Ubuntu
gegl package

Merge lp:~logan/ubuntu/raring/gegl/new-merge into lp:ubuntu/raring/gegl

  1. Raring (13.04)
  2. new-merge
  3. Merge into raring
Proposed by Logan Rosen
Status: Merged
Merged at revision: 16
Proposed branch: lp:~logan/ubuntu/raring/gegl/new-merge
Merge into: lp:ubuntu/raring/gegl
Diff against target: 256 lines (+180/-9)
5 files modified
.pc/applied-patches (+1/-0)
debian/changelog (+18/-0)
debian/patches/cve-2012-4433.patch (+107/-0)
debian/patches/series (+1/-0)
operations/external/ppm-load.c (+53/-9)
To merge this branch: bzr merge lp:~logan/ubuntu/raring/gegl/new-merge
Reviewer Review Type Date Requested Status
Didier Roche-Tolomelli Approve
Ubuntu branches Pending
Review via email: mp+142029@code.launchpad.net
To post a comment you must log in.
Revision history for this message
Didier Roche-Tolomelli (didrocks) wrote :

Looks fine and builds well. Sponsoring :)

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file '.pc/applied-patches'
2--- .pc/applied-patches 2012-10-29 16:01:18 +0000
3+++ .pc/applied-patches 2013-01-06 08:40:24 +0000
4@@ -0,0 +1,1 @@
5+cve-2012-4433.patch
6
7=== modified file 'debian/changelog'
8--- debian/changelog 2012-10-29 16:01:18 +0000
9+++ debian/changelog 2013-01-06 08:40:24 +0000
10@@ -1,3 +1,21 @@
11+gegl (0.2.0-2+nmu1ubuntu1) raring; urgency=low
12+
13+ * Merge from Debiam unstable. Remaining changes:
14+ - debian/control:
15+ + Drop Build-Depends on libopenraw-dev (in universe).
16+ + Drop Build-Depends on libavcodec-dev (can't be shipped on the CDs).
17+ + Drop Build-Depends on libavformat-dev, otherwise libavcodec-dev is
18+ still pulled in.
19+
20+ -- Logan Rosen <logatronico@gmail.com> Sun, 06 Jan 2013 03:31:41 -0500
21+
22+gegl (0.2.0-2+nmu1) unstable; urgency=high
23+
24+ * Non-maintainer upload.
25+ * Fix cve-2012-4433: multiple buffer overflow issues (closes: #692435).
26+
27+ -- Michael Gilbert <mgilbert@debian.org> Thu, 22 Nov 2012 08:04:44 +0000
28+
29 gegl (0.2.0-2ubuntu1) raring; urgency=low
30
31 * Merge from Debian unstable. Remaining changes:
32
33=== added directory 'debian/patches'
34=== added file 'debian/patches/cve-2012-4433.patch'
35--- debian/patches/cve-2012-4433.patch 1970-01-01 00:00:00 +0000
36+++ debian/patches/cve-2012-4433.patch 2013-01-06 08:40:24 +0000
37@@ -0,0 +1,107 @@
38+Description: Fix cve-2012-4433: multiple buffer overflow issues (closes: #692435).
39+Author: Michael Gilbert <mgilbert@debian.org>
40+Bug-Debian: http://bugs.debian.org/692435
41+--- gegl-0.2.0.orig/operations/external/ppm-load.c
42++++ gegl-0.2.0/operations/external/ppm-load.c
43+@@ -36,6 +36,7 @@ gegl_chant_file_path (path, _("File"), "
44+ #include "gegl-chant.h"
45+ #include <stdio.h>
46+ #include <stdlib.h>
47++#include <errno.h>
48+
49+ typedef enum {
50+ PIXMAP_ASCII = 51,
51+@@ -44,8 +45,8 @@ typedef enum {
52+
53+ typedef struct {
54+ map_type type;
55+- gint width;
56+- gint height;
57++ glong width;
58++ glong height;
59+ gsize numsamples; /* width * height * channels */
60+ gsize bpc; /* bytes per channel */
61+ guchar *data;
62+@@ -82,12 +83,33 @@ ppm_load_read_header(FILE *fp,
63+ }
64+
65+ /* Get Width and Height */
66+- img->width = strtol (header,&ptr,0);
67+- img->height = atoi (ptr);
68+- img->numsamples = img->width * img->height * CHANNEL_COUNT;
69++ errno = 0;
70++ img->width = strtol (header,&ptr,10);
71++ if (errno)
72++ {
73++ g_warning ("Error reading width: %s", strerror(errno));
74++ return FALSE;
75++ }
76++ else if (img->width < 0)
77++ {
78++ g_warning ("Error: width is negative");
79++ return FALSE;
80++ }
81++
82++ img->height = strtol (ptr,&ptr,10);
83++ if (errno)
84++ {
85++ g_warning ("Error reading height: %s", strerror(errno));
86++ return FALSE;
87++ }
88++ else if (img->width < 0)
89++ {
90++ g_warning ("Error: height is negative");
91++ return FALSE;
92++ }
93+
94+ fgets (header,MAX_CHARS_IN_ROW,fp);
95+- maxval = strtol (header,&ptr,0);
96++ maxval = strtol (header,&ptr,10);
97+
98+ if ((maxval != 255) && (maxval != 65535))
99+ {
100+@@ -109,6 +131,16 @@ ppm_load_read_header(FILE *fp,
101+ g_warning ("%s: Programmer stupidity error", G_STRLOC);
102+ }
103+
104++ /* Later on, img->numsamples is multiplied with img->bpc to allocate
105++ * memory. Ensure it doesn't overflow. */
106++ if (!img->width || !img->height ||
107++ G_MAXSIZE / img->width / img->height / CHANNEL_COUNT < img->bpc)
