[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
branch master updated: gnu: freeimage: Patch 2 CVEs.
|
From: |
guix-commits |
|
Subject: |
branch master updated: gnu: freeimage: Patch 2 CVEs. |
|
Date: |
Mon, 18 Dec 2023 06:05:51 -0500 |
This is an automated email from the git hooks/post-receive script.
efraim pushed a commit to branch master
in repository guix.
The following commit(s) were added to refs/heads/master by this push:
new 29c94dd522 gnu: freeimage: Patch 2 CVEs.
29c94dd522 is described below
commit 29c94dd522833b2603a651c14a5b06120bcf1829
Author: Efraim Flashner <efraim@flashner.co.il>
AuthorDate: Mon Dec 18 12:51:56 2023 +0200
gnu: freeimage: Patch 2 CVEs.
* gnu/packages/image.scm (freeimage)[source]: Add patches.
* gnu/packages/patches/freeimage-CVE-2020-21428.patch,
gnu/packages/patches/freeimage-CVE-2020-22524.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register them.
Change-Id: Iec114f2295cafbc8b55e81c0d8e4a361fd653152
---
gnu/local.mk | 2 +
gnu/packages/image.scm | 4 +-
.../patches/freeimage-CVE-2020-21428.patch | 17 ++
.../patches/freeimage-CVE-2020-22524.patch | 229 +++++++++++++++++++++
4 files changed, 251 insertions(+), 1 deletion(-)
diff --git a/gnu/local.mk b/gnu/local.mk
index ccc3c233bb..0a5ecd97dc 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1189,6 +1189,8 @@ dist_patch_DATA =
\
%D%/packages/patches/freedink-engine-fix-sdl-hints.patch \
%D%/packages/patches/freeimage-libtiff-compat.patch \
%D%/packages/patches/freeimage-unbundle.patch \
+ %D%/packages/patches/freeimage-CVE-2020-21428.patch \
+ %D%/packages/patches/freeimage-CVE-2020-22524.patch \
%D%/packages/patches/fulcrum-1.9.1-unbundled-libraries.patch \
%D%/packages/patches/fuse-glibc-2.34.patch \
%D%/packages/patches/fuse-overlapping-headers.patch \
diff --git a/gnu/packages/image.scm b/gnu/packages/image.scm
index d237bf689c..8a8e1eacb7 100644
--- a/gnu/packages/image.scm
+++ b/gnu/packages/image.scm
@@ -1253,7 +1253,9 @@ supplies a generic doubly-linked list and some string
functions.")
(patches
(append
(search-patches "freeimage-unbundle.patch"
- "freeimage-libtiff-compat.patch")
+ "freeimage-libtiff-compat.patch"
+ "freeimage-CVE-2020-21428.patch"
+ "freeimage-CVE-2020-22524.patch")
;; Take one patch from Arch Linux that adds LibRaw 0.20
compatibility.
(list (origin
(method url-fetch)
diff --git a/gnu/packages/patches/freeimage-CVE-2020-21428.patch
b/gnu/packages/patches/freeimage-CVE-2020-21428.patch
new file mode 100644
index 0000000000..49f427360b
--- /dev/null
+++ b/gnu/packages/patches/freeimage-CVE-2020-21428.patch
@@ -0,0 +1,17 @@
+https://sources.debian.org/data/main/f/freeimage/3.18.0%2Bds2-10/debian/patches/r1877-improved-DDS-plugin-against-malicious-images.patch
+
+Origin: upstream, r1877
+Index: Source/FreeImage/PluginDDS.cpp
+===================================================================
+diff --git a/Source/FreeImage/PluginDDS.cpp b/Source/FreeImage/PluginDDS.cpp
+--- a/Source/FreeImage/PluginDDS.cpp (revision 1876)
++++ b/Source/FreeImage/PluginDDS.cpp (revision 1877)
+@@ -617,7 +617,7 @@
+ // read the file
+ //
-------------------------------------------------------------------------
+
+- const int line = CalculateLine(width, bpp);
++ const int line = CalculateLine(width, FreeImage_GetBPP(dib));
+ const int filePitch = ((desc->dwFlags & DDSD_PITCH) == DDSD_PITCH) ?
