[gentoo-commits] gentoo-x86 commit in media-libs/gst-plugins-good/files: gst-plugins-good-0.10.15-CVE-2009-1932.patch

public inbox for gentoo-commits@lists.gentoo.org
 help / color / mirror / Atom feed

* [gentoo-commits] gentoo-x86 commit in media-libs/gst-plugins-good/files: gst-plugins-good-0.10.15-CVE-2009-1932.patch
@ 2009-06-06 21:18 Olivier Crete (tester)
  0 siblings, 0 replies; 2+ messages in thread
From: Olivier Crete (tester) @ 2009-06-06 21:18 UTC (permalink / raw
  To: gentoo-commits

tester      09/06/06 21:18:45

  Added:                gst-plugins-good-0.10.15-CVE-2009-1932.patch
  Log:
  Add patch for pngdec bug, CVE-2009-1932, bug #272972
  (Portage version: 2.1.6.11/cvs/Linux i686)

Revision  Changes    Path
1.1                  media-libs/gst-plugins-good/files/gst-plugins-good-0.10.15-CVE-2009-1932.patch

file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-libs/gst-plugins-good/files/gst-plugins-good-0.10.15-CVE-2009-1932.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-libs/gst-plugins-good/files/gst-plugins-good-0.10.15-CVE-2009-1932.patch?rev=1.1&content-type=text/plain

Index: gst-plugins-good-0.10.15-CVE-2009-1932.patch
===================================================================
From d9544bcc44adcef769cbdf7f6453e140058a3adc Mon Sep 17 00:00:00 2001
From: Jan Schmidt <thaytan@noraisin.net>
Date: Wed, 27 May 2009 16:06:34 +0000
Subject: pngdec: Avoid possible overflow in calculations

A malformed (or simply huge) PNG file can lead to integer overflow in
calculating the size of the output buffer, leading to crashes or buffer
overflows later. Fixes SA35205 security advisory.
---
diff --git a/ext/libpng/gstpngdec.c b/ext/libpng/gstpngdec.c
index 524b468..dde459d 100644
--- a/ext/libpng/gstpngdec.c
+++ b/ext/libpng/gstpngdec.c
@@ -201,7 +201,14 @@ user_info_callback (png_structp png_ptr, png_infop info)
 
   /* Allocate output buffer */
   pngdec->rowbytes = png_get_rowbytes (pngdec->png, pngdec->info);
-  buffer_size = pngdec->height * GST_ROUND_UP_4 (pngdec->rowbytes);
+  if (pngdec->rowbytes > (G_MAXUINT32 - 3)
+      || pngdec->height > G_MAXUINT32 / pngdec->rowbytes) {
+    ret = GST_FLOW_ERROR;
+    goto beach;
+  }
+  pngdec->rowbytes = GST_ROUND_UP_4 (pngdec->rowbytes);
+  buffer_size = pngdec->height * pngdec->rowbytes;
+
   ret =
       gst_pad_alloc_buffer_and_set_caps (pngdec->srcpad, GST_BUFFER_OFFSET_NONE,
       buffer_size, GST_PAD_CAPS (pngdec->srcpad), &buffer);
@@ -228,7 +235,7 @@ user_endrow_callback (png_structp png_ptr, png_bytep new_row,
   /* If buffer_out doesn't exist, it means buffer_alloc failed, which 
    * will already have set the return code */
   if (GST_IS_BUFFER (pngdec->buffer_out)) {
-    size_t offset = row_num * GST_ROUND_UP_4 (pngdec->rowbytes);
+    size_t offset = row_num * pngdec->rowbytes;
 
     GST_LOG ("got row %u, copying in buffer %p at offset %" G_GSIZE_FORMAT,
         (guint) row_num, pngdec->buffer_out, offset);
@@ -496,7 +503,12 @@ gst_pngdec_task (GstPad * pad)
 
   /* Allocate output buffer */
   rowbytes = png_get_rowbytes (pngdec->png, pngdec->info);
-  buffer_size = pngdec->height * GST_ROUND_UP_4 (rowbytes);
+  if (rowbytes > (G_MAXUINT32 - 3) || pngdec->height > G_MAXUINT32 / rowbytes) {
+    ret = GST_FLOW_ERROR;
+    goto pause;
+  }
+  rowbytes = GST_ROUND_UP_4 (rowbytes);
+  buffer_size = pngdec->height * rowbytes;
   ret =
       gst_pad_alloc_buffer_and_set_caps (pngdec->srcpad, GST_BUFFER_OFFSET_NONE,
       buffer_size, GST_PAD_CAPS (pngdec->srcpad), &buffer);
@@ -509,7 +521,7 @@ gst_pngdec_task (GstPad * pad)
 
   for (i = 0; i < pngdec->height; i++) {
     rows[i] = inp;
-    inp += GST_ROUND_UP_4 (rowbytes);
+    inp += rowbytes;
   }
 
   /* Read the actual picture */
--
cgit v0.8.2






^ permalink raw reply related	[flat|nested] 2+ messages in thread

* [gentoo-commits] gentoo-x86 commit in media-libs/gst-plugins-good/files: gst-plugins-good-0.10.15-CVE-2009-1932.patch
@ 2009-06-07 14:18 Olivier Crete (tester)
  0 siblings, 0 replies; 2+ messages in thread
From: Olivier Crete (tester) @ 2009-06-07 14:18 UTC (permalink / raw
  To: gentoo-commits

tester      09/06/07 14:18:14

  Removed:              gst-plugins-good-0.10.15-CVE-2009-1932.patch
  Log:
  Remove patch from wrong split pkg
  (Portage version: 2.1.6.11/cvs/Linux i686)



^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2009-06-07 14:18 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-06-06 21:18 [gentoo-commits] gentoo-x86 commit in media-libs/gst-plugins-good/files: gst-plugins-good-0.10.15-CVE-2009-1932.patch Olivier Crete (tester)
  -- strict thread matches above, loose matches on Subject: below --
2009-06-07 14:18 Olivier Crete (tester)

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox