packages/gdk-pixbuf2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:f6a16f4efe9fb2cc9b488a2dbbb4155fac8197e4
Branches Tags
packages:main
..
compare: packages:d72c5518181ae832fa380af2ce71c72be257a68c
Branches Tags
packages:main

No commits in common. "f6a16f4efe9fb2cc9b488a2dbbb4155fac8197e4" and "d72c5518181ae832fa380af2ce71c72be257a68c" have entirely different histories.
f6a16f4efe ... d72c551818

5 changed files with 5 additions and 237 deletions
Show Stats Expand all files Collapse all files

40
backport-CVE-2021-44648.patch
View File

@ -1,40 +0,0 @@
From 19ebba03117aefc9d0312f675f3a210ffdcc4907 Mon Sep 17 00:00:00 2001
From: Robert Ancell <Robert Ancell @robert.ancell>
Date: Tue, 24 May 2022 14:36:15 +0800
Subject: [PATCH] Fix overflow when reading GIF images with invalid LZW initial code size.
Conflict:NA
Reference:https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/130/diffs?commit_id=19ebba03117aefc9d0312f675f3a210ffdcc4907
---
gdk-pixbuf/io-gif.c | 2 +-
gdk-pixbuf/lzw.c | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
index 1befba1..3d2a7a9 100644
--- a/gdk-pixbuf/io-gif.c
+++ b/gdk-pixbuf/io-gif.c
@@ -500,7 +500,7 @@ gif_prepare_lzw (GifContext *context)
return -1;
}
- if (context->lzw_set_code_size > 12) {
+ if (context->lzw_set_code_size >= 12) {
g_set_error_literal (context->error,
GDK_PIXBUF_ERROR,
GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
diff --git a/gdk-pixbuf/lzw.c b/gdk-pixbuf/lzw.c
index 105daf2..f3fae17 100644
--- a/gdk-pixbuf/lzw.c
+++ b/gdk-pixbuf/lzw.c
@@ -121,6 +121,8 @@ lzw_decoder_new (guint8 code_size)
LZWDecoder *self;
int i;
+ g_return_val_if_fail (code_size <= LZW_CODE_MAX, NULL);
+
self = g_object_new (lzw_decoder_get_type (), NULL);
self->min_code_size = code_size;
--
2.27.0

61
backport-CVE-2021-46829.patch
View File

@ -1,61 +0,0 @@
From 6976bdc8ee9dd2c2954f91066f7b0f643769a379 Mon Sep 17 00:00:00 2001
From: Robert Ancell <robert.ancell@canonical.com>
Date: Thu, 3 Jun 2021 11:05:56 +1200
Subject: [PATCH] gif: Check for overflow when compositing or clearing frames.
Fixes: #190
Similar to fix in 086e8adf4cc352cd11572f96066b001b545f354e
---
gdk-pixbuf/io-gif-animation.c | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/gdk-pixbuf/io-gif-animation.c b/gdk-pixbuf/io-gif-animation.c
index 8335cdd76..71d9265e6 100644
--- a/gdk-pixbuf/io-gif-animation.c
+++ b/gdk-pixbuf/io-gif-animation.c
@@ -369,7 +369,7 @@ composite_frame (GdkPixbufGifAnim *anim, GdkPixbufFrame *frame)
for (i = 0; i < n_indexes; i++) {
guint8 index = index_buffer[i];
guint x, y;
- int offset;
+ gsize offset;
if (index == frame->transparent_index)
continue;
@@ -379,11 +379,13 @@ composite_frame (GdkPixbufGifAnim *anim, GdkPixbufFrame *frame)
if (x >= anim->width || y >= anim->height)
continue;
- offset = y * gdk_pixbuf_get_rowstride (anim->last_frame_data) + x * 4;
- pixels[offset + 0] = frame->color_map[index * 3 + 0];
- pixels[offset + 1] = frame->color_map[index * 3 + 1];
- pixels[offset + 2] = frame->color_map[index * 3 + 2];
- pixels[offset + 3] = 255;
+ if (g_size_checked_mul (&offset, gdk_pixbuf_get_rowstride (anim->last_frame_data), y) &&
+ g_size_checked_add (&offset, offset, x * 4)) {
+ pixels[offset + 0] = frame->color_map[index * 3 + 0];
+ pixels[offset + 1] = frame->color_map[index * 3 + 1];
+ pixels[offset + 2] = frame->color_map[index * 3 + 2];
+ pixels[offset + 3] = 255;
+ }
}
out:
@@ -448,8 +450,11 @@ gdk_pixbuf_gif_anim_iter_get_pixbuf (GdkPixbufAnimationIter *anim_iter)
x_end = MIN (anim->last_frame->x_offset + anim->last_frame->width, anim->width);
y_end = MIN (anim->last_frame->y_offset + anim->last_frame->height, anim->height);
for (y = anim->last_frame->y_offset; y < y_end; y++) {
- guchar *line = pixels + y * gdk_pixbuf_get_rowstride (anim->last_frame_data) + anim->last_frame->x_offset * 4;
- memset (line, 0, (x_end - anim->last_frame->x_offset) * 4);
+ gsize offset;
+ if (g_size_checked_mul (&offset, gdk_pixbuf_get_rowstride (anim->last_frame_data), y) &&
+ g_size_checked_add (&offset, offset, anim->last_frame->x_offset * 4)) {
+ memset (pixels + offset, 0, (x_end - anim->last_frame->x_offset) * 4);
+ }
}
break;
case GDK_PIXBUF_FRAME_REVERT:
--
GitLab

