
imlib2-1.2.2-3.2mdv2007.1.src.rpm

--- imlib2-1.2.2/src/lib/common.h.cve-2006-4806	2006-01-23 20:46:04.000000000 -0700
+++ imlib2-1.2.2/src/lib/common.h	2006-11-07 09:19:48.000000000 -0700
@@ -35,6 +35,10 @@ if ((y + h) > ((yy) + (hh))) {h = (hh) -
 #define MIN(a, b) (((a) < (b)) ? (a) : (b))
 #define MAX(a, b) (((a) > (b)) ? (a) : (b))
 
+/* used to check image size for CVE-2006-4806 */
+#define CHKIMGSZ(w, h) \
+(w < 1 || h < 1 || w > 16383 || h > 16383)
+
 #ifdef __EMX__
 extern char *__XOS2RedirRoot(const char *);
 #endif
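Review bot: CHKIMGSZ expands its arguments without parentheses, and the comment does not say where 16383 comes from. The callers in this patch pass plain identifiers or member accesses, so nothing breaks today, but `#define CHKIMGSZ(w, h) ((w) < 1 || (h) < 1 || (w) > 16383 || (h) > 16383)` stays correct for any expression. The loaders also write `if CHKIMGSZ(...)` and rely on the macro's own parentheses as the condition; `if (CHKIMGSZ(w, h))` reads as ordinary C and survives a later change to the macro. A comment such as `/* nonzero when w or h is outside 1..16383; presumably chosen so w * h * 4 stays below INT_MAX */` would record the bound for the next maintainer.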
--- imlib2-1.2.2/src/modules/loaders/loader_png.c.cve-2006-4806	2006-01-23 20:46:08.000000000 -0700
+++ imlib2-1.2.2/src/modules/loaders/loader_png.c	2006-11-07 09:19:48.000000000 -0700
@@ -83,6 +83,12 @@ load(ImlibImage * im, ImlibProgressFunct
         png_get_IHDR(png_ptr, info_ptr, (png_uint_32 *) (&w32),
                      (png_uint_32 *) (&h32), &bit_depth, &color_type,
                      &interlace_type, NULL, NULL);
+        if CHKIMGSZ(w32, h32)
+          {
+             png_destroy_read_struct(&png_ptr, NULL, NULL);
+             fclose(f);
+             return 0;
+          }  
         im->w = (int)w32;
         im->h = (int)h32;
         if (color_type == PNG_COLOR_TYPE_PALETTE)
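Review bot: The new rejection path calls `png_destroy_read_struct(&png_ptr, NULL, NULL)`, which leaves `info_ptr` allocated even though the `png_get_IHDR` call just above has already used it. Passing the info struct as well, `png_destroy_read_struct(&png_ptr, &info_ptr, NULL);`, releases both, so rejected oversized headers do not leak memory per file. The rest of load() lies outside the hunk, so whether the other exit paths already pass `&info_ptr` cannot be confirmed from here.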
--- imlib2-1.2.2/src/modules/loaders/loader_lbm.c.cve-2006-4806	2006-01-23 20:46:08.000000000 -0700
+++ imlib2-1.2.2/src/modules/loaders/loader_lbm.c	2006-11-07 09:19:48.000000000 -0700
@@ -421,7 +421,7 @@ ILBM    ilbm;
 
         im->w = L2RWORD(ilbm.bmhd.data);
         im->h = L2RWORD(ilbm.bmhd.data + 2);
-        if (im->w <= 0 || im->h <= 0) ok = 0;
+        if CHKIMGSZ(im->w, im->h) ok = 0;
 
         ilbm.depth = ilbm.bmhd.data[8];
         if (ilbm.depth < 1 || (ilbm.depth > 8 && ilbm.depth != 24 && ilbm.depth != 32)) ok = 0; /* Only 1 to 8, 24, or 32 planes. */
@@ -453,6 +453,7 @@ ILBM    ilbm;
         }
     }
     if (!full || !ok) {
+        im->w = im->h = 0;
         freeilbm(&ilbm);
         return ok;
     }
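Review bot: The added `im->w = im->h = 0;` runs for `!full` as well as `!ok`, so a call that returns a nonzero `ok` can still hand back a 0x0 image. If `full` being false means a header-only load (its definition is outside the hunk), callers that only ask for dimensions would get zeros after a successful return. Restricting the reset to the failure case, `if (!ok) im->w = im->h = 0;` inside the block, keeps the CVE hardening without changing the result of a successful header read.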
@@ -467,12 +468,13 @@ ILBM    ilbm;
     cancel = 0;
     plane[0] = NULL;
 
-    im->data = malloc(im->w * im->h * sizeof(DATA32));
-    if (im->data) {
         n = ilbm.depth;
         if (ilbm.mask == 1) n++;
 
+    im->data = malloc(im->w * im->h * sizeof(DATA32));
         plane[0] = malloc(((im->w + 15) / 16) * 2 * n);
+
+    if (im->data && plane[0]) {
         for (i = 1; i < n; i++) plane[i] = plane[i - 1] + ((im->w + 15) / 16) * 2;
 
         z = ((im->w + 15) / 16) * 2 * n;
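Review bot: With the `if (im->data)` block moved, `n = ilbm.depth;`, `if (ilbm.mask == 1) n++;` and `plane[0] = malloc(...)` keep the eight-space indent of the removed block while `im->data = malloc(...)` sits at four, which misstates the nesting; all four statements belong at the function-body indent. The combined test `if (im->data && plane[0])` also means one allocation can succeed while the other fails. The cleanup for that case is outside the hunk, so it is worth confirming that `ok` ends up 0 there and that both `im->data` and `plane[0]` are freed.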
@@ -508,9 +510,10 @@ ILBM    ilbm;
 
   /*----------
    * We either had a successful decode, the user cancelled, or we couldn't get
-   * the memory for im->data.
+   * the memory for im->data or plane[0].
    *----------*/
     if (!ok) {
+        im->w = im->h = 0;
         if (im->data) free(im->data);
         im->data = NULL;
     }
--- imlib2-1.2.2/src/modules/loaders/loader_tiff.c.cve-2006-4806	2006-11-07 09:19:48.000000000 -0700
+++ imlib2-1.2.2/src/modules/loaders/loader_tiff.c	2006-11-07 09:19:48.000000000 -0700
@@ -213,8 +213,16 @@ load(ImlibImage * im, ImlibProgressFunct
      }
    
    rgba_image.image = im;
-   im->w = width = rgba_image.rgba.width;
-   im->h = height = rgba_image.rgba.height;
+   width = rgba_image.rgba.width;
+   height = rgba_image.rgba.height;
+   if CHKIMGSZ(width, height)
+     {      
+       TIFFRGBAImageEnd((TIFFRGBAImage *) &rgba_image);
+       TIFFClose(tif);
+       return 0;
+     }       
+   im->w = width;
+   im->h = height;
    rgba_image.num_pixels = num_pixels = width * height;
    if (rgba_image.rgba.alpha != EXTRASAMPLE_UNSPECIFIED)
       SET_FLAG(im->flags, F_HAS_ALPHA);
--- imlib2-1.2.2/src/modules/loaders/loader_argb.c.cve-2006-4806	2006-01-23 20:46:08.000000000 -0700
+++ imlib2-1.2.2/src/modules/loaders/loader_argb.c	2006-11-07 09:19:48.000000000 -0700
@@ -23,7 +23,7 @@ char
 load(ImlibImage * im, ImlibProgressFunction progress,
      char progress_granularity, char immediate_load)
 {
-   int                 w, h, alpha;
+   int                 w=0, h=0, alpha;
    FILE               *f;
 
    if (im->data)
@@ -36,13 +36,15 @@ load(ImlibImage * im, ImlibProgressFunct
    {
       char                buf[256], buf2[256];
 
+      memset(buf, 0, sizeof(buf));
+      memset(buf2, 0, sizeof(buf2));
       if (!fgets(buf, 255, f))
         {
            fclose(f);
            return 0;
         }
       sscanf(buf, "%s %i %i %i", buf2, &w, &h, &alpha);
-      if (strcmp(buf2, "ARGB"))
+      if (strcmp(buf2, "ARGB") || CHKIMGSZ(w, h))
         {
            fclose(f);
            return 0;
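Review bot: The `sscanf` return value is still ignored, so a header with fewer than four fields is only caught indirectly through the zero-initialised `buf2`, `w` and `h`. `alpha` is not initialised in the first hunk of this file (`int w=0, h=0, alpha;`), so a line like "ARGB 10 10" passes the new check and leaves `alpha` indeterminate for whatever code reads it after the hunk. Checking the conversion count covers every field at once: `if (sscanf(buf, "%s %i %i %i", buf2, &w, &h, &alpha) != 4 || strcmp(buf2, "ARGB") || CHKIMGSZ(w, h))`. The remainder of load() is outside the hunk.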
--- imlib2-1.2.2/src/modules/loaders/loader_jpeg.c.cve-2006-4806	2006-01-23 20:46:08.000000000 -0700
+++ imlib2-1.2.2/src/modules/loaders/loader_jpeg.c	2006-11-07 09:26:17.000000000 -0700
@@ -104,8 +104,9 @@ load(ImlibImage * im, ImlibProgressFunct
         im->w = w = cinfo.output_width;
         im->h = h = cinfo.output_height;
 
-        if (cinfo.rec_outbuf_height > 16)
+        if (cinfo.rec_outbuf_height > 16 || CHKIMGSZ(w, h))
           {
+             im->w = im->h = 0;
              jpeg_destroy_decompress(&cinfo);
              fclose(f);
              return 0;