From: "Alexandre Rostovtsev" <tetromino@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/gnome:master commit in: x11-libs/gdk-pixbuf/, x11-libs/gdk-pixbuf/files/
Date: Tue, 1 Sep 2015 05:17:43 +0000 (UTC) [thread overview]
Message-ID: <1441081503.9e48855fcf4528e77c4c86b9bd1b12fa3176b23a.tetromino@gentoo> (raw)
commit: 9e48855fcf4528e77c4c86b9bd1b12fa3176b23a
Author: Alexandre Rostovtsev <tetromino <AT> gentoo <DOT> org>
AuthorDate: Fri Aug 21 04:49:52 2015 +0000
Commit: Alexandre Rostovtsev <tetromino <AT> gentoo <DOT> org>
CommitDate: Tue Sep 1 04:25:03 2015 +0000
URL: https://gitweb.gentoo.org/proj/gnome.git/commit/?id=9e48855f
x11-libs/gdk-pixbuf: 2.31.5 → 2.31.6 and more fixes for CVE-2015-4491
Really fix the overflow.
Gentoo-Bug: 556314
Upstream-Bug-url: https://bugzilla.gnome.org/show_bug.cgi?id=752297
Package-Manager: portage-2.2.20.1
Manifest-Sign-Key: 0x18E5B6F2D8D5EC8D
.../files/gdk-pixbuf-2.31.6-alpha-overflow.patch | 70 +++++++++
.../files/gdk-pixbuf-2.31.6-jpeg-overflow.patch | 35 +++++
.../gdk-pixbuf-2.31.6-pixops-gcc-optimizer.patch | 46 ++++++
.../files/gdk-pixbuf-2.31.6-pixops-overflow.patch | 173 +++++++++++++++++++++
.../gdk-pixbuf-2.31.6-pixops-variable-type.patch | 37 +++++
.../files/gdk-pixbuf-2.31.6-png-overflow.patch | 72 +++++++++
.../files/gdk-pixbuf-2.31.6-rotate-overflow.patch | 27 ++++
...xbuf-2.31.5.ebuild => gdk-pixbuf-2.31.6.ebuild} | 15 +-
8 files changed, 474 insertions(+), 1 deletion(-)
diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-alpha-overflow.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-alpha-overflow.patch
new file mode 100644
index 0000000..bd4abfa
--- /dev/null
+++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-alpha-overflow.patch
@@ -0,0 +1,70 @@
+From ca3c56421c075e729750cf80c3438b283232cce8 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Mon, 24 Aug 2015 15:20:08 -0400
+Subject: [PATCH] Avoid integer overflow in gdk_pixbuf_add_alpha
+
+Same as before: don't do ptr = base + y * rowstride if y and
+rowstride are integers.
+
+This should fix http://bugzilla.gnome/org/753569
+---
+ gdk-pixbuf/gdk-pixbuf-util.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/gdk-pixbuf/gdk-pixbuf-util.c b/gdk-pixbuf/gdk-pixbuf-util.c
+index 6abe9b9..3600450 100644
+--- a/gdk-pixbuf/gdk-pixbuf-util.c
++++ b/gdk-pixbuf/gdk-pixbuf-util.c
+@@ -67,6 +67,8 @@ gdk_pixbuf_add_alpha (const GdkPixbuf *pixbuf,
+ int x, y;
+ const guint8 *src_pixels;
+ guint8 *ret_pixels;
++ const guchar *src;
++ guchar *dest;
+
+ g_return_val_if_fail (GDK_IS_PIXBUF (pixbuf), NULL);
+ g_return_val_if_fail (pixbuf->colorspace == GDK_COLORSPACE_RGB, NULL);
+@@ -85,20 +87,18 @@ gdk_pixbuf_add_alpha (const GdkPixbuf *pixbuf,
+ } else {
+ new_pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB, TRUE, 8, pixbuf->width, pixbuf->height);
+ }
+-
++
+ if (!new_pixbuf)
+ return NULL;
+
+ ret_pixels = gdk_pixbuf_get_pixels (new_pixbuf);
+
+- for (y = 0; y < pixbuf->height; y++) {
+- const guchar *src;
+- guchar *dest;
++ for (y = 0; y < pixbuf->height; y++, src_pixels += pixbuf->rowstride, ret_pixels += new_pixbuf->rowstride) {
+ guchar tr, tg, tb;
+
+- src = src_pixels + y * pixbuf->rowstride;
+- dest = ret_pixels + y * new_pixbuf->rowstride;
+-
++ src = src_pixels;
++ dest = ret_pixels;
++
+ if (pixbuf->has_alpha) {
+ /* Just subst color, we already copied everything else */
+ for (x = 0; x < pixbuf->width; x++) {
+@@ -107,12 +107,12 @@ gdk_pixbuf_add_alpha (const GdkPixbuf *pixbuf,
+ src += 4;
+ dest += 4;
+ }
+- } else {
++ } else {
+ for (x = 0; x < pixbuf->width; x++) {
+ tr = *dest++ = *src++;
+ tg = *dest++ = *src++;
+ tb = *dest++ = *src++;
+-
++
+ if (substitute_color && tr == r && tg == g && tb == b)
+ *dest++ = 0;
+ else
+--
+2.5.1
+
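Review bot: The bug reference in this patch's description, `http://bugzilla.gnome/org/753569`, is not a valid URL (a slash where `gnome.org` needs a dot), so the upstream report cannot be followed from the patch file. The commit presents these patches as further CVE-2015-4491 fixes, so a note in the patch header such as `Upstream bug: https://bugzilla.gnome.org/show_bug.cgi?id=753569` would keep the fix traceable without altering the upstream commit text. Separately, the rewritten loop header now advances `src_pixels` and `ret_pixels` themselves, so any code after the loop that reads them as base pointers would see them moved. gdk_pixbuf_add_alpha continues outside the hunks, so that needs checking against the full function.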
diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-jpeg-overflow.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-jpeg-overflow.patch
new file mode 100644
index 0000000..ebec196
--- /dev/null
+++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-jpeg-overflow.patch
@@ -0,0 +1,35 @@
+From fde8d1d12a32740770253e97ddc9602654e16865 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Mon, 24 Aug 2015 15:48:51 -0400
+Subject: [PATCH] jpeg: Fix some integer overflows
+
+Similar to the previous commit.
+---
+ gdk-pixbuf/io-jpeg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
+index fa6bec1..eb48aed 100644
+--- a/gdk-pixbuf/io-jpeg.c
++++ b/gdk-pixbuf/io-jpeg.c
+@@ -886,7 +886,7 @@ gdk_pixbuf__jpeg_image_load_lines (JpegProgContext *context,
+ return FALSE;
+ }
+
+- context->dptr += nlines * context->pixbuf->rowstride;
++ context->dptr += (gsize)nlines * context->pixbuf->rowstride;
+
+ /* send updated signal */
+ if (context->updated_func)
+@@ -1494,7 +1494,7 @@ real_save_jpeg (GdkPixbuf *pixbuf,
+ while (cinfo.next_scanline < cinfo.image_height) {
+ /* convert scanline from ARGB to RGB packed */
+ for (j = 0; j < w; j++)
+- memcpy (&(buf[j*3]), &(ptr[i*rowstride + j*n_channels]), 3);
++ memcpy (&(buf[j*3]), &(ptr[(gsize)i*rowstride + j*n_channels]), 3);
+
+ /* write scanline */
+ jbuf = (JSAMPROW *)(&buf);
+--
+2.5.1
+
diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-gcc-optimizer.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-gcc-optimizer.patch
new file mode 100644
index 0000000..bd957b7
--- /dev/null
+++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-gcc-optimizer.patch
@@ -0,0 +1,46 @@
+From dd4b061c27dc0865c8f8987d294de6e04b321c18 Mon Sep 17 00:00:00 2001
+From: Benjamin Otte <otte@redhat.com>
+Date: Sat, 22 Aug 2015 23:06:23 +0200
+Subject: [PATCH] pixops: Be smarter than gcc's optimizer
+
+gcc realizes that the overflow checks aren't necessary. Why not?
+
+Well, if an int overflows, the behavior is undefined. And turning on
+-fomit-instructions is valid behavior in an undefined situation.
+---
+ gdk-pixbuf/pixops/pixops.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c
+index b7951c7..5564a40 100644
+--- a/gdk-pixbuf/pixops/pixops.c
++++ b/gdk-pixbuf/pixops/pixops.c
+@@ -1272,18 +1272,17 @@ make_filter_table (PixopsFilter *filter)
+ int i_offset, j_offset;
+ int n_x = filter->x.n;
+ int n_y = filter->y.n;
+- int n_weights;
+ int *weights;
+
+- n_weights = SUBSAMPLE * SUBSAMPLE * n_x;
+- if (n_weights / (SUBSAMPLE * SUBSAMPLE) != n_x)
+- return NULL; /* overflow, bail */
++ /* check n_x doesn't overflow */
++ if (G_MAXINT / (SUBSAMPLE * SUBSAMPLE) < n_x)
++ return NULL;
+
+- n_weights *= n_y;
+- if (n_weights / (SUBSAMPLE * SUBSAMPLE * n_x) != n_y)
+- return NULL; /* overflow, bail */
++ /* check n_y doesn't overflow */
++ if (G_MAXINT / (SUBSAMPLE * SUBSAMPLE * n_x) < n_y)
++ return NULL;
+
+- weights = g_try_new (int, n_weights);
++ weights = g_try_new (int, SUBSAMPLE * SUBSAMPLE * n_x * n_y);
+ if (!weights)
+ return NULL; /* overflow, bail */
+
+--
+2.5.1
+
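Review bot: The second guard in make_filter_table, `G_MAXINT / (SUBSAMPLE * SUBSAMPLE * n_x) < n_y`, divides by a value derived from `n_x` without first checking that `n_x` is positive. A zero `n_x` would be a division by zero, and a negative one would make both comparisons meaningless. Whether `filter->x.n` can be zero or negative is decided outside this hunk, but a guard ahead of the two checks, `if (n_x <= 0 || n_y <= 0) return NULL;`, would make the function safe on its own. The comment on the `g_try_new` failure path still reads `/* overflow, bail */` although that branch now only means the allocation failed; `/* allocation failed */` would be accurate. make_filter_table's body continues outside the hunk.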
diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-overflow.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-overflow.patch
new file mode 100644
index 0000000..00789ba
--- /dev/null
+++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-overflow.patch
@@ -0,0 +1,173 @@
+From 7012b9a0b6263310fc7d57f0b06583c8404599af Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Mon, 24 Aug 2015 14:44:50 -0400
+Subject: [PATCH] Fix some more integer overflows
+
+The scaling code had a similar problem to the one fixed in the
+previous commit: Expressions like ptr = base + y * rowstride are
+prone to overflow if y and rowstride are (possibly large) integers.
+---
+ gdk-pixbuf/pixops/pixops.c | 48 +++++++++++++++++++++++-----------------------
+ 1 file changed, 24 insertions(+), 24 deletions(-)
+
+diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c
+index 5564a40..e41b286 100644
+--- a/gdk-pixbuf/pixops/pixops.c
++++ b/gdk-pixbuf/pixops/pixops.c
+@@ -304,8 +304,8 @@ pixops_scale_nearest (guchar *dest_buf,
+ guchar *dest;
+ y_pos = ((i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT;
+ y_pos = CLAMP (y_pos, 0, src_height - 1);
+- src = src_buf + y_pos * src_rowstride;
+- dest = dest_buf + i * dest_rowstride;
++ src = src_buf + (gsize)y_pos * src_rowstride;
++ dest = dest_buf + (gsize)i * dest_rowstride;
+
+ x = render_x0 * x_step + x_step / 2;
+
+@@ -368,8 +368,8 @@ pixops_composite_nearest (guchar *dest_buf,
+ guchar *dest;
+ y_pos = ((i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT;
+ y_pos = CLAMP (y_pos, 0, src_height - 1);
+- src = src_buf + y_pos * src_rowstride;
+- dest = dest_buf + i * dest_rowstride;
++ src = src_buf + (gsize)y_pos * src_rowstride;
++ dest = dest_buf + (gsize)i * dest_rowstride;
+
+ x = render_x0 * x_step + x_step / 2;
+
+@@ -442,8 +442,8 @@ pixops_composite_nearest_noscale (guchar *dest_buf,
+
+ for (i = 0; i < (render_y1 - render_y0); i++)
+ {
+- const guchar *src = src_buf + (i + render_y0) * src_rowstride;
+- guchar *dest = dest_buf + i * dest_rowstride;
++ const guchar *src = src_buf + (gsize)(i + render_y0) * src_rowstride;
++ guchar *dest = dest_buf + (gsize)i * dest_rowstride;
+
+ x = render_x0 * src_channels;
+
+@@ -540,8 +540,8 @@ pixops_composite_color_nearest (guchar *dest_buf,
+ guchar *dest;
+ y_pos = ((i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT;
+ y_pos = CLAMP (y_pos, 0, src_height - 1);
+- src = src_buf + y_pos * src_rowstride;
+- dest = dest_buf + i * dest_rowstride;
++ src = src_buf + (gsize)y_pos * src_rowstride;
++ dest = dest_buf + (gsize)i * dest_rowstride;
+
+ x = render_x0 * x_step + x_step / 2;
+
+@@ -1398,7 +1398,7 @@ pixops_process (guchar *dest_buf,
+ guchar *new_outbuf;
+ guint32 tcolor1, tcolor2;
+
+- guchar *outbuf = dest_buf + dest_rowstride * i;
++ guchar *outbuf = dest_buf + (gsize)dest_rowstride * i;
+ guchar *outbuf_end = outbuf + dest_channels * (render_x1 - render_x0);
+
+ if (((i + check_y) >> check_shift) & 1)
+@@ -1417,9 +1417,9 @@ pixops_process (guchar *dest_buf,
+ if (y_start < 0)
+ line_bufs[j] = (guchar *)src_buf;
+ else if (y_start < src_height)
+- line_bufs[j] = (guchar *)src_buf + src_rowstride * y_start;
++ line_bufs[j] = (guchar *)src_buf + (gsize)src_rowstride * y_start;
+ else
+- line_bufs[j] = (guchar *)src_buf + src_rowstride * (src_height - 1);
++ line_bufs[j] = (guchar *)src_buf + (gsize)src_rowstride * (src_height - 1);
+
+ y_start++;
+ }
+@@ -1443,7 +1443,7 @@ pixops_process (guchar *dest_buf,
+ }
+
+ new_outbuf = (*line_func) (run_weights, filter->x.n, filter->y.n,
+- outbuf, dest_x, dest_buf + dest_rowstride *
++ outbuf, dest_x, dest_buf + (gsize)dest_rowstride *
+ i + run_end_index * dest_channels,
+ dest_channels, dest_has_alpha,
+ line_bufs, src_channels, src_has_alpha,
+@@ -1966,7 +1966,7 @@ _pixops_composite (guchar *dest_buf,
+ return;
+ #endif
+
+- new_dest_buf = dest_buf + dest_y * dest_rowstride + dest_x * dest_channels;
++ new_dest_buf = dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x * dest_channels;
+ render_x0 = dest_x - offset_x;
+ render_y0 = dest_y - offset_y;
+ render_x1 = dest_x + dest_region_width - offset_x;
+@@ -2126,7 +2126,7 @@ pixops_medialib_composite (guchar *dest_buf,
+ if (!use_medialib)
+ {
+ /* Use non-mediaLib version */
+- _pixops_composite_real (dest_buf + dest_y * dest_rowstride + dest_x *
++ _pixops_composite_real (dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x *
+ dest_channels, dest_x - offset_x, dest_y -
+ offset_y, dest_x + dest_region_width - offset_x,
+ dest_y + dest_region_height - offset_y,
+@@ -2168,8 +2168,8 @@ pixops_medialib_composite (guchar *dest_buf,
+ }
+ else
+ {
+- mlib_u8 *data = dest_buf + (dest_y * dest_rowstride) +
+- (dest_x * dest_channels);
++ mlib_u8 *data = dest_buf + (gsize)dest_y * dest_rowstride +
++ (gsize)dest_x * dest_channels;
+
+ mlib_ImageSetStruct (&img_dest, MLIB_BYTE, dest_channels,
+ dest_region_width, dest_region_height,
+@@ -2236,8 +2236,8 @@ pixops_medialib_composite (guchar *dest_buf,
+ else
+ {
+ /* Should not happen - Use non-mediaLib version */
+- _pixops_composite_real (dest_buf + dest_y * dest_rowstride +
+- dest_x * dest_channels,
++ _pixops_composite_real (dest_buf + (gsize)dest_y * dest_rowstride +
++ (gsize)dest_x * dest_channels,
+ dest_x - offset_x, dest_y - offset_y,
+ dest_x + dest_region_width - offset_x,
+ dest_y + dest_region_height - offset_y,
+@@ -2360,7 +2360,7 @@ _pixops_scale (guchar *dest_buf,
+ return;
+ #endif
+
+- new_dest_buf = dest_buf + dest_y * dest_rowstride + dest_x * dest_channels;
++ new_dest_buf = dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x * dest_channels;
+ render_x0 = dest_x - offset_x;
+ render_y0 = dest_y - offset_y;
+ render_x1 = dest_x + dest_region_width - offset_x;
+@@ -2414,8 +2414,8 @@ pixops_medialib_scale (guchar *dest_buf,
+ */
+ if (!use_medialib)
+ {
+- _pixops_scale_real (dest_buf + dest_y * dest_rowstride + dest_x *
+- dest_channels, dest_x - offset_x, dest_y - offset_y,
++ _pixops_scale_real (dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x *
++ dest_channels, dest_x - offset_x, dest_y - offset_y,
+ dest_x + dest_region_width - offset_x,
+ dest_y + dest_region_height - offset_y,
+ dest_rowstride, dest_channels, dest_has_alpha,
+@@ -2443,8 +2443,8 @@ pixops_medialib_scale (guchar *dest_buf,
+ }
+ else
+ {
+- mlib_u8 *data = dest_buf + (dest_y * dest_rowstride) +
+- (dest_x * dest_channels);
++ mlib_u8 *data = dest_buf + (gsize)dest_y * dest_rowstride +
++ (gsize)dest_x * dest_channels;
+
+ mlib_ImageSetStruct (&img_dest, MLIB_BYTE, dest_channels,
+ dest_region_width, dest_region_height,
+@@ -2479,7 +2479,7 @@ pixops_medialib_scale (guchar *dest_buf,
+ int channels = 3;
+ int rowstride = (channels * src_width + 3) & ~3;
+
+- tmp_buf = g_malloc (src_rowstride * src_height);
++ tmp_buf = g_malloc_n (src_rowstride, src_height);
+
+ if (src_buf != NULL)
+ {
+--
+2.5.1
+
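Review bot: In the last hunk (pixops_medialib_scale), `g_malloc_n (src_rowstride, src_height)` detects the multiplication overflow but, like `g_malloc`, terminates the process instead of returning, so an oversized source image becomes an abort rather than a handled error. `g_try_malloc_n (src_rowstride, src_height)` followed by a NULL check would let the function bail out. The context line just above it, `int rowstride = (channels * src_width + 3) & ~3;`, is still computed in `int` and is not covered by this patch. The `(gsize)` casts elsewhere assume the row index is non-negative; `(gsize)(i + render_y0)` in pixops_composite_nearest_noscale is the one place where that is not evident from the hunk, since `render_y0` comes from the caller. All of these functions start and end outside the hunks.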
diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-variable-type.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-variable-type.patch
new file mode 100644
index 0000000..a83535f
--- /dev/null
+++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-variable-type.patch
@@ -0,0 +1,37 @@
+From 3df91dc6c6f8d1421e9c8756959280de792af77a Mon Sep 17 00:00:00 2001
+From: Benjamin Otte <otte@redhat.com>
+Date: Sat, 22 Aug 2015 17:57:23 +0200
+Subject: [PATCH] pixops: Chane variable type
+
+n_weights is used to do overflow checks. So by reducing the size to 32
+bits signed we overflow earlier. This is necessary because further down
+the code lots of code uses int variables to iterate over this variable
+and we don't want those to overflow.
+
+The correct fix would be to make all those variables gsize too, but
+that's way more invasive and requires different checks in different
+places so I'm not gonna do that now.
+And as long as scale factors are not expected to reach G_MAXINT it's not
+really necessary to do this change anyway.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=753908
+---
+ gdk-pixbuf/pixops/pixops.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c
+index 7f2cbff..b7951c7 100644
+--- a/gdk-pixbuf/pixops/pixops.c
++++ b/gdk-pixbuf/pixops/pixops.c
+@@ -1272,7 +1272,7 @@ make_filter_table (PixopsFilter *filter)
+ int i_offset, j_offset;
+ int n_x = filter->x.n;
+ int n_y = filter->y.n;
+- gsize n_weights;
++ int n_weights;
+ int *weights;
+
+ n_weights = SUBSAMPLE * SUBSAMPLE * n_x;
+--
+2.5.1
+
diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-png-overflow.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-png-overflow.patch
new file mode 100644
index 0000000..83c67b5
--- /dev/null
+++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-png-overflow.patch
@@ -0,0 +1,72 @@
+From 8714ab407c54d5989d15a78eb15550c2d52d95b8 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Mon, 24 Aug 2015 14:13:37 -0400
+Subject: [PATCH] png: Fix some integer overflows
+
+The png loader was not careful enough in some places. Width * height
+can overflow an integer.
+
+This should fix http://bugzilla.gnome.org/734556.
+---
+ gdk-pixbuf/io-png.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/gdk-pixbuf/io-png.c b/gdk-pixbuf/io-png.c
+index 3336b1e..5690875 100644
+--- a/gdk-pixbuf/io-png.c
++++ b/gdk-pixbuf/io-png.c
+@@ -267,6 +267,7 @@ gdk_pixbuf__png_image_load (FILE *f, GError **error)
+ gchar *density_str;
+ guint32 retval;
+ gint compression_type;
++ gpointer ptr;
+
+ #ifdef PNG_USER_MEM_SUPPORTED
+ png_ptr = png_create_read_struct_2 (PNG_LIBPNG_VER_STRING,
+@@ -326,8 +327,8 @@ gdk_pixbuf__png_image_load (FILE *f, GError **error)
+
+ rows = g_new (png_bytep, h);
+
+- for (i = 0; i < h; i++)
+- rows[i] = pixbuf->pixels + i * pixbuf->rowstride;
++ for (i = 0, ptr = pixbuf->pixels; i < h; i++, ptr += pixbuf->rowstride)
++ rows[i] = ptr;
+
+ png_read_image (png_ptr, rows);
+ png_read_end (png_ptr, info_ptr);
+@@ -745,6 +746,7 @@ png_row_callback (png_structp png_read_ptr,
+ {
+ LoadContext* lc;
+ guchar* old_row = NULL;
++ gsize rowstride;
+
+ lc = png_get_progressive_ptr(png_read_ptr);
+
+@@ -770,8 +772,9 @@ png_row_callback (png_structp png_read_ptr,
+ lc->max_row_seen_in_chunk = MAX(lc->max_row_seen_in_chunk, ((gint)row_num));
+ lc->last_row_seen_in_chunk = row_num;
+ lc->last_pass_seen_in_chunk = pass_num;
+-
+- old_row = lc->pixbuf->pixels + (row_num * lc->pixbuf->rowstride);
++
++ rowstride = lc->pixbuf->rowstride;
++ old_row = lc->pixbuf->pixels + (row_num * rowstride);
+
+ png_progressive_combine_row(lc->png_read_ptr, old_row, new_row);
+ }
+@@ -1123,11 +1126,9 @@ static gboolean real_save_png (GdkPixbuf *pixbuf,
+ png_set_shift (png_ptr, &sig_bit);
+ png_set_packing (png_ptr);
+
+- ptr = pixels;
+- for (y = 0; y < h; y++) {
++ for (y = 0, ptr = pixels; y < h; y++, ptr += rowstride) {
+ row_ptr = (png_bytep)ptr;
+ png_write_rows (png_ptr, &row_ptr, 1);
+- ptr += rowstride;
+ }
+
+ png_write_end (png_ptr, info_ptr);
+--
+2.5.1
+
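Review bot: `gpointer ptr` in gdk_pixbuf__png_image_load is a `void *`, and the new loop header advances it with `ptr += pixbuf->rowstride`. Arithmetic on `void *` is a GNU extension rather than standard C, so the row pointers depend on the compiler treating it as byte-sized. Declaring it as `guchar *ptr;` keeps the same pointer-increment approach and stays portable. In png_row_callback the new `gsize rowstride` local exists only to widen the multiplication; a short comment such as `/* gsize so row_num * rowstride is not evaluated in a narrower type */` would stop a later cleanup from folding it back. Both functions continue outside the hunks.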
diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-rotate-overflow.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-rotate-overflow.patch
new file mode 100644
index 0000000..fa6b90c
--- /dev/null
+++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-rotate-overflow.patch
@@ -0,0 +1,27 @@
+From 4f68cb78a5277f169b9531e6998c00c7976594e4 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Mon, 24 Aug 2015 15:29:36 -0400
+Subject: [PATCH] Avoid integer overflow in gdk_pixbuf_rotate_simple
+
+Same as before: don't do ptr = base + y * rowstride if y and
+rowstride are integers.
+---
+ gdk-pixbuf/gdk-pixbuf-scale.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gdk-pixbuf/gdk-pixbuf-scale.c b/gdk-pixbuf/gdk-pixbuf-scale.c
+index 4288c65..475126a 100644
+--- a/gdk-pixbuf/gdk-pixbuf-scale.c
++++ b/gdk-pixbuf/gdk-pixbuf-scale.c
+@@ -396,7 +396,7 @@ gdk_pixbuf_composite_color_simple (const GdkPixbuf *src,
+ return dest;
+ }
+
+-#define OFFSET(pb, x, y) ((x) * (pb)->n_channels + (y) * (pb)->rowstride)
++#define OFFSET(pb, x, y) ((x) * (pb)->n_channels + (gsize)(y) * (pb)->rowstride)
+
+ /**
+ * gdk_pixbuf_rotate_simple:
+--
+2.5.1
+
diff --git a/x11-libs/gdk-pixbuf/gdk-pixbuf-2.31.5.ebuild b/x11-libs/gdk-pixbuf/gdk-pixbuf-2.31.6.ebuild
similarity index 86%
rename from x11-libs/gdk-pixbuf/gdk-pixbuf-2.31.5.ebuild
rename to x11-libs/gdk-pixbuf/gdk-pixbuf-2.31.6.ebuild
index e59d782..1ae90b6 100644
--- a/x11-libs/gdk-pixbuf/gdk-pixbuf-2.31.5.ebuild
+++ b/x11-libs/gdk-pixbuf/gdk-pixbuf-2.31.6.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2015 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: $
+# $Id$
EAPI="5"
GCONF_DEBUG="no"
@@ -47,6 +47,19 @@ MULTILIB_CHOST_TOOLS=(
)
src_prepare() {
+ # Upstream patches from 2.31.x
+ epatch "${FILESDIR}"/${PN}-2.31.6-pixops-variable-type.patch \
+ "${FILESDIR}"/${PN}-2.31.6-pixops-gcc-optimizer.patch \
+ "${FILESDIR}"/${PN}-2.31.6-png-overflow.patch \
+ "${FILESDIR}"/${PN}-2.31.6-jpeg-overflow.patch \
+ "${FILESDIR}"/${PN}-2.31.6-pixops-overflow.patch \
+ "${FILESDIR}"/${PN}-2.31.6-alpha-overflow.patch \
+ "${FILESDIR}"/${PN}-2.31.6-rotate-overflow.patch #556314
+
+ # ERROR: cve-2015-4491 - missing test plan
+ # FIXME - check if this works in 2.31.7
+ sed -e 's/cve-2015-4491$(EXEEXT)//' -i tests/Makefile.in || die
+
# This will avoid polluting the pkg-config file with versioned libpng,
# which is causing problems with libpng14 -> libpng15 upgrade
# See upstream bug #667068
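Review bot: The added `sed -e 's/cve-2015-4491$(EXEEXT)//' -i tests/Makefile.in || die` removes the upstream regression test named after the CVE this version bump addresses, so the package's test phase no longer runs it. The `# FIXME` has no bug reference. Because sed exits 0 when nothing matches, `|| die` will not signal when a later version renames or fixes the test and the workaround goes stale. Suggest recording the reason and a tracking bug in the comment, e.g. `# cve-2015-4491 test fails with "missing test plan"; re-enable once fixed upstream, bug #<BUG-ID>`, and verifying the overflow fixes by other means until the test is restored. src_prepare's body continues outside the hunk.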