26.000000000 +0000 ++++ src/extra/gd/gdft.c 2010-12-06 11:21:09.000000000 +0000 +@@ -811,7 +811,7 @@ + { + ch = c & 0xFF; /* don't extend sign */ + } +- next++; ++ if (*next) next++; + } + else + { Added: head/graphics/libwmf/files/patch-CVE-2007-2756 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/graphics/libwmf/files/patch-CVE-2007-2756 Thu Jul 16 16:47:21 2015 (r392301) @@ -0,0 +1,16 @@ +--- src/extra/gd/gd_png.c 1 Apr 2007 20:41:01 -0000 1.21.2.1 ++++ src/extra/gd/gd_png.c 16 May 2007 19:06:11 -0000 +@@ -78,8 +78,11 @@ + gdPngReadData (png_structp png_ptr, + png_bytep data, png_size_t length) + { +- gdGetBuf (data, length, (gdIOCtx *) +- png_get_io_ptr (png_ptr)); ++ int check; ++ check = gdGetBuf (data, length, (gdIOCtx *) png_get_io_ptr (png_ptr)); ++ if (check != length) { ++ png_error(png_ptr, "Read Error: truncated data"); ++ } + } + + static void Added: head/graphics/libwmf/files/patch-CVE-2007-3472 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/graphics/libwmf/files/patch-CVE-2007-3472 Thu Jul 16 16:47:21 2015 (r392301) @@ -0,0 +1,61 @@ +Patch modified slightly from upstream CentOS version + +--- src/extra/gd/gd.c ++++ src/extra/gd/gd.c +@@ -106,6 +106,18 @@ + gdImagePtr im; + unsigned long cpa_size; + ++ if (overflow2(sx, sy)) { ++ return NULL; ++ } ++ ++ if (overflow2(sizeof (int *), sy)) { ++ return NULL; ++ } ++ ++ if (overflow2(sizeof(int), sx)) { ++ return NULL; ++ } ++ + im = (gdImage *) gdMalloc (sizeof (gdImage)); + if (im == 0) return 0; + memset (im, 0, sizeof (gdImage)); +--- src/extra/gd/gdhelpers.c 2010-12-06 11:47:31.000000000 +0000 ++++ src/extra/gd/gdhelpers.c 2010-12-06 11:48:04.000000000 +0000 +@@ -2,6 +2,7 @@ + #include "gdhelpers.h" + #include <stdlib.h> + #include <string.h> ++#include <limits.h> + + /* TBB: gd_strtok_r is not portable; provide an implementation */ + +@@ -94,3 +95,18 @@ + { + free (ptr); + } ++ ++int overflow2(int a, int b) ++{ ++ if(a < 0 || b < 0) { ++ fprintf(stderr, "gd warning: one parameter to a memory allocation multiplication is negative, failing operation gracefully\n"); ++ return 1; ++ } ++ if(b == 0) ++ return 0; ++ if(a > INT_MAX / b) { ++ fprintf(stderr, "gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully\n"); ++ return 1; ++ } ++ return 0; ++} +--- src/extra/gd/gdhelpers.h 2010-12-06 11:47:17.000000000 +0000 ++++ src/extra/gd/gdhelpers.h 2010-12-06 11:48:36.000000000 +0000 +@@ -15,4 +15,6 @@ + void *gdMalloc(size_t size); + void *gdRealloc(void *ptr, size_t size); + ++int overflow2(int a, int b); ++ + #endif /* GDHELPERS_H */ Added: head/graphics/libwmf/files/patch-CVE-2007-3473 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/graphics/libwmf/files/patch-CVE-2007-3473 Thu Jul 16 16:47:21 2015 (r392301) @@ -0,0 +1,13 @@ +--- src/extra/gd/gd.c ++++ src/extra/gd/gd.c +@@ -2483,6 +2483,10 @@ BGD_DECLARE(gdImagePtr) gdImageCreateFromXbm (FILE * fd) + } + bytes = (w * h / 8) + 1; + im = gdImageCreate (w, h); ++ if (!im) { ++ return 0; ++ } ++ + gdImageColorAllocate (im, 255, 255, 255); + gdImageColorAllocate (im, 0, 0, 0); + x = 0; Added: head/graphics/libwmf/files/patch-CVE-2007-3477 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/graphics/libwmf/files/patch-CVE-2007-3477 Thu Jul 16 16:47:21 2015 (r392301) @@ -0,0 +1,38 @@ +--- src/extra/gd/gd.c ++++ src/extra/gd/gd.c +@@ -1335,10 +1335,31 @@ + int w2, h2; + w2 = w / 2; + h2 = h / 2; +- while (e < s) +- { +- e += 360; +- } ++ ++ if ((s % 360) == (e % 360)) { ++ s = 0; e = 360; ++ } else { ++ if (s > 360) { ++ s = s % 360; ++ } ++ ++ if (e > 360) { ++ e = e % 360; ++ } ++ ++ while (s < 0) { ++ s += 360; ++ } ++ ++ while (e < s) { ++ e += 360; ++ } ++ ++ if (s == e) { ++ s = 0; e = 360; ++ } ++ } ++ + for (i = s; (i <= e); i++) + { + int x, y; Added: head/graphics/libwmf/files/patch-CVE-2009-3546 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/graphics/libwmf/files/patch-CVE-2009-3546 Thu Jul 16 16:47:21 2015 (r392301) @@ -0,0 +1,13 @@ +--- src/extra/gd/gd_gd.c 2010-12-06 14:56:06.000000000 +0000 ++++ src/extra/gd/gd_gd.c 2010-12-06 14:57:04.000000000 +0000 +@@ -42,6 +42,10 @@ + { + goto fail1; + } ++ if (&im->colorsTotal > gdMaxColors) ++ { ++ goto fail1; ++ } + } + /* Int to accommodate truecolor single-color transparency */ + if (!gdGetInt (&im->transparent, in)) Added: head/graphics/libwmf/files/patch-deb784192-CVE-2015-4696 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/graphics/libwmf/files/patch-deb784192-CVE-2015-4696 Thu Jul 16 16:47:21 2015 (r392301) @@ -0,0 +1,20 @@ +--- src/player/meta.h ++++ src/player/meta.h + ++ if (FR->region_clip) FR->region_clip (API,&polyrect); ++ + wmf_free (API,polyrect.TL); + wmf_free (API,polyrect.BR); + } +@@ -2593,9 +2595,10 @@ + polyrect.BR = 0; + + polyrect.count = 0; ++ ++ if (FR->region_clip) FR->region_clip (API,&polyrect); + } + +- if (FR->region_clip) FR->region_clip (API,&polyrect); + + return (changed); + } Added: head/graphics/libwmf/files/patch-deb784205-CVE-2015-4695 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/graphics/libwmf/files/patch-deb784205-CVE-2015-4695 Thu Jul 16 16:47:21 2015 (r392301) @@ -0,0 +1,58 @@ +Index: src/player/meta.h +=================================================================== +--- libwmf-0.2.8.4.orig/src/player/meta.h ++++ src/player/meta.h +@@ -1565,7 +1565,7 @@ static int meta_rgn_create (wmfAPI* API, + objects = P->objects; + + i = 0; +- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; ++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; + + if (i == NUM_OBJECTS (API)) + { WMF_ERROR (API,"Object out of range!"); +@@ -2142,7 +2142,7 @@ static int meta_dib_brush (wmfAPI* API,w + objects = P->objects; + + i = 0; +- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; ++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; + + if (i == NUM_OBJECTS (API)) + { WMF_ERROR (API,"Object out of range!"); +@@ -3067,7 +3067,7 @@ static int meta_pen_create (wmfAPI* API, + objects = P->objects; + + i = 0; +- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; ++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; + + if (i == NUM_OBJECTS (API)) + { WMF_ERROR (API,"Object out of range!"); +@@ -3181,7 +3181,7 @@ static int meta_brush_create (wmfAPI* AP + objects = P->objects; + + i = 0; +- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; ++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; + + if (i == NUM_OBJECTS (API)) + { WMF_ERROR (API,"Object out of range!"); +@@ -3288,7 +3288,7 @@ static int meta_font_create (wmfAPI* API + objects = P->objects; + + i = 0; +- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; ++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; + + if (i == NUM_OBJECTS (API)) + { WMF_ERROR (API,"Object out of range!"); +@@ -3396,7 +3396,7 @@ static int meta_palette_create (wmfAPI* + objects = P->objects; + + i = 0; +- while (objects[i].type && (i < NUM_OBJECTS (API))) i++; ++ while ((i < NUM_OBJECTS (API)) && objects[i].type) i++; + + if (i == NUM_OBJECTS (API)) + { WMF_ERROR (API,"Object out of range!"); Added: head/graphics/libwmf/files/patch-rh1227243-CVE-2015-0848 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/graphics/libwmf/files/patch-rh1227243-CVE-2015-0848 Thu Jul 16 16:47:21 2015 (r392301) @@ -0,0 +1,20 @@ +--- src/ipa/ipa/bmp.h 2015-06-02 11:35:04.072201795 +0100 ++++ src/ipa/ipa/bmp.h 2015-06-02 