authorPacho Ramos <pacho@gentoo.org>2010-09-07 21:57:03 +0000
committerPacho Ramos <pacho@gentoo.org>2010-09-07 21:57:03 +0000
commit0dd6edd0b51b7848cbca9807ea20dd36e6511e5e (patch)
treedc665f775949f312a118488e3b210de279d6f9aa /dev-dotnet/libgdiplus
parentonly user of spl is php, which has it as a local use flag (diff)
Fix Multiple Integer Overflow Vulnerabilities (CVE-2010-1526) (bug #334101) applying upstream patch also used in Fedora.
Package-Manager: portage-2.1.8.3/cvs/Linux x86_64
Diffstat (limited to 'dev-dotnet/libgdiplus')
-rw-r--r--dev-dotnet/libgdiplus/ChangeLog9
-rw-r--r--dev-dotnet/libgdiplus/Manifest12
-rw-r--r--dev-dotnet/libgdiplus/files/libgdiplus-2.6.7-fix-overflows.patch215
-rw-r--r--dev-dotnet/libgdiplus/libgdiplus-2.6.7-r1.ebuild47
4 files changed, 277 insertions, 6 deletions
diff --git a/dev-dotnet/libgdiplus/ChangeLog b/dev-dotnet/libgdiplus/ChangeLog
index 7b56cac0765f..68eb51eb248c 100644
--- a/dev-dotnet/libgdiplus/ChangeLog
+++ b/dev-dotnet/libgdiplus/ChangeLog
@@ -1,6 +1,13 @@
# ChangeLog for dev-dotnet/libgdiplus
# Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-dotnet/libgdiplus/ChangeLog,v 1.115 2010/07/21 17:29:33 pacho Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-dotnet/libgdiplus/ChangeLog,v 1.116 2010/09/07 21:57:03 pacho Exp $
+
+*libgdiplus-2.6.7-r1 (07 Sep 2010)
+
+ 07 Sep 2010; Pacho Ramos <pacho@gentoo.org> +libgdiplus-2.6.7-r1.ebuild,
+ +files/libgdiplus-2.6.7-fix-overflows.patch:
+ Fix Multiple Integer Overflow Vulnerabilities (CVE-2010-1526) (bug
+ #334101) applying upstream patch also used in Fedora.
*libgdiplus-2.6.7 (21 Jul 2010)
diff --git a/dev-dotnet/libgdiplus/Manifest b/dev-dotnet/libgdiplus/Manifest
index 73ad97608978..e56560f42127 100644
--- a/dev-dotnet/libgdiplus/Manifest
+++ b/dev-dotnet/libgdiplus/Manifest
@@ -6,6 +6,7 @@ AUX libgdiplus-1.2.4-cairo.patch 395 RMD160 145c58e3bbbd719011d62ea5df12b42b57fe
AUX libgdiplus-1.2.5-imglibs.patch 5743 RMD160 0c42aaf53d7e46489cd203f3633a487bb8e1146f SHA1 29bebd9434a818abcefc64caa2cba69a5dff3b38 SHA256 3c54fdead42729e8c8b6f9103b413c51df4a29273aa5a7def505b4abc1613fed
AUX libgdiplus-1.2.6-autotool-variables.patch 1025 RMD160 320f836ab095e8eb8c453fc568a141561746c81d SHA1 2bfba4793df7ba087a6b547275a5c8a816239d33 SHA256 c2d4123b50e514fbd4eaf2a2bf27646d92e7c5105156dffc8c2513b19d1998f5
AUX libgdiplus-2.6-libpng14.patch 578 RMD160 2e5defa0a4951f22bb70fd8f11670879173cfd70 SHA1 79c42160a0f535cb9b6e98692c7c498526a0fd8b SHA256 01a07e28a23f88104c2033b3719ab9bf7eed9abc11b1f0189b131e87c0beded5
+AUX libgdiplus-2.6.7-fix-overflows.patch 7963 RMD160 033ee74060ac3103a4f9d5d8bd8bfc57ddab1fdb SHA1 199fa36eac75a3501befded439d38a8a97fdd5eb SHA256 5e0143cf657d9dee39e4e2226816c5acf12616e329f469a7d468f2baf1630627