108++ {
109++ g_warning ("Illegal width/height: %ld/%ld", img->width, img->height);
110++ return FALSE;
111++ }
112++ img->numsamples = img->width * img->height * CHANNEL_COUNT;
113++
114+ return TRUE;
115+ }
116+
117+@@ -229,12 +261,24 @@ process (GeglOperation *operation,
118+ if (!ppm_load_read_header (fp, &img))
119+ goto out;
120+
121+- rect.height = img.height;
122+- rect.width = img.width;
123+-
124+ /* Allocating Array Size */
125++
126++ /* Should use g_try_malloc(), but this causes crashes elsewhere because the
127++ * error signalled by returning FALSE isn't properly acted upon. Therefore
128++ * g_malloc() is used here which aborts if the requested memory size can't be
129++ * allocated causing a controlled crash. */
130+ img.data = (guchar*) g_malloc (img.numsamples * img.bpc);
131+
132++ /* No-op without g_try_malloc(), see above. */
133++ if (! img.data)
134++ {
135++ g_warning ("Couldn't allocate %" G_GSIZE_FORMAT " bytes, giving up.", ((gsize)img.numsamples * img.bpc));
136++ goto out;
137++ }
138++
139++ rect.height = img.height;
140++ rect.width = img.width;
141++
142+ switch (img.bpc)
143+ {
144+ case 1:
145
146=== added file 'debian/patches/series'
147--- debian/patches/series 1970-01-01 00:00:00 +0000
148+++ debian/patches/series 2013-01-06 08:40:24 +0000
149@@ -0,0 +1,1 @@
150+cve-2012-4433.patch
151
152=== modified file 'operations/external/ppm-load.c'
153--- operations/external/ppm-load.c 2012-05-06 09:36:40 +0000
154+++ operations/external/ppm-load.c 2013-01-06 08:40:24 +0000
155@@ -36,6 +36,7 @@
156 #include "gegl-chant.h"
157 #include <stdio.h>
158 #include <stdlib.h>
159+#include <errno.h>
160
161 typedef enum {
162 PIXMAP_ASCII = 51,
163@@ -44,8 +45,8 @@
164
165 typedef struct {
166 map_type type;
167- gint width;
168- gint height;
169+ glong width;
170+ glong height;
171 gsize numsamples; /* width * height * channels */
172 gsize bpc; /* bytes per channel */
173 guchar *data;
174@@ -82,12 +83,33 @@
175 }
176
177 /* Get Width and Height */
178- img->width = strtol (header,&ptr,0);
179- img->height = atoi (ptr);
180- img->numsamples = img->width * img->height * CHANNEL_COUNT;
181+ errno = 0;
182+ img->width = strtol (header,&ptr,10);
183+ if (errno)
184+ {
185+ g_warning ("Error reading width: %s", strerror(errno));
186+ return FALSE;
187+ }
188+ else if (img->width < 0)
189+ {
190+ g_warning ("Error: width is negative");
191+ return FALSE;
192+ }
193+
194+ img->height = strtol (ptr,&ptr,10);
195+ if (errno)
196+ {
197+ g_warning ("Error reading height: %s", strerror(errno));
198+ return FALSE;
199+ }
200+ else if (img->width < 0)
201+ {
202+ g_warning ("Error: height is negative");
203+ return FALSE;
204+ }
205
206 fgets (header,MAX_CHARS_IN_ROW,fp);
207- maxval = strtol (header,&ptr,0);
208+ maxval = strtol (header,&ptr,10);
209
210 if ((maxval != 255) && (maxval != 65535))
211 {
212@@ -109,6 +131,16 @@
213 g_warning ("%s: Programmer stupidity error", G_STRLOC);
214 }
215
216+ /* Later on, img->numsamples is multiplied with img->bpc to allocate
217+ * memory. Ensure it doesn't overflow. */
218+ if (!img->width || !img->height ||
219+ G_MAXSIZE / img->width / img->height / CHANNEL_COUNT < img->bpc)
220+ {
221+ g_warning ("Illegal width/height: %ld/%ld", img->width, img->height);
222+ return FALSE;
223+ }
224+ img->numsamples = img->width * img->height * CHANNEL_COUNT;
225+
226 return TRUE;
227 }
228
229@@ -229,12 +261,24 @@
230 if (!ppm_load_read_header (fp, &img))
231 goto out;
232
233+ /* Allocating Array Size */
234+
235+ /* Should use g_try_malloc(), but this causes crashes elsewhere because the
236+ * error signalled by returning FALSE isn't properly acted upon. Therefore
237+ * g_malloc() is used here which aborts if the requested memory size can't be
238+ * allocated causing a controlled crash. */
239+ img.data = (guchar*) g_malloc (img.numsamples * img.bpc);
240+
241+ /* No-op without g_try_malloc(), see above. */
242+ if (! img.data)
243+ {
244+ g_warning ("Couldn't allocate %" G_GSIZE_FORMAT " bytes, giving up.", ((gsize)img.numsamples * img.bpc));
245+ goto out;
246+ }
247+
248 rect.height = img.height;
249 rect.width = img.width;
250
251- /* Allocating Array Size */
252- img.data = (guchar*) g_malloc (img.numsamples * img.bpc);
253-
254 switch (img.bpc)
255 {
256 case 1:

Subscribers

People subscribed via source and target branches

to all changes: