gdk-pixbuf: Security Advisory - gdk-pixbuf - CVE-2015-4491

pixops: Be more careful about integer overflow

Integer overflow in the make_filter_table function in pixops/pixops.c
in gdk-pixbuf before 2.31.5, as used in Mozilla Firefox before 40.0 and
Firefox ESR 38.x before 38.2 on Linux, Google Chrome on Linux, and other
products, allows remote attackers to execute arbitrary code or cause a
denial of service (heap-based buffer overflow and application crash) via
crafted bitmap dimensions that are mishandled during scaling.

(From OE-Core master rev: e27f367d08becce9486f2890cb7382f3c8448246)

(From OE-Core rev: 8e6da2d34ed6e3352e235c1723d6b4f425bd5932)

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Joshua Lock <joshua.lock@collabora.co.uk>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Li Zhou 2015-08-18 11:45:41 +08:00 committed by Richard Purdie
parent 541876e3e5
commit 0b1ea952ad
2 changed files with 90 additions and 0 deletions
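The CVE text above says the filter-table size is mishandled for crafted dimensions. The following is an added example, not gdk-pixbuf's or OE-Core's code, showing how the element count computed in make_filter_table() wraps in 32-bit arithmetic and what a checked computation that refuses such dimensions before allocating looks like. It assumes SUBSAMPLE is 16 (the macro's value is not shown on this page), and n_x/n_y stand in for filter->x.n and filter->y.n; the dimensions in main() are constructed for the demonstration.

```c
/* Added example (not gdk-pixbuf's own code): how the filter-table element
 * count in make_filter_table() can wrap, and a checked computation that
 * rejects such dimensions before anything is allocated.
 * Assumption: SUBSAMPLE == 16 (not shown on the page). n_x and n_y stand in
 * for filter->x.n and filter->y.n, the per-axis filter lengths. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define SUBSAMPLE 16

/* Element count as a 32-bit product, the shape of the pre-fix expression
 * `SUBSAMPLE * SUBSAMPLE * n_x * n_y` evaluated in int. Modelled with
 * uint32_t so the wrap-around is well defined here; in the real signed-int
 * case the overflow is undefined behaviour, and the outcome the advisory
 * describes is a heap allocation far smaller than what is later written. */
uint32_t weights_count_wrapped(uint32_t n_x, uint32_t n_y)
{
    return (uint32_t)SUBSAMPLE * SUBSAMPLE * n_x * n_y;
}

/* Checked element count in size_t. Each multiplication is guarded by a
 * division test before it is performed, so no intermediate can wrap.
 * Returns 1 and stores the count on success, 0 on overflow or zero input. */
int weights_count_checked(size_t n_x, size_t n_y, size_t *count)
{
    size_t per_cell = (size_t)SUBSAMPLE * SUBSAMPLE;  /* 256, cannot overflow */
    if (n_x == 0 || n_y == 0)
        return 0;
    if (n_x > SIZE_MAX / per_cell)
        return 0;
    size_t per_row = per_cell * n_x;
    if (n_y > SIZE_MAX / per_row)
        return 0;
    *count = per_row * n_y;
    return 1;
}

/* Allocate the weight table or return NULL: the element count is checked,
 * the byte size is checked again against sizeof(int), and allocation
 * failure is reported to the caller instead of aborting, which is the
 * behaviour the upstream patch header asks for. */
int *alloc_filter_table(size_t n_x, size_t n_y, size_t *count_out)
{
    size_t count;
    if (!weights_count_checked(n_x, n_y, &count))
        return NULL;
    if (count > SIZE_MAX / sizeof(int))
        return NULL;
    int *table = calloc(count, sizeof(int));
    if (table != NULL && count_out != NULL)
        *count_out = count;
    return table;
}

int main(void)
{
    /* Constructed dimensions: 256 * 4097 * 4096 = 4296015872 does not fit in
     * 32 bits and wraps to 1048576, so unchecked code would allocate a 4 MiB
     * table and then write roughly 16 GiB of weights into it. */
    uint32_t n_x = 4097, n_y = 4096;
    size_t count = 0;
    printf("wrapped count: %u\n", weights_count_wrapped(n_x, n_y));
    if (weights_count_checked(n_x, n_y, &count))
        printf("true count:    %zu\n", count);
    else
        printf("true count does not fit in size_t on this platform\n");

    /* A small table is allocated normally; an absurd one is refused. */
    int *t = alloc_filter_table(3, 5, &count);
    printf("small table: %s, %zu entries\n", t ? "ok" : "NULL", count);
    free(t);
    printf("huge table:  %s\n",
           alloc_filter_table(SIZE_MAX / 2, SIZE_MAX / 2, NULL) ? "ok" : "NULL");
    return 0;
}
```

The division-before-multiply guard is the portable form of the check; on a compiler that provides it, `__builtin_mul_overflow` expresses the same thing in one call. The important property either way is that the check runs on the operands, not on a product that has already wrapped.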


@ -0,0 +1,89 @@
From ffec86ed5010c5a2be14f47b33bcf4ed3169a199 Mon Sep 17 00:00:00 2001
From: Matthias Clasen <mclasen@redhat.com>
Date: Mon, 13 Jul 2015 00:33:40 -0400
Subject: [PATCH] pixops: Be more careful about integer overflow
Our loader code is supposed to handle out-of-memory and overflow
situations gracefully, reporting errors instead of aborting. But
if you load an image at a specific size, we also execute our
scaling code, which was not careful enough about overflow in some
places.
This commit makes the scaling code silently return if it fails to
allocate filter tables. This is the best we can do, since
gdk_pixbuf_scale() is not taking a GError.
https://bugzilla.gnome.org/show_bug.cgi?id=752297
Upstream-Status: backport
Signed-off-by: Li Zhou <li.zhou@windriver.com>
---
gdk-pixbuf/pixops/pixops.c | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
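Review bot: the patch header records `Upstream-Status: backport` but nothing ties the file to the advisory it fixes; add a `CVE: CVE-2015-4491` line next to Upstream-Status, which is the OE-Core tag for security backports and lets the recipe's CVE tracking match the patch, and write the status as `Backport`, the capitalised form the OE-Core patch guidelines use.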
diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c
index 29a1c14..ce51745 100644
--- a/gdk-pixbuf/pixops/pixops.c
+++ b/gdk-pixbuf/pixops/pixops.c
@@ -1272,7 +1272,16 @@ make_filter_table (PixopsFilter *filter)
int i_offset, j_offset;
int n_x = filter->x.n;
int n_y = filter->y.n;
- int *weights = g_new (int, SUBSAMPLE * SUBSAMPLE * n_x * n_y);
+ gsize n_weights;
+ int *weights;
+
+ n_weights = SUBSAMPLE * SUBSAMPLE * n_x * n_y;
+ if (n_weights / (SUBSAMPLE * SUBSAMPLE * n_x) != n_y)
+ return NULL; /* overflow, bail */
+
+ weights = g_try_new (int, n_weights);
+ if (!weights)
+ return NULL; /* overflow, bail */
for (i_offset=0; i_offset < SUBSAMPLE; i_offset++)
for (j_offset=0; j_offset < SUBSAMPLE; j_offset++)
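Review bot: the overflow check on `n_weights = SUBSAMPLE * SUBSAMPLE * n_x * n_y;` runs too late, because n_x, n_y and SUBSAMPLE are all int, so the product is evaluated in int (signed overflow, undefined behaviour) and only the already-wrapped result is widened to gsize before the division test; compute in gsize from the first factor, e.g. `n_weights = (gsize) SUBSAMPLE * SUBSAMPLE * n_x * n_y;`, and guard each multiplication, since the divisor `SUBSAMPLE * SUBSAMPLE * n_x` can itself overflow and is zero when n_x is 0. The second `return NULL; /* overflow, bail */` after `g_try_new` is an allocation failure, not an overflow; label it as such so the two paths are distinguishable when reading the caller.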
@@ -1347,8 +1356,11 @@ pixops_process (guchar *dest_buf,
if (x_step == 0 || y_step == 0)
return; /* overflow, bail out */
- line_bufs = g_new (guchar *, filter->y.n);
filter_weights = make_filter_table (filter);
+ if (!filter_weights)
+ return; /* overflow, bail out */
+
+ line_bufs = g_new (guchar *, filter->y.n);
check_shift = check_size ? get_check_shift (check_size) : 0;
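Review bot: the new `return; /* overflow, bail out */` after `make_filter_table` leaves `dest_buf` exactly as the caller passed it, and because gdk_pixbuf_scale() has no GError (as the patch header notes) the caller gets no signal that scaling was skipped and may hand uninitialised destination pixels onward; document this on pixops_process and consider clearing the destination rows on the bail-out path. Moving `line_bufs = g_new (guchar *, filter->y.n);` below the check is right, as it avoids leaking line_bufs on that path.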
@@ -1468,7 +1480,7 @@ tile_make_weights (PixopsFilterDimension *dim,
double scale)
{
int n = ceil (1 / scale + 1);
- double *pixel_weights = g_new (double, SUBSAMPLE * n);
+ double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
int offset;
int i;
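Review bot: `g_malloc_n (sizeof (double) * SUBSAMPLE, n)` makes the size multiplication overflow-safe, but g_malloc_n aborts via g_error() on overflow or out-of-memory rather than returning NULL, so tile_make_weights never takes the silent-return path the header describes; an abort is preferable to a heap overflow, but say so. The earlier line `int n = ceil (1 / scale + 1);` is the remaining gap: a tiny scale produces a double beyond INT_MAX, and that double-to-int conversion is itself undefined behaviour before g_malloc_n ever sees n; bound the double before converting, or keep n in gsize.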
@@ -1526,7 +1538,7 @@ bilinear_magnify_make_weights (PixopsFilterDimension *dim,
}
dim->n = n;
- dim->weights = g_new (double, SUBSAMPLE * n);
+ dim->weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
pixel_weights = dim->weights;
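Review bot: `dim->n = n;` is stored before `dim->weights = g_malloc_n (...)`, so if this allocation is later switched to g_try_malloc_n to fail gracefully, dim would carry a length for a table that was never allocated; assign dim->n only once dim->weights is non-NULL and return a failure indication so pixops_process can bail out here the same way it now does for make_filter_table.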
@@ -1617,7 +1629,7 @@ bilinear_box_make_weights (PixopsFilterDimension *dim,
double scale)
{
int n = ceil (1/scale + 3.0);
- double *pixel_weights = g_new (double, SUBSAMPLE * n);
+ double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
double w;
int offset, i;
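Review bot: argument order. g_malloc_n takes (n_blocks, n_block_bytes), and here, as in the two hunks above, the byte size `sizeof (double) * SUBSAMPLE` is passed as the block count and `n` as the block size; the product and its overflow check are the same, but `g_malloc_n (n, sizeof (double) * SUBSAMPLE)` reads as intended. `int n = ceil (1/scale + 3.0);` has the same double-to-int conversion concern as tile_make_weights and should get the same bound.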
--
1.7.9.5


@ -18,6 +18,7 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \
file://extending-libinstall-dependencies.patch \
file://run-ptest \
file://fatal-loader.patch \
file://0001-pixops-Be-more-careful-about-integer-overflow.patch \
"
SRC_URI[md5sum] = "4fed0d54432f1b69fc6e66e608bd5542"
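Review bot: the unchanged `SRC_URI[md5sum]` shows the recipe stays on its current tarball and carries the fix as a backport, while the advisory text in the commit message says the issue is fixed upstream in gdk-pixbuf 2.31.5; that is the right choice for a stable branch, but on master an upgrade to 2.31.5 would drop the patch, so state in the commit message why the version is kept.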