(int)desc->dwPitchOrLinearSize : line;
+ const long delta = (long)filePitch - (long)line;
+
diff --git a/gnu/packages/patches/freeimage-CVE-2020-22524.patch
b/gnu/packages/patches/freeimage-CVE-2020-22524.patch
new file mode 100644
index 0000000000..47368d7d91
--- /dev/null
+++ b/gnu/packages/patches/freeimage-CVE-2020-22524.patch
@@ -0,0 +1,229 @@
+https://sources.debian.org/data/main/f/freeimage/3.18.0%2Bds2-10/debian/patches/r1848-improved-PFM-plugin-against-malicious-images.patch
+
+Origin: upstream, r1848
+Index: Source/FreeImage/PluginPFM.cpp
+---
+diff --git a/Source/FreeImage/PluginPFM.cpp b/Source/FreeImage/PluginPFM.cpp
+--- a/Source/FreeImage/PluginPFM.cpp (revision 1847)
++++ b/Source/FreeImage/PluginPFM.cpp (revision 1848)
+@@ -23,6 +23,12 @@
+ #include "Utilities.h"
+
+ // ==========================================================
++// Plugin Interface
++// ==========================================================
++
++static int s_format_id;
++
++// ==========================================================
+ // Internal functions
+ // ==========================================================
+
+@@ -59,6 +65,9 @@
+
+ /**
+ Get an integer value from the actual position pointed by handle
++@param io
++@param handle
++@return Returns -1 in case of failure, returns the found number otherwise
+ */
+ static int
+ pfm_get_int(FreeImageIO *io, fi_handle handle) {
+@@ -65,70 +74,72 @@
+ char c = 0;
+ BOOL bFirstChar;
+
+- // skip forward to start of next number
++ try {
+
+- if(!io->read_proc(&c, 1, 1, handle)) {
+- throw FI_MSG_ERROR_PARSING;
+- }
++ // skip forward to start of next number
+
+- while (1) {
+- // eat comments
++ if (io->read_proc(&c, 1, 1, handle) != 1) {
++ throw FI_MSG_ERROR_PARSING;
++ }
+
+- if (c == '#') {
+- // if we're at a comment, read to end of line
++ while (1) {
++ // eat comments
+
+- bFirstChar = TRUE;
++ if (c == '#') {
++ // if we're at a comment, read to end of line
+
+- while (1) {
+- if(!io->read_proc(&c, 1, 1, handle)) {
+- throw FI_MSG_ERROR_PARSING;
+- }
++ bFirstChar = TRUE;
+
+- if (bFirstChar && c == ' ') {
+- // loop off 1 sp after #
+- bFirstChar = FALSE;
+- } else if (c == '\n') {
+- break;
++ while (1) {
++ if (io->read_proc(&c, 1, 1, handle) !=
1) {
++ throw FI_MSG_ERROR_PARSING;
++ }
++
++ if (bFirstChar && c == ' ') {
++ // loop off 1 sp after #
++ bFirstChar = FALSE;
++ }
++ else if (c == '\n') {
++ break;
++ }
+ }
+ }
+- }
+
+- if (c >= '0' && c <='9') {
+- // we've found what we were looking for
+- break;
+- }
++ if (c >= '0' && c <= '9') {
++ // we've found what we were looking for
++ break;
++ }
+
+- if(!io->read_proc(&c, 1, 1, handle)) {
+- throw FI_MSG_ERROR_PARSING;
++ if (io->read_proc(&c, 1, 1, handle) != 1) {
++ throw FI_MSG_ERROR_PARSING;
++ }
+ }
+- }
+
+- // we're at the start of a number, continue until we hit a non-number
++ // we're at the start of a number, continue until we hit a
non-number
+
+- int i = 0;
++ int i = 0;
+
+- while (1) {
+- i = (i * 10) + (c - '0');
++ while (1) {
++ i = (i * 10) + (c - '0');
+
+- if(!io->read_proc(&c, 1, 1, handle)) {