113
backport-CVE-2022-48622.patch
View File

@ -1,113 +0,0 @@
From 00c071dd11f723ca608608eef45cb1aa98da89cc Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert <bgilbert@backtick.net>
Date: Tue, 30 Apr 2024 07:26:54 -0500
Subject: [PATCH 1/3] ANI: Reject files with multiple anih chunks
An anih chunk causes us to initialize a bunch of state, which we only
expect to do once per file.
Fixes: #202
Fixes: CVE-2022-48622
---
gdk-pixbuf/io-ani.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
index c6c4642cf4..a78ea7ace4 100644
--- a/gdk-pixbuf/io-ani.c
+++ b/gdk-pixbuf/io-ani.c
@@ -295,6 +295,15 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
if (context->chunk_id == TAG_anih)
{
+ if (context->animation)
+ {
+ g_set_error_literal (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Invalid header in animation"));
+ return FALSE;
+ }
+
context->HeaderSize = read_int32 (context);
context->NumFrames = read_int32 (context);
context->NumSteps = read_int32 (context);
--
GitLab
From d52134373594ff76614fb415125b0d1c723ddd56 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert <bgilbert@backtick.net>
Date: Tue, 30 Apr 2024 07:13:37 -0500
Subject: [PATCH 2/3] ANI: Reject files with multiple INAM or IART chunks
There should be at most one chunk each. These would cause memory leaks
otherwise.
---
gdk-pixbuf/io-ani.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
index a78ea7ace4..8e8414117c 100644
--- a/gdk-pixbuf/io-ani.c
+++ b/gdk-pixbuf/io-ani.c
@@ -445,7 +445,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
}
else if (context->chunk_id == TAG_INAM)
{
- if (!context->animation)
+ if (!context->animation || context->title)
{
g_set_error_literal (error,
GDK_PIXBUF_ERROR,
@@ -472,7 +472,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
}
else if (context->chunk_id == TAG_IART)
{
- if (!context->animation)
+ if (!context->animation || context->author)
{
g_set_error_literal (error,
GDK_PIXBUF_ERROR,
--
GitLab
From 91b8aa5cd8a0eea28acb51f0e121827ca2e7eb78 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert <bgilbert@backtick.net>
Date: Tue, 30 Apr 2024 08:17:25 -0500
Subject: [PATCH 3/3] ANI: Validate anih chunk size
Before reading a chunk, we verify that enough bytes are available to match
the chunk size declared by the file. However, uniquely, the anih chunk
loader doesn't verify that this size matches the number of bytes it
actually intends to read. Thus, if the chunk size is too small and the
file ends in the middle of the chunk, we populate some context fields with
stack garbage. (But we'd still fail later on because the file doesn't
contain any images.) Fix this.
---
gdk-pixbuf/io-ani.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
index 8e8414117c..cfafd7b196 100644
--- a/gdk-pixbuf/io-ani.c
+++ b/gdk-pixbuf/io-ani.c
@@ -295,6 +295,14 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
if (context->chunk_id == TAG_anih)
{
+ if (context->chunk_size < 36)
+ {
+ g_set_error_literal (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Malformed chunk in animation"));
+ return FALSE;
+ }
if (context->animation)
{
g_set_error_literal (error,
--
GitLab

28
gdk-pixbuf2.spec
View File

@ -2,16 +2,11 @@
Name: gdk-pixbuf2
Version: 2.42.6
Release: 7
Release: 2
Summary: gdk is a multi-platform toolkit for creating graphical user interfaces.
License: LGPLv2+
URL: https://gitlab.gnome.org/GNOME/gdk-pixbuf
Source0: https://download-fallback.gnome.org/sources/gdk-pixbuf/2.42/gdk-pixbuf-%{version}.tar.xz
Source1: invalid-colors.gif
Patch6000: backport-CVE-2021-46829.patch
Patch6001: backport-CVE-2021-44648.patch
Patch6002: backport-CVE-2022-48622.patch
BuildRequires: docbook-style-xsl
BuildRequires: gettext
@ -68,7 +63,6 @@ developing applications that uses gdk-pixbuf2 xlib and test.
%prep
%autosetup -n gdk-pixbuf-%{version} -p1
cp %{SOURCE1} ./tests/test-images/gif-test-suite/invalid-colors.gif
%build
%meson \
@ -79,6 +73,9 @@ cp %{SOURCE1} ./tests/test-images/gif-test-suite/invalid-colors.gif
%global _smp_mflags -j1
%meson_build
%check
%meson_test
%install
%meson_install
@ -131,28 +128,13 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache
%{_mandir}/man1/gdk-pixbuf-csource.1*
%changelog
* Wed Jun 26 2024 liningjie <liningjie@xfusion.com> - 2.42.6-7
- Fix CVE-2022-48622
* Tue Jun 20 2023 zhangpan <zhangpan103@h-partners.com> - 2.42.6-6
- fix CVE-2021-44648
* Thu Dec 01 2022 zhouwenpei <zhouwenpei1@h-partners.com> - 2.42.6-5
- disable make check
* Thu Aug 25 2022 wangkerong <wangkerong@h-partners.com> - 2.42.6-4
- fix CVE-2021-46829
* Wed May 18 2022 loong_C <loong_c@yeah.net> - 2.42.6-3
- fix spec changelog date
* Wed Mar 30 2022 liuyumeng <liuyumeng5@h-partners.com> - 2.42.6-2
- enable tests
* Thu Dec 2 2021 hanhui <hanhui15@huawei.com> - 2.42.6-1
- update to 2.42.6
* Tue Jul 20 2021 liuyumeng <liuyumeng5@huawei.com> - 2.40.0-2
* Thu Jul 20 2021 liuyumeng <liuyumeng5@huawei.com> - 2.40.0-2
- delete gdb in buildrequires
* Mon Jul 20 2020 wangye <wangye70@huawei.com> - 2.40.0-1

BIN
invalid-colors.gif
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 35 B