DIST libgdiplus-1.2.4.tar.bz2 2848526 RMD160 90d17f78ba50256d71478c105bbba0a30b68ab3e SHA1 53498e13ba0756ff1cb8a0b6227044dbc6bb3603 SHA256 373af7c1cf80d765e25a843ee69fe50809defab25a3e3a6df8ef974a47cb1326
DIST libgdiplus-1.2.6.tar.bz2 2897855 RMD160 9eeb1f3859017e1b73d7b49d96cb103413a806b6 SHA1 57321ab24b9fe1f821e39e3cffdf8c16a2e9677b SHA256 5eb1a7a8d3b75c751eac6075239469059238082aee1963bc6a172b3073046cfe
DIST libgdiplus-2.0.tar.bz2 1971529 RMD160 5279db7cc3be45cb0a3a79bc10b48172a6549445 SHA1 3f4fc1cb2808932e946aa2bb049494fd87fdaa5d SHA256 0a308dc3a8d1a91f036502ed45b8debc3c6f838d86cf6e15430c6969ab4a33b1
@@ -20,15 +21,16 @@ EBUILD libgdiplus-2.0.ebuild 1353 RMD160 7ae634a9cfe04dcfec4d45e6b48ffca0ca3dc14
EBUILD libgdiplus-2.4.2.ebuild 1246 RMD160 5a238db54521fa2da751ac8daea34c778421296b SHA1 eae185526473a78dac3feeff22d0631c1e08c12e SHA256 768b62e992b5d9dad31e3beab4a9426f92698de8eef0e1b891cebb2920a195b1
EBUILD libgdiplus-2.4.9999.ebuild 1279 RMD160 9595f4dc9a4369f24fe367949e5666cb58bbbda4 SHA1 457c0a9cf38941ef665a2dc4a34e35345a7c18dd SHA256 f548adfcc2ca0774819adc1eb561bfbdb9f5d7c473eb2d5efc49245215f349b8
EBUILD libgdiplus-2.6.4.ebuild 1100 RMD160 aa4d9a6c7eb6a26337513d24402407b26b732729 SHA1 e5e30b047ae1accbd16549e5a0981defb9984dbc SHA256 bc57f4260c7bdbd2dc2fde66903a94253e646929434e8e098f20a25687c82009
+EBUILD libgdiplus-2.6.7-r1.ebuild 1215 RMD160 947864e62a1afb59fb0d5b83f406f65c2fee50ef SHA1 fc03e06a04bef64d8157fec0532e19cc85513a3b SHA256 62e8d3af60bff997915d7db53ec0e5b9548575a3c3e20957f540c493c88b58d6
EBUILD libgdiplus-2.6.7.ebuild 1102 RMD160 2fa2b4916770dcd19fa2fe37f5655d8a550f340b SHA1 026f00a51d9d551ea2925e01890ca6fbe051ff1b SHA256 93c515170293bcd47da0ef839c9e89232101812ed602c5f7d99de949797fc13c
EBUILD libgdiplus-2.6.ebuild 1246 RMD160 6444d6b34c2dcb634ce20be04e4b43a8dfe65c0f SHA1 87801d4d59dc34893e16a09a4cdb346371dff382 SHA256 017df7d015be36c30fbef2e9582fdf1e47a1c8561fa028e3497f6cc709467fc3
EBUILD libgdiplus-9999.ebuild 1227 RMD160 9aeb03dbc80c28d9ba6c1b588eaa450623fabed2 SHA1 f611cbc4b0d7287fea5f4022ee07c9d336231a2f SHA256 e76a2e500117cdda76c37908179a8df80dc320d9e225704a2f4b2c91c6be6077
-MISC ChangeLog 18605 RMD160 61808ff82eaaa882b445cd7484f6bf8edced0075 SHA1 d3cb9a3cd62a58ee3b048ebacf0e9721fcbcb0bc SHA256 ff5e878f6fcdaef83c785915492aa92ccb8ed1a0e7ae7b156e0709d8c73d9ff4
+MISC ChangeLog 18889 RMD160 bf6b6185745e6e1be5e19cfc4951435ea71ced04 SHA1 0096791fbe805f03537d2ae06d6bab3f34e7f78d SHA256 5601fd91e01910ec9405878dc25493ba5d822a3f6ca1ddf037d69a601c13dca5
MISC metadata.xml 160 RMD160 cc10b170ad63a746d8bdfbe5bf1bd9f7065922b8 SHA1 49eaf4246f7502850064d3806cce65d3a404ce1b SHA256 1bc3e313a948415fff0dfa63a5610943327146bfe16bfeca603379bf9706a687
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v2.0.15 (GNU/Linux)
+Version: GnuPG v2.0.16 (GNU/Linux)