+- throw FI_MSG_ERROR_PARSING;
+- }
++ if (io->read_proc(&c, 1, 1, handle) != 1) {
++ throw FI_MSG_ERROR_PARSING;
++ }
+
+- if (c < '0' || c > '9') {
+- break;
++ if (c < '0' || c > '9') {
++ break;
++ }
+ }
+- }
+
+- return i;
++ return i;
++ }
++ catch (const char *message) {
++ FreeImage_OutputMessageProc(s_format_id, message);
++ return -1;
++ }
+ }
+
+ // ==========================================================
+-// Plugin Interface
+-// ==========================================================
+-
+-static int s_format_id;
+-
+-// ==========================================================
+ // Plugin Implementation
+ // ==========================================================
+
+@@ -230,8 +241,12 @@
+ }
+
+ // Read the header information: width, height and the scale
value
+- unsigned width = (unsigned) pfm_get_int(io, handle);
+- unsigned height = (unsigned) pfm_get_int(io, handle);
++ int width = pfm_get_int(io, handle);
++ int height = pfm_get_int(io, handle);
++ if ((width <= 0) || (height <= 0)) {
++ throw FI_MSG_ERROR_PARSING;
++ }
++
+ float scalefactor = 1;
+
+ BOOL bResult = pfm_get_line(io, handle, line_buffer,
PFM_MAXLINE);
+@@ -262,7 +277,7 @@
+ throw FI_MSG_ERROR_MEMORY;
+ }
+
+- for (unsigned y = 0; y < height; y++) {
++ for (int y = 0; y < height; y++) {
+ FIRGBF *bits =
(FIRGBF*)FreeImage_GetScanLine(dib, height - 1 - y);
+
+ if(io->read_proc(lineBuffer, sizeof(float),
lineWidth, handle) != lineWidth) {
+@@ -271,7 +286,7 @@
+ float *channel = lineBuffer;
+ if(scalefactor > 0) {
+ // MSB
+- for (unsigned x = 0; x < width; x++) {
++ for (int x = 0; x < width; x++) {
+ REVERSEBYTES(channel++,
&bits[x].red);
+ REVERSEBYTES(channel++,
&bits[x].green);
+ REVERSEBYTES(channel++,
&bits[x].blue);
+@@ -278,7 +293,7 @@
+ }
+ } else {
+ // LSB
+- for (unsigned x = 0; x < width; x++) {
++ for (int x = 0; x < width; x++) {
+ bits[x].red =
*channel++;
+ bits[x].green = *channel++;
+ bits[x].blue = *channel++;
+@@ -296,7 +311,7 @@
+ throw FI_MSG_ERROR_MEMORY;
+ }
+
+- for (unsigned y = 0; y < height; y++) {
++ for (int y = 0; y < height; y++) {
+ float *bits =
(float*)FreeImage_GetScanLine(dib, height - 1 - y);
+
+ if(io->read_proc(lineBuffer, sizeof(float),
lineWidth, handle) != lineWidth) {
+@@ -305,12 +320,12 @@
+ float *channel = lineBuffer;
+ if(scalefactor > 0) {
+ // MSB - File is Big endian
+- for (unsigned x = 0; x < width; x++) {
++ for (int x = 0; x < width; x++) {
+ REVERSEBYTES(channel++,
&bits[x]);
+ }
+ } else {
+ // LSB - File is Little Endian
+- for (unsigned x = 0; x < width; x++) {
++ for (int x = 0; x < width; x++) {
+ bits[x] = *channel++;
+ }
+ }
+@@ -323,9 +338,12 @@
+ return dib;
+
+ } catch (const char *text) {
+- if(lineBuffer) free(lineBuffer);
+- if(dib) FreeImage_Unload(dib);
+-
++ if (lineBuffer) {
++ free(lineBuffer);
++ }
++ if (dib) {
++ FreeImage_Unload(dib);
++ }
+ if(NULL != text) {
+ FreeImage_OutputMessageProc(s_format_id, text);
+ }
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- branch master updated: gnu: freeimage: Patch 2 CVEs.,
guix-commits <=