Merge lp:~logan/ubuntu/raring/gegl/new-merge into lp:ubuntu/raring/gegl

Proposed by Logan Rosen
Status: Merged
Merged at revision: 16
Proposed branch: lp:~logan/ubuntu/raring/gegl/new-merge
Merge into: lp:ubuntu/raring/gegl
Diff against target: 256 lines (+180/-9)
5 files modified
.pc/applied-patches (+1/-0)
debian/changelog (+18/-0)
debian/patches/cve-2012-4433.patch (+107/-0)
debian/patches/series (+1/-0)
operations/external/ppm-load.c (+53/-9)
Reviewer Review Type Date Requested Status
Didier Roche-Tolomelli Approve
Ubuntu branches Pending
Didier Roche-Tolomelli (didrocks) wrote :

Looks fine and builds well. Sponsoring :)

review: Approve

Preview Diff

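--- a/.pc/applied-patches
+++ b/.pc/applied-patches
@@ -0,0 +1,1 @@
+cve-2012-4433.patch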
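--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+gegl (0.2.0-2+nmu1ubuntu1) raring; urgency=low
+
+ * Merge from Debiam unstable. Remaining changes:
+ - debian/control:
+ + Drop Build-Depends on libopenraw-dev (in universe).
+ + Drop Build-Depends on libavcodec-dev (can't be shipped on the CDs).
+ + Drop Build-Depends on libavformat-dev, otherwise libavcodec-dev is
+ still pulled in.
+
+ -- Logan Rosen <logatronico@gmail.com> Sun, 06 Jan 2013 03:31:41 -0500
+
+gegl (0.2.0-2+nmu1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Fix cve-2012-4433: multiple buffer overflow issues (closes: #692435).
+
+ -- Michael Gilbert <mgilbert@debian.org> Thu, 22 Nov 2012 08:04:44 +0000
+
 gegl (0.2.0-2ubuntu1) raring; urgency=low
 
  * Merge from Debian unstable. Remaining changes: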
=== added directory 'debian/patches'
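--- a/debian/patches/cve-2012-4433.patch
+++ b/debian/patches/cve-2012-4433.patch
@@ -0,0 +1,107 @@
+Description: Fix cve-2012-4433: multiple buffer overflow issues (closes: #692435).
+Author: Michael Gilbert <mgilbert@debian.org>
+Bug-Debian: http://bugs.debian.org/692435
+--- gegl-0.2.0.orig/operations/external/ppm-load.c
++++ gegl-0.2.0/operations/external/ppm-load.c
+@@ -36,6 +36,7 @@ gegl_chant_file_path (path, _("File"), "
+ #include "gegl-chant.h"
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <errno.h>
+
+ typedef enum {
+ PIXMAP_ASCII = 51,
+@@ -44,8 +45,8 @@ typedef enum {
+
+ typedef struct {
+ map_type type;
+- gint width;
+- gint height;
++ glong width;
++ glong height;
+ gsize numsamples; /* width * height * channels */
+ gsize bpc; /* bytes per channel */
+ guchar *data;
+@@ -82,12 +83,33 @@ ppm_load_read_header(FILE *fp,
+ }
+
+ /* Get Width and Height */
+- img->width = strtol (header,&ptr,0);
+- img->height = atoi (ptr);
+- img->numsamples = img->width * img->height * CHANNEL_COUNT;
++ errno = 0;
++ img->width = strtol (header,&ptr,10);
++ if (errno)
++ {
++ g_warning ("Error reading width: %s", strerror(errno));
++ return FALSE;
++ }
++ else if (img->width < 0)
++ {
++ g_warning ("Error: width is negative");
++ return FALSE;
++ }
++
++ img->height = strtol (ptr,&ptr,10);
++ if (errno)
++ {
++ g_warning ("Error reading height: %s", strerror(errno));
++ return FALSE;
++ }
++ else if (img->width < 0)
++ {
++ g_warning ("Error: height is negative");
++ return FALSE;
++ }
+
+ fgets (header,MAX_CHARS_IN_ROW,fp);
+- maxval = strtol (header,&ptr,0);
++ maxval = strtol (header,&ptr,10);
+
+ if ((maxval != 255) && (maxval != 65535))
+ {
+@@ -109,6 +131,16 @@ ppm_load_read_header(FILE *fp,
+ g_warning ("%s: Programmer stupidity error", G_STRLOC);
+ }
+
++ /* Later on, img->numsamples is multiplied with img->bpc to allocate
++ * memory. Ensure it doesn't overflow. */
++ if (!img->width || !img->height ||
++ G_MAXSIZE / img->width / img->height / CHANNEL_COUNT < img->bpc)
++ {
++ g_warning ("Illegal width/height: %ld/%ld", img->width, img->height);
++ return FALSE;
++ }
++ img->numsamples = img->width * img->height * CHANNEL_COUNT;
++
+ return TRUE;
+ }
+
+@@ -229,12 +261,24 @@ process (GeglOperation *operation,
+ if (!ppm_load_read_header (fp, &img))
+ goto out;
+
+- rect.height = img.height;
+- rect.width = img.width;
+-
+ /* Allocating Array Size */
++
++ /* Should use g_try_malloc(), but this causes crashes elsewhere because the
++ * error signalled by returning FALSE isn't properly acted upon. Therefore
++ * g_malloc() is used here which aborts if the requested memory size can't be
++ * allocated causing a controlled crash. */
+ img.data = (guchar*) g_malloc (img.numsamples * img.bpc);
+
++ /* No-op without g_try_malloc(), see above. */
++ if (! img.data)
++ {
++ g_warning ("Couldn't allocate %" G_GSIZE_FORMAT " bytes, giving up.", ((gsize)img.numsamples * img.bpc));
++ goto out;
++ }
++
++ rect.height = img.height;
++ rect.width = img.width;
++
+ switch (img.bpc)
+ {
+ case 1: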
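Review bot: The negative-height guard in the ppm_load_read_header hunk tests the wrong field: after `img->height = strtol (ptr,&ptr,10);` the branch still reads `else if (img->width < 0)`, so the "Error: height is negative" path can never fire. It should be `else if (img->height < 0)`. As written, a negative height is stopped only by the later `G_MAXSIZE / img->width / img->height / CHANNEL_COUNT < img->bpc` test, and apparently only because the signed value is converted to an unsigned type in that division. That is too incidental to rely on in a buffer-overflow fix. The same lines are applied in the operations/external/ppm-load.c section of this merge, and the function body begins and ends outside the hunk.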
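--- a/debian/patches/series
+++ b/debian/patches/series
@@ -0,0 +1,1 @@
+cve-2012-4433.patch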
=== modified file 'operations/external/ppm-load.c'
--- operations/external/ppm-load.c 2012-05-06 09:36:40 +0000
+++ operations/external/ppm-load.c 2013-01-06 08:40:24 +0000
@@ -36,6 +36,7 @@
36#include "gegl-chant.h"36#include "gegl-chant.h"
37#include <stdio.h>37#include <stdio.h>
38#include <stdlib.h>38#include <stdlib.h>
39#include <errno.h>
3940
40typedef enum {41typedef enum {
41 PIXMAP_ASCII = 51,42 PIXMAP_ASCII = 51,
@@ -44,8 +45,8 @@
4445
45typedef struct {46typedef struct {
46 map_type type;47 map_type type;
47 gint width;48 glong width;
48 gint height;49 glong height;
49 gsize numsamples; /* width * height * channels */50 gsize numsamples; /* width * height * channels */
50 gsize bpc; /* bytes per channel */51 gsize bpc; /* bytes per channel */
51 guchar *data;52 guchar *data;
@@ -82,12 +83,33 @@
82 }83 }
8384
84 /* Get Width and Height */85 /* Get Width and Height */
85 img->width = strtol (header,&ptr,0);86 errno = 0;
86 img->height = atoi (ptr);87 img->width = strtol (header,&ptr,10);
87 img->numsamples = img->width * img->height * CHANNEL_COUNT;88 if (errno)
89 {
90 g_warning ("Error reading width: %s", strerror(errno));
91 return FALSE;
92 }
93 else if (img->width < 0)
94 {
95 g_warning ("Error: width is negative");
96 return FALSE;
97 }
98
99 img->height = strtol (ptr,&ptr,10);
100 if (errno)
101 {
102 g_warning ("Error reading height: %s", strerror(errno));
103 return FALSE;
104 }
105 else if (img->width < 0)
106 {
107 g_warning ("Error: height is negative");
108 return FALSE;
109 }
88110
89 fgets (header,MAX_CHARS_IN_ROW,fp);111 fgets (header,MAX_CHARS_IN_ROW,fp);
90 maxval = strtol (header,&ptr,0);112 maxval = strtol (header,&ptr,10);
91113
92 if ((maxval != 255) && (maxval != 65535))114 if ((maxval != 255) && (maxval != 65535))
93 {115 {
@@ -109,6 +131,16 @@
109 g_warning ("%s: Programmer stupidity error", G_STRLOC);131 g_warning ("%s: Programmer stupidity error", G_STRLOC);
110 }132 }
111133
134 /* Later on, img->numsamples is multiplied with img->bpc to allocate
135 * memory. Ensure it doesn't overflow. */
136 if (!img->width || !img->height ||
137 G_MAXSIZE / img->width / img->height / CHANNEL_COUNT < img->bpc)
138 {
139 g_warning ("Illegal width/height: %ld/%ld", img->width, img->height);
140 return FALSE;
141 }
142 img->numsamples = img->width * img->height * CHANNEL_COUNT;
143
112 return TRUE;144 return TRUE;
113}145}
114146
@@ -229,12 +261,24 @@
229 if (!ppm_load_read_header (fp, &img))261 if (!ppm_load_read_header (fp, &img))
230 goto out;262 goto out;
231263
264 /* Allocating Array Size */
265
266 /* Should use g_try_malloc(), but this causes crashes elsewhere because the
267 * error signalled by returning FALSE isn't properly acted upon. Therefore
268 * g_malloc() is used here which aborts if the requested memory size can't be
269 * allocated causing a controlled crash. */
270 img.data = (guchar*) g_malloc (img.numsamples * img.bpc);
271
272 /* No-op without g_try_malloc(), see above. */
273 if (! img.data)
274 {
275 g_warning ("Couldn't allocate %" G_GSIZE_FORMAT " bytes, giving up.", ((gsize)img.numsamples * img.bpc));
276 goto out;
277 }
278
232 rect.height = img.height;279 rect.height = img.height;
233 rect.width = img.width;280 rect.width = img.width;
234281
235 /* Allocating Array Size */
236 img.data = (guchar*) g_malloc (img.numsamples * img.bpc);
237
238 switch (img.bpc)282 switch (img.bpc)
239 {283 {
240 case 1:284 case 1:
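Review bot: The header parser now stores width and height as `glong` with no upper bound other than the `G_MAXSIZE` overflow test, but the `process` hunk still copies them into `rect.height` and `rect.width`. `rect` is presumably a GeglRectangle with `gint` fields (its declaration is outside the hunk), so values above `G_MAXINT` would be silently narrowed on LP64 builds and the rectangle would no longer match the buffer that was sized from `img.numsamples`. Rejecting them at parse time, e.g. `else if (img->width < 0 || img->width > G_MAXINT)` with the equivalent test on `img->height`, keeps the two in agreement. Separately, the size passed to `g_malloc` stays header-controlled up to `G_MAXSIZE`, and the new comment notes that `g_malloc` aborts on failure, so an oversized header still terminates the host process; a documented maximum sample count would close that. Both functions continue outside the visible hunks.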