-iEYEARECAAYFAkxHLoMACgkQCaWpQKGI+9QgKwCfTQwjhfrELC9Q/kSKo/PdKPmE
-ixEAn3FW3TuokFlAgChuv7gvyqwdzbxF
-=tkRI
+iEYEARECAAYFAkyGtTcACgkQCaWpQKGI+9TnNwCfT4EIAi47vxeNfuXZIfxYIAH8
+S+MAn0r+0rz2uUkuZg60PoVi/kLADV2N
+=dxPz
-----END PGP SIGNATURE-----
diff --git a/dev-dotnet/libgdiplus/files/libgdiplus-2.6.7-fix-overflows.patch b/dev-dotnet/libgdiplus/files/libgdiplus-2.6.7-fix-overflows.patch
new file mode 100644
index 000000000000..2611bd142261
--- /dev/null
+++ b/dev-dotnet/libgdiplus/files/libgdiplus-2.6.7-fix-overflows.patch
@@ -0,0 +1,215 @@
+From 6779fbf994d5270720ccb1687ba8b004e20a1821 Mon Sep 17 00:00:00 2001
+From: Sebastien Pouliot <sebastien@ximian.com>
+Date: Mon, 16 Aug 2010 16:48:02 -0400
+Subject: [PATCH] Fix integer overflows when loading images, see bnc #630756
+
+* src/bmpcodec.c:
+* src/jpgcodec.c:
+* src/tifcodec.c:
+ Ensure no integer overflow can occur when computing the
+ stride or the total pixel size (in bytes) used to load
+ pictures in memory. Fix bug #630756
+---
+ src/bmpcodec.c | 32 +++++++++++++++++++++++---------
+ src/jpegcodec.c | 25 +++++++++++++++++++------
+ src/tiffcodec.c | 23 ++++++++++++++++++-----
+ 3 files changed, 60 insertions(+), 20 deletions(-)
+
+diff --git a/src/bmpcodec.c b/src/bmpcodec.c
+index 7f02561..5547262 100644
+--- a/src/bmpcodec.c
++++ b/src/bmpcodec.c
+@@ -781,7 +781,6 @@ gdip_read_bmp_image (void *pointer, GpImage **image, ImageSource source)
+ int colours;
+ BOOL os2format = FALSE;
+ BOOL upsidedown = TRUE;
+- int size;
+ int size_read;
+ BYTE *data_read = NULL;
+ int line;
+@@ -793,6 +792,7 @@ gdip_read_bmp_image (void *pointer, GpImage **image, ImageSource source)
+ ARGB green_mask = 0;
+ ARGB blue_mask = 0;
+ int red_shift = 0;
++ unsigned long long int size;
+
+ status = gdip_read_BITMAPINFOHEADER (pointer, &bmi, source, &os2format, &upsidedown);
+ if (status != Ok)
+@@ -860,23 +860,30 @@ gdip_read_bmp_image (void *pointer, GpImage **image, ImageSource source)
+ result->active_bitmap->width = bmi.biWidth;
+ result->active_bitmap->height = bmi.biHeight;
+
++ /* biWidth and biHeight are LONG (32 bits signed integer) */
++ size = bmi.biWidth;
++
+ switch (result->active_bitmap->pixel_format) {
+ case PixelFormat1bppIndexed:
+- result->active_bitmap->stride = (result->active_bitmap->width + 7) / 8;
++ result->active_bitmap->stride = (size + 7) / 8;
+ break;
+ case PixelFormat4bppIndexed:
+- result->active_bitmap->stride = (result->active_bitmap->width + 1) / 2;
++ result->active_bitmap->stride = (size + 1) / 2;
+ break;
+ case PixelFormat8bppIndexed:
+- result->active_bitmap->stride = result->active_bitmap->width;
+- break;
+- case PixelFormat24bppRGB:
+- result->active_bitmap->stride = result->active_bitmap->width * 4;
++ result->active_bitmap->stride = size;
+ break;
+ default:
