import gdk-pixbuf2-2.42.6-3.el9

c9 imports/c9/gdk-pixbuf2-2.42.6-3.el9
CentOS Sources 2 years ago committed by MSVSphere Packaging Team
parent 6db2d1b1f0
commit 51bb2a2d49

@ -0,0 +1,61 @@
From 6976bdc8ee9dd2c2954f91066f7b0f643769a379 Mon Sep 17 00:00:00 2001
From: Robert Ancell <robert.ancell@canonical.com>
Date: Thu, 3 Jun 2021 11:05:56 +1200
Subject: [PATCH] gif: Check for overflow when compositing or clearing frames.
Fixes: #190
Similar to fix in 086e8adf4cc352cd11572f96066b001b545f354e
---
gdk-pixbuf/io-gif-animation.c | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/gdk-pixbuf/io-gif-animation.c b/gdk-pixbuf/io-gif-animation.c
index 8335cdd76..71d9265e6 100644
--- a/gdk-pixbuf/io-gif-animation.c
+++ b/gdk-pixbuf/io-gif-animation.c
@@ -369,7 +369,7 @@ composite_frame (GdkPixbufGifAnim *anim, GdkPixbufFrame *frame)
for (i = 0; i < n_indexes; i++) {
guint8 index = index_buffer[i];
guint x, y;
- int offset;
+ gsize offset;
if (index == frame->transparent_index)
continue;
@@ -379,11 +379,13 @@ composite_frame (GdkPixbufGifAnim *anim, GdkPixbufFrame *frame)
if (x >= anim->width || y >= anim->height)
continue;
- offset = y * gdk_pixbuf_get_rowstride (anim->last_frame_data) + x * 4;
- pixels[offset + 0] = frame->color_map[index * 3 + 0];
- pixels[offset + 1] = frame->color_map[index * 3 + 1];
- pixels[offset + 2] = frame->color_map[index * 3 + 2];
- pixels[offset + 3] = 255;
+ if (g_size_checked_mul (&offset, gdk_pixbuf_get_rowstride (anim->last_frame_data), y) &&
+ g_size_checked_add (&offset, offset, x * 4)) {
+ pixels[offset + 0] = frame->color_map[index * 3 + 0];
+ pixels[offset + 1] = frame->color_map[index * 3 + 1];
+ pixels[offset + 2] = frame->color_map[index * 3 + 2];
+ pixels[offset + 3] = 255;
+ }
}
out:
@@ -448,8 +450,11 @@ gdk_pixbuf_gif_anim_iter_get_pixbuf (GdkPixbufAnimationIter *anim_iter)
x_end = MIN (anim->last_frame->x_offset + anim->last_frame->width, anim->width);
y_end = MIN (anim->last_frame->y_offset + anim->last_frame->height, anim->height);
for (y = anim->last_frame->y_offset; y < y_end; y++) {
- guchar *line = pixels + y * gdk_pixbuf_get_rowstride (anim->last_frame_data) + anim->last_frame->x_offset * 4;
- memset (line, 0, (x_end - anim->last_frame->x_offset) * 4);
+ gsize offset;
+ if (g_size_checked_mul (&offset, gdk_pixbuf_get_rowstride (anim->last_frame_data), y) &&
+ g_size_checked_add (&offset, offset, anim->last_frame->x_offset * 4)) {
+ memset (pixels + offset, 0, (x_end - anim->last_frame->x_offset) * 4);
+ }
}
break;
case GDK_PIXBUF_FRAME_REVERT:
--
GitLab

