security bump, markx86

3 files changed, 103 insertions, 0 deletions

diff --git a/media-libs/gdk-pixbuf/files/digest-gdk-pixbuf-0.22.0-r3 b/media-libs/gdk-pixbuf/files/digest-gdk-pixbuf-0.22.0-r3
new file mode 100644
index 000000000000..ce45f33770cf
--- /dev/null
+++ b/media-libs/gdk-pixbuf/files/digest-gdk-pixbuf-0.22.0-r3
@@ -0,0 +1 @@
+MD5 05fcb68ceaa338614ab650c775efc2f2 gdk-pixbuf-0.22.0.tar.bz2 398208
diff --git a/media-libs/gdk-pixbuf/files/gdk-pixbuf-0.22.0-bmp_secure.patch b/media-libs/gdk-pixbuf/files/gdk-pixbuf-0.22.0-bmp_secure.patch
new file mode 100644
index 000000000000..29471f1477ec
--- /dev/null
+++ b/media-libs/gdk-pixbuf/files/gdk-pixbuf-0.22.0-bmp_secure.patch
@@ -0,0 +1,19 @@
+Index: io-bmp.c
+===================================================================
+RCS file: /cvs/gnome/gtk+/gdk-pixbuf/io-bmp.c,v
+retrieving revision 1.41
+diff -u -p -r1.41 io-bmp.c
+--- gdk-pixbuf/io-bmp.c	13 Aug 2004 02:26:57 -0000	1.41
++++ gdk-pixbuf/io-bmp.c	20 Aug 2004 00:18:14 -0000
+@@ -876,8 +876,10 @@ DoCompressed(struct bmp_progressive_stat
+ 	guchar c;
+ 	gint idx;
+ 
+-	if (context->compr.y >= context->Header.height)
++	if (context->compr.y >= context->Header.height) {
++		context->BufferDone = 0;
+ 		return TRUE;
++	}
+ 
+ 	y = context->compr.y;
+ 
diff --git a/media-libs/gdk-pixbuf/files/gdk-pixbuf-0.22.0-loaders.patch b/media-libs/gdk-pixbuf/files/gdk-pixbuf-0.22.0-loaders.patch
new file mode 100644
index 000000000000..9fbe93f59bef
--- /dev/null
+++ b/media-libs/gdk-pixbuf/files/gdk-pixbuf-0.22.0-loaders.patch
@@ -0,0 +1,83 @@
+--- gdk-pixbuf-0.22.0/gdk-pixbuf/io-ico.c.loaders	2004-09-15 13:32:28.397302000 -0400
++++ gdk-pixbuf-0.22.0/gdk-pixbuf/io-ico.c	2004-09-15 13:32:28.441258000 -0400
+@@ -330,6 +330,9 @@
+ 
+ 	State->HeaderSize+=I;
+ 
++ 	if (State->HeaderSize < 0)
++ 		return FALSE;
++ 
+  	if (State->HeaderSize>State->BytesInHeaderBuf) {
+ 		guchar *tmp=realloc(State->HeaderBuf,State->HeaderSize);
+ 		if (!tmp)
+--- gdk-pixbuf-0.22.0/gdk-pixbuf/io-xpm.c.loaders	2001-03-01 15:16:28.000000000 -0500
++++ gdk-pixbuf-0.22.0/gdk-pixbuf/io-xpm.c	2004-09-15 13:41:09.804373000 -0400
+@@ -243,8 +243,8 @@
+ 			break;
+ 		else {
+ 			if (numnames > 0) {
+-				space -= 1;
+-				strcat (color, " ");
++				strncat (color, " ", space);
++				space -= MIN (space, 1);
+ 			}
+ 
+ 			strncat (color, temp, space);
+@@ -352,16 +352,31 @@
+ 		return NULL;
+ 	}
+ 	sscanf (buffer, "%d %d %d %d", &w, &h, &n_col, &cpp);
+-	if (cpp >= 32) {
+-		g_warning ("XPM has more than 31 chars per pixel.");
++	if (cpp <= 0 || cpp >= 32) {
++		g_warning ("XPM has invalid number of chars per pixel.");
+ 		return NULL;
+ 	}
++ 	if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1)) {
++		g_warning ("XPM file has invalid number of colors");
++  		return NULL;
++  	}
+ 
+ 	/* The hash is used for fast lookups of color from chars */
+ 	color_hash = g_hash_table_new (g_str_hash, g_str_equal);
+ 
+-	name_buf = g_new (gchar, n_col * (cpp + 1));
+-	colors = g_new (_XPMColor, n_col);
++ 	name_buf = malloc (n_col * (cpp + 1));
++ 	if (!name_buf) {
++		g_warning ("Cannot allocate memory for loading XPM image");
++ 		g_hash_table_destroy (color_hash);
++ 		return NULL;
++ 	}
++ 	colors = (_XPMColor *) malloc (sizeof (_XPMColor) * n_col);
++ 	if (!colors) {
++		g_warning ("Cannot allocate memory for loading XPM image");
++ 		g_hash_table_destroy (color_hash);
++ 		free (name_buf);
++ 		return NULL;
++ 	}
+ 
+ 	for (cnt = 0; cnt < n_col; cnt++) {
+ 		gchar *color_name;
+@@ -404,8 +419,8 @@
+ 
+ 	if (!pixels) {
+ 		g_hash_table_destroy (color_hash);
+-		g_free (colors);
+-		g_free (name_buf);
++		free (colors);
++		free (name_buf);
+ 		return NULL;
+ 	}
+ 
+@@ -440,8 +455,8 @@
+ 	}
+ 
+ 	g_hash_table_destroy (color_hash);
+-	g_free (colors);
+-	g_free (name_buf);
++	free (colors);
++	free (name_buf);
+ 
+ 	return gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, is_trans, 8,
+ 					 w, h, is_trans ? (w * 4) : (w * 3),