11:35:20.647406414 +0100 +@@ -1145,8 +1143,15 @@ + } + } + else +- { /* Convert run-length encoded raster pixels. */ +- DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image); ++ { ++ if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */ ++ { ++ DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image); ++ } ++ else ++ { WMF_ERROR (API,"Unexpected pixel depth"); ++ API->err = wmf_E_BadFormat; ++ } + } + + if (ERR (API)) Added: head/graphics/libwmf/files/patch-rh1227243-CVE-2015-4588 ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/graphics/libwmf/files/patch-rh1227243-CVE-2015-4588 Thu Jul 16 16:47:21 2015 (r392301) @@ -0,0 +1,111 @@ +diff -ru src/ipa/ipa/bmp.h src/ipa/ipa/bmp.h +--- src/ipa/ipa/bmp.h 2015-06-03 09:30:59.410501271 +0100 ++++ src/ipa/ipa/bmp.h 2015-06-03 09:31:05.775572630 +0100 +@@ -859,7 +859,7 @@ + % + % + */ +-static void DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels) ++static int DecodeImage (wmfAPI* API,wmfBMP* bmp,BMPSource* src,unsigned int compression,unsigned char* pixels) + { int byte; + int count; + int i; +@@ -870,12 +870,14 @@ + U32 u; + + unsigned char* q; ++ unsigned char* end; + + for (u = 0; u < ((U32) bmp->width * (U32) bmp->height); u++) pixels[u] = 0; + + byte = 0; + x = 0; + q = pixels; ++ end = pixels + bmp->width * bmp->height; + + for (y = 0; y < bmp->height; ) + { count = ReadBlobByte (src); +@@ -884,7 +886,10 @@ + { /* Encoded mode. */ + byte = ReadBlobByte (src); + for (i = 0; i < count; i++) +- { if (compression == 1) ++ { ++ if (q == end) ++ return 0; ++ if (compression == 1) + { (*(q++)) = (unsigned char) byte; + } + else +@@ -896,13 +901,15 @@ + else + { /* Escape mode. */ + count = ReadBlobByte (src); +- if (count == 0x01) return; ++ if (count == 0x01) return 1; + switch (count) + { + case 0x00: + { /* End of line. */ + x = 0; + y++; ++ if (y >= bmp->height) ++ return 0; + q = pixels + y * bmp->width; + break; + } +@@ -910,13 +917,20 @@ + { /* Delta mode. */ + x += ReadBlobByte (src); + y += ReadBlobByte (src); ++ if (y >= bmp->height) ++ return 0; ++ if (x >= bmp->width) ++ return 0; + q = pixels + y * bmp->width + x; + break; + } + default: + { /* Absolute mode. */ + for (i = 0; i < count; i++) +- { if (compression == 1) ++ { ++ if (q == end) ++ return 0; ++ if (compression == 1) + { (*(q++)) = ReadBlobByte (src); + } + else +@@ -943,7 +957,7 @@ + byte = ReadBlobByte (src); /* end of line */ + byte = ReadBlobByte (src); + +- return; ++ return 1; + } + + /* +@@ -1146,7 +1160,10 @@ + { + if (bmp_info.bits_per_pixel == 8) /* Convert run-length encoded raster pixels. */ + { +- DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image); ++ if (!DecodeImage (API,bmp,src,(unsigned int) bmp_info.compression,data->image)) ++ { WMF_ERROR (API,"corrupt bmp"); ++ API->err = wmf_E_BadFormat; ++ } + } + else + { WMF_ERROR (API,"Unexpected pixel depth"); +diff -ru src/ipa/ipa.h src/ipa/ipa.h +--- src/ipa/ipa.h 2015-06-03 09:30:59.410501271 +0100 ++++ src/ipa/ipa.h 2015-06-03 09:31:08.687605277 +0100 +@@ -48,7 +48,7 @@ + static unsigned short ReadBlobLSBShort (BMPSource*); + static unsigned long ReadBlobLSBLong (BMPSource*); + static long TellBlob (BMPSource*); +-static void DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*); ++static int DecodeImage (wmfAPI*,wmfBMP*,BMPSource*,unsigned int,unsigned char*); + static void ReadBMPImage (wmfAPI*,wmfBMP*,BMPSource*); + static int ExtractColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned int,unsigned int); + static void SetColor (wmfAPI*,wmfBMP*,wmfRGB*,unsigned char,unsigned int,unsigned int);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201507161647.t6GGlMP2076772>