@ -0,0 +1,224 @@
From 76eda67dbc3f48c9dd6815a5aaf6014ea4a16771 Mon Sep 17 00:00:00 2001
From: Robert Ancell <robert.ancell@canonical.com>
Date: Wed, 2 Feb 2022 12:36:08 +1300
Subject: [PATCH 1/4] Fix test GIF that was broken in the LZW code size, not
the values of the pixels
---
.../test-images/gif-test-suite/invalid-colors.gif | Bin 37 -> 35 bytes
1 file changed, 0 insertions(+), 0 deletions(-)
diff --git a/tests/test-images/gif-test-suite/invalid-colors.gif b/tests/test-images/gif-test-suite/invalid-colors.gif
index c3111525ac2d977a0dbedf917f2beae610b614f8..6c3a7240e6ba58c344051351eb3581887fa314c7 100644
GIT binary patch
delta 11
ScmY#Yo*>J{%%s7|U=08YGy!b@
delta 13
UcmY#ZogmA>!}4E&fr-Hy01|-$Y5)KL
--
GitLab
From 0cf97225c9c227d11fc4ddf9cba8e8480672ee1b Mon Sep 17 00:00:00 2001
From: Robert Ancell <robert.ancell@canonical.com>
Date: Wed, 2 Feb 2022 12:38:45 +1300
Subject: [PATCH 2/4] Add an assertion that checks for maximum LZW code size
---
gdk-pixbuf/lzw.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/gdk-pixbuf/lzw.c b/gdk-pixbuf/lzw.c
index 105daf2b1..15293560b 100644
--- a/gdk-pixbuf/lzw.c
+++ b/gdk-pixbuf/lzw.c
@@ -121,6 +121,8 @@ lzw_decoder_new (guint8 code_size)
LZWDecoder *self;
int i;
+ g_return_val_if_fail (code_size <= LZW_CODE_MAX, NULL);
+
self = g_object_new (lzw_decoder_get_type (), NULL);
self->min_code_size = code_size;
--
GitLab
From 19ebba03117aefc9d0312f675f3a210ffdcc4907 Mon Sep 17 00:00:00 2001
From: Robert Ancell <robert.ancell@canonical.com>
Date: Wed, 2 Feb 2022 14:03:13 +1300
Subject: [PATCH 3/4] Fix the check for maximum value of LZW initial code size.
This value is the number of bits for each symbol (i.e. colour index) decoded via LZW.
The maximum LZW code is specified as 12 bits, so the value here can only be 11 as two additional code words are required (clear and end of information) that immediately uses an additional bit.
This implementation has always been wrong, and the Firefox implementation has the same issue so it seems a common misinterpretation of the spec.
This has been changed here to avoid an assertion later in the LZW decoder.
Note that there is never any reason for a GIF to be encoded with more than 8 bits of colour information, as the colour tables only support up to 8 bits.
---
gdk-pixbuf/io-gif.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
index 1befba155..310bdff6a 100644
--- a/gdk-pixbuf/io-gif.c
+++ b/gdk-pixbuf/io-gif.c
@@ -499,8 +499,8 @@ gif_prepare_lzw (GifContext *context)
/*g_message (_("GIF: EOF / read error on image data\n"));*/
return -1;
}
-
- if (context->lzw_set_code_size > 12) {
+
+ if (context->lzw_set_code_size >= 12) {
g_set_error_literal (context->error,
GDK_PIXBUF_ERROR,
GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
--
GitLab
From 449441210921c8ed417b0c4d5edbccd2d57e23f8 Mon Sep 17 00:00:00 2001
From: Robert Ancell <robert.ancell@canonical.com>
Date: Wed, 2 Feb 2022 14:19:06 +1300
Subject: [PATCH 4/4] Add tests for GIF files with invalid LZW code sizes
---
tests/test-images/fail/overflow-codes-max.gif | Bin 0 -> 65 bytes
tests/test-images/fail/overflow-codes.gif | Bin 0 -> 35 bytes
tests/test-images/gif-test-suite/TESTS | 2 ++
tests/test-images/gif-test-suite/invalid-code.conf | 11 +++++++++++
tests/test-images/gif-test-suite/invalid-code.gif | Bin 0 -> 35 bytes
.../gif-test-suite/overflow-codes-max.conf | 11 +++++++++++
.../gif-test-suite/overflow-codes-max.gif | Bin 0 -> 65 bytes
.../test-images/gif-test-suite/overflow-codes.conf | 11 +++++++++++
.../test-images/gif-test-suite/overflow-codes.gif | Bin 0 -> 35 bytes
9 files changed, 35 insertions(+)
create mode 100644 tests/test-images/fail/overflow-codes-max.gif
create mode 100644 tests/test-images/fail/overflow-codes.gif
create mode 100644 tests/test-images/gif-test-suite/invalid-code.conf
create mode 100644 tests/test-images/gif-test-suite/invalid-code.gif
create mode 100644 tests/test-images/gif-test-suite/overflow-codes-max.conf
create mode 100644 tests/test-images/gif-test-suite/overflow-codes-max.gif
create mode 100644 tests/test-images/gif-test-suite/overflow-codes.conf
create mode 100644 tests/test-images/gif-test-suite/overflow-codes.gif
diff --git a/tests/test-images/fail/overflow-codes-max.gif b/tests/test-images/fail/overflow-codes-max.gif
new file mode 100644
index 0000000000000000000000000000000000000000..3d507ca7daa790c9370e69a2ab277f55d749a013
GIT binary patch
literal 65
ncmZ?wbhEHbWMW`q_`m=H|NsBj0ns24hW`ozAU1Bm$Y2csUc3i2
literal 0
HcmV?d00001
diff --git a/tests/test-images/fail/overflow-codes.gif b/tests/test-images/fail/overflow-codes.gif
new file mode 100644
index 0000000000000000000000000000000000000000..c38053872ae2e3378ff6fb8f3eaff839fa5d35ed
GIT binary patch
literal 35
jcmZ?wbhEHbWMW`q_`m=H|NsBj0ns241|B8>Mh0sDhc^Z!
literal 0
HcmV?d00001
diff --git a/tests/test-images/gif-test-suite/TESTS b/tests/test-images/gif-test-suite/TESTS
index 1d4a3f13f..bc573acf4 100644
--- a/tests/test-images/gif-test-suite/TESTS
+++ b/tests/test-images/gif-test-suite/TESTS
@@ -44,6 +44,8 @@ max-height
255-codes
large-codes
max-codes
+#overflow-codes
+#overflow-codes-max
transparent
invalid-transparent
disabled-transparent
diff --git a/tests/test-images/gif-test-suite/invalid-code.conf b/tests/test-images/gif-test-suite/invalid-code.conf
new file mode 100644
index 000000000..3bf287b4e
--- /dev/null
+++ b/tests/test-images/gif-test-suite/invalid-code.conf
@@ -0,0 +1,11 @@
+# Automatically generated, do not edit!
+[config]
+input = invalid-code.gif
+version = GIF89a
+width = 2
+height = 2
+background = #000000
+loop-count = 0
+force-animation = no
+frames =
+
diff --git a/tests/test-images/gif-test-suite/invalid-code.gif b/tests/test-images/gif-test-suite/invalid-code.gif
new file mode 100644
index 0000000000000000000000000000000000000000..7d929c9431c0c5b7cd53f636f7711d47385f88b2
GIT binary patch
literal 35
jcmZ?wbhEHbWMW`q_`m=H|NsBj0ns241}3Ke{~4?Sjj;#^
literal 0
HcmV?d00001
diff --git a/tests/test-images/gif-test-suite/overflow-codes-max.conf b/tests/test-images/gif-test-suite/overflow-codes-max.conf
new file mode 100644
index 000000000..f6d3f38d8
--- /dev/null
+++ b/tests/test-images/gif-test-suite/overflow-codes-max.conf
@@ -0,0 +1,11 @@
+# Automatically generated, do not edit!
+[config]
+input = overflow-codes-max.gif
+version = GIF89a
+width = 2
+height = 2
+background = #000000
+loop-count = 0
+force-animation = no
+frames =
+
diff --git a/tests/test-images/gif-test-suite/overflow-codes-max.gif b/tests/test-images/gif-test-suite/overflow-codes-max.gif
new file mode 100644
index 0000000000000000000000000000000000000000..3d507ca7daa790c9370e69a2ab277f55d749a013
GIT binary patch
literal 65
ncmZ?wbhEHbWMW`q_`m=H|NsBj0ns24hW`ozAU1Bm$Y2csUc3i2
literal 0
HcmV?d00001
diff --git a/tests/test-images/gif-test-suite/overflow-codes.conf b/tests/test-images/gif-test-suite/overflow-codes.conf
new file mode 100644
index 000000000..19f57fa74
--- /dev/null
+++ b/tests/test-images/gif-test-suite/overflow-codes.conf
@@ -0,0 +1,11 @@
+# Automatically generated, do not edit!
+[config]
+input = overflow-codes.gif
+version = GIF89a
+width = 2
+height = 2
+background = #000000
+loop-count = 0
+force-animation = no
+frames =
+
diff --git a/tests/test-images/gif-test-suite/overflow-codes.gif b/tests/test-images/gif-test-suite/overflow-codes.gif
new file mode 100644
index 0000000000000000000000000000000000000000..c38053872ae2e3378ff6fb8f3eaff839fa5d35ed
GIT binary patch
literal 35
jcmZ?wbhEHbWMW`q_`m=H|NsBj0ns241|B8>Mh0sDhc^Z!
literal 0
HcmV?d00001
--
GitLab

