Date: Sun, 13 Dec 2015 20:26:24 +0000 (UTC) From: Koop Mast <kwm@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r403688 - in head/graphics/freeimage: . files Message-ID: <201512132026.tBDKQOoM069495@repo.freebsd.org>
Author: kwm Date: Sun Dec 13 20:26:24 2015 New Revision: 403688 URL: https://svnweb.freebsd.org/changeset/ports/403688 Log: Fix included dcraw vulnability. Fix integer overflow in PluginPCX.cpp. [1] Add dcraw files to dos2unix so patching is easier. Obtained from: Debian freeimage package (both patches) Security: 33459061-a1d6-11e5-8794-bcaec565249c [1] Added: head/graphics/freeimage/files/patch-integer_overflow (contents, props changed) head/graphics/freeimage/files/patch-integer_overflow_ljpeg_start (contents, props changed) Modified: head/graphics/freeimage/Makefile Modified: head/graphics/freeimage/Makefile ============================================================================== --- head/graphics/freeimage/Makefile Sun Dec 13 20:23:41 2015 (r403687) +++ head/graphics/freeimage/Makefile Sun Dec 13 20:26:24 2015 (r403688) @@ -3,6 +3,7 @@ PORTNAME= freeimage PORTVERSION= 3.16.0 +PORTREVISION= 1 # Version 3.17.0 is available, but does not build on i386 (and probably # other 32-bit arches) without some not-quite-trivial patching. If one # decides to update the port, please make sure 32-bit builds are tested! @@ -14,7 +15,9 @@ MAINTAINER= ports@FreeBSD.org COMMENT= Simple C/C++ bitmap graphics library USES= dos2unix gmake zip -DOS2UNIX_FILES= Source/LibOpenJPEG/opj_malloc.h +DOS2UNIX_FILES= Source/LibOpenJPEG/opj_malloc.h \ + Source/LibRawLite/dcraw/dcraw.c \ + Source/LibRawLite/internal/dcraw_common.cpp USE_LDCONFIG= yes WRKSRC= ${WRKDIR}/FreeImage MAKE_ARGS= CC="${CC}" CPP="${CPP}" CXX="${CXX}" Added: head/graphics/freeimage/files/patch-integer_overflow ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/graphics/freeimage/files/patch-integer_overflow Sun Dec 13 20:26:24 2015 (r403688) 
@@ -0,0 +1,129 @@ +CVE-2015-0852 + +Description: fix integer overflow +Origin: upstream + http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?view=patch&r1=1.17&r2=1.18&pathrev=MAIN + http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?view=patch&r1=1.18&r2=1.19&pathrev=MAIN +Bug-Debian: https://bugs.debian.org/797165 +Last-Update: 2015-09-14 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +Index: freeimage/Source/FreeImage/PluginPCX.cpp +=================================================================== +--- freeimage.orig/Source/FreeImage/PluginPCX.cpp ++++ Source/FreeImage/PluginPCX.cpp +@@ -347,12 +347,14 @@ Load(FreeImageIO *io, fi_handle handle, + + try { + // check PCX identifier +- +- long start_pos = io->tell_proc(handle); +- BOOL validated = pcx_validate(io, handle); +- io->seek_proc(handle, start_pos, SEEK_SET); +- if(!validated) { +- throw FI_MSG_ERROR_MAGIC_NUMBER; ++ // (note: should have been already validated using FreeImage_GetFileType but check again) ++ { ++ long start_pos = io->tell_proc(handle); ++ BOOL validated = pcx_validate(io, handle); ++ io->seek_proc(handle, start_pos, SEEK_SET); ++ if(!validated) { ++ throw FI_MSG_ERROR_MAGIC_NUMBER; ++ } + } + + // process the header +@@ -366,20 +368,38 @@ Load(FreeImageIO *io, fi_handle handle, + SwapHeader(&header); + #endif + +- // allocate a new DIB ++ // process the window ++ const WORD *window = header.window; // left, upper, right,lower pixel coord. 
++ const int left = window[0]; ++ const int top = window[1]; ++ const int right = window[2]; ++ const int bottom = window[3]; + +- unsigned width = header.window[2] - header.window[0] + 1; +- unsigned height = header.window[3] - header.window[1] + 1; +- unsigned bitcount = header.bpp * header.planes; +- +- if (bitcount == 24) { +- dib = FreeImage_AllocateHeader(header_only, width, height, bitcount, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK); +- } else { +- dib = FreeImage_AllocateHeader(header_only, width, height, bitcount); ++ // check image size ++ if((left >= right) || (top >= bottom)) { ++ throw FI_MSG_ERROR_PARSING; + } + +- // if the dib couldn't be allocated, throw an error ++ const unsigned width = right - left + 1; ++ const unsigned height = bottom - top + 1; ++ const unsigned bitcount = header.bpp * header.planes; ++ ++ // allocate a new DIB ++ switch(bitcount) { ++ case 1: ++ case 4: ++ case 8: ++ dib = FreeImage_AllocateHeader(header_only, width, height, bitcount); ++ break; ++ case 24: ++ dib = FreeImage_AllocateHeader(header_only, width, height, bitcount, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK); ++ break; ++ default: ++ throw FI_MSG_ERROR_DIB_MEMORY; ++ break; ++ } + ++ // if the dib couldn't be allocated, throw an error + if (!dib) { + throw FI_MSG_ERROR_DIB_MEMORY; + } +@@ -426,19 +446,23 @@ Load(FreeImageIO *io, fi_handle handle, + + if (palette_id == 0x0C) { + BYTE *cmap = (BYTE*)malloc(768 * sizeof(BYTE)); +- io->read_proc(cmap, 768, 1, handle); + +- pal = FreeImage_GetPalette(dib); +- BYTE *pColormap = &cmap[0]; ++ if(cmap) { ++ io->read_proc(cmap, 768, 1, handle); + +- for(int i = 0; i < 256; i++) { +- pal[i].rgbRed = pColormap[0]; +- pal[i].rgbGreen = pColormap[1]; +- pal[i].rgbBlue = pColormap[2]; +- pColormap += 3; ++ pal = FreeImage_GetPalette(dib); ++ BYTE *pColormap = &cmap[0]; ++ ++ for(int i = 0; i < 256; i++) { ++ pal[i].rgbRed = pColormap[0]; ++ pal[i].rgbGreen = pColormap[1]; ++ pal[i].rgbBlue = 
pColormap[2]; ++ pColormap += 3; ++ } ++ ++ free(cmap); + } + +- free(cmap); + } + + // wrong palette ID, perhaps a gray scale is needed ? +@@ -466,9 +490,9 @@ Load(FreeImageIO *io, fi_handle handle, + // calculate the line length for the PCX and the DIB + + // length of raster line in bytes +- unsigned linelength = header.bytes_per_line * header.planes; ++ const unsigned linelength = header.bytes_per_line * header.planes; + // length of DIB line (rounded to DWORD) in bytes +- unsigned pitch = FreeImage_GetPitch(dib); ++ const unsigned pitch = FreeImage_GetPitch(dib); + + // run-length encoding ? + Added: head/graphics/freeimage/files/patch-integer_overflow_ljpeg_start ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/graphics/freeimage/files/patch-integer_overflow_ljpeg_start Sun Dec 13 20:26:24 2015 (r403688) 
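Review bot: In the palette block of the embedded PluginPCX.cpp patch, the result of `io->read_proc(cmap, 768, 1, handle)` is still ignored, so a file truncated before the 768-byte colour map leaves `cmap` holding uninitialised `malloc` memory that is then copied into the DIB palette. Checking the return, e.g. `if (io->read_proc(cmap, 768, 1, handle) != 1) { free(cmap); throw FI_MSG_ERROR_PARSING; }`, would close that; this assumes read_proc returns the item count as fread does, which should be confirmed. The new `if(cmap)` guard also turns an allocation failure into a silently missing palette rather than an error. Separately, the size check `(left >= right) || (top >= bottom)` rejects one-pixel-wide or one-pixel-high images that the `right - left + 1` arithmetic would handle, so `>` may be what was intended. Load() starts and ends outside these hunks.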
@@ -0,0 +1,34 @@
+Description: Fix integer overflow in the ljpeg_start function in dcraw
+Author: Alex Tutubalin <lexa@lexa.ru>
+Bug-Debian: https://bugs.debian.org/786790
+Origin: https://github.com/LibRaw/LibRaw/commit/4606c28f494a750892c5c1ac7903e62dd1c6fdb5
+ https://github.com/rawstudio/rawstudio/commit/983bda1f0fa5fa86884381208274198a620f006e
+Bug: https://security-tracker.debian.org/tracker/CVE-2015-3885
+Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3885
+Reviewed-By: Anton Gladky <gladk@debian.org>
+Last-Update: 2015-10-29
+
+--- freeimage-3.15.4.orig/Source/LibRawLite/dcraw/dcraw.c
++++ Source/LibRawLite/dcraw/dcraw.c
+@@ -768,7 +768,8 @@ struct jhead {
+
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+- int c, tag, len;
++ int c, tag;
++ ushort len;
+ uchar data[0x10000];
+ const uchar *dp;
+
+--- freeimage-3.15.4.orig/Source/LibRawLite/internal/dcraw_common.cpp
++++ Source/LibRawLite/internal/dcraw_common.cpp
+@@ -630,7 +630,8 @@ void CLASS canon_compressed_load_raw()
+
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+- int c, tag, len;
++ int c, tag;
++ ushort len;
+ uchar data[0x10000];
+ const uchar *dp;
+
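Review bot: Narrowing `len` to `ushort` in both copies of ljpeg_start is left unexplained, and the fix only holds because a 16-bit value can never exceed the `uchar data[0x10000]` declared on the next line. A comment on the declaration would keep that coupling visible, e.g. `/* 16-bit on purpose: len must never exceed sizeof data (0x10000) */`. The statements that compute and use `len` are outside the hunk, so this presumes it bounds a read into `data`; if the length is derived by subtraction, an undersized field would now wrap to a large value rather than go negative, and an explicit range check would state the intent more directly than the type does. The identical change in dcraw_common.cpp carries the same point.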