@ -2,15 +2,19 @@
Name: gdk-pixbuf2
Version: 2.42.6
Release: 2%{?dist}
Release: 3%{?dist}
Summary: An image loading library
License: LGPLv2+
URL: https://gitlab.gnome.org/GNOME/gdk-pixbuf
Source0: https://download.gnome.org/sources/gdk-pixbuf/2.42/gdk-pixbuf-%{version}.tar.xz
Patch0: gif-check-for-overflow.patch
Patch1: gif-lzw-code-size-overflow.patch
BuildRequires: docbook-style-xsl
BuildRequires: gettext
BuildRequires: git
BuildRequires: pkgconfig(gio-2.0) >= %{glib2_version}
BuildRequires: libpng-devel
BuildRequires: libjpeg-devel
@ -57,7 +61,7 @@ The %{name}-tests package contains tests that can be used to verify
the functionality of the installed %{name} package.
%prep
%autosetup -n gdk-pixbuf-%{version} -p1
%autosetup -n gdk-pixbuf-%{version} -p1 -Sgit
%build
%meson \
@ -117,6 +121,11 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache
%{_datadir}/installed-tests
%changelog
* Mon Oct 31 2022 Tomas Popela <tpopela@redhat.com> - 2.42.6-3
- Backport fixes for CVE-2021-46829 and CVE-2021-44648
- Resolves: rhbz#2115213
- Resolves: rhbz#2044346
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.42.6-2
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688

Loading…
Cancel
Save