+ /* For other types, we assume 32 bit and translate into 32 bit from source format */
+ result->active_bitmap->pixel_format = PixelFormat32bppRGB;
+- result->active_bitmap->stride = result->active_bitmap->width * 4;
++ /* fall-thru */
++ case PixelFormat24bppRGB:
++ /* stride is a (signed) _int_ and once multiplied by 4 it should hold a value that can be allocated by GdipAlloc
++ * this effectively limits 'width' to 536870911 pixels */
++ size *= 4;
++ if (size > G_MAXINT32)
++ goto error;
++ result->active_bitmap->stride = size;
+ break;
+ }
+
+@@ -922,7 +929,14 @@ gdip_read_bmp_image (void *pointer, GpImage **image, ImageSource source)
+ data_read = NULL;
+ }
+
+- pixels = GdipAlloc (result->active_bitmap->stride * result->active_bitmap->height);
++ size = result->active_bitmap->stride;
++ /* ensure total 'size' does not overflow an integer and fits inside our 2GB limit */
++ size *= result->active_bitmap->height;
++ if (size > G_MAXINT32) {
++ status = OutOfMemory;
++ goto error;
++ }
++ pixels = GdipAlloc (size);
+ if (pixels == NULL) {
+ status = OutOfMemory;
+ goto error;
+diff --git a/src/jpegcodec.c b/src/jpegcodec.c
+index 55df776..e330efb 100644
+--- a/src/jpegcodec.c
++++ b/src/jpegcodec.c
+@@ -282,6 +282,7 @@ gdip_load_jpeg_image_internal (struct jpeg_source_mgr *src, GpImage **image)
+ BYTE *lines[4] = {NULL, NULL, NULL, NULL};
+ GpStatus status;
+ int stride;
++ unsigned long long int size;
+
+ destbuf = NULL;
+ result = NULL;
+@@ -323,20 +324,21 @@ gdip_load_jpeg_image_internal (struct jpeg_source_mgr *src, GpImage **image)
+
+ if (cinfo.num_components == 1) {
+ result->cairo_format = CAIRO_FORMAT_A8;
+- result->active_bitmap->stride = cinfo.image_width;
+ result->active_bitmap->pixel_format = PixelFormat8bppIndexed;
++ size = 1;
+ } else if (cinfo.num_components == 3) {
+ /* libjpeg gives us RGB for many formats and
+ * we convert to RGB format when needed. JPEG
+ * does not support alpha (transparency). */
+ result->cairo_format = CAIRO_FORMAT_ARGB32;
+- result->active_bitmap->stride = 4 * cinfo.image_width;
+ result->active_bitmap->pixel_format = PixelFormat24bppRGB;
++ size = 4;
+ } else if (cinfo.num_components == 4) {
+ result->cairo_format = CAIRO_FORMAT_ARGB32;
+- result->active_bitmap->stride = 4 * cinfo.image_width;
+ result->active_bitmap->pixel_format = PixelFormat32bppRGB;
+- }
++ size = 4;
++ } else
++ goto error;
+
+ switch (cinfo.jpeg_color_space) {
+ case JCS_GRAYSCALE:
+@@ -360,7 +362,12 @@ gdip_load_jpeg_image_internal (struct jpeg_source_mgr *src, GpImage **image)
+ break;
+ }
+
+- stride = result->active_bitmap->stride;
++ size *= cinfo.image_width;
++ /* stride is a (signed) _int_ and once multiplied by 4 it should hold a value that can be allocated by GdipAlloc
++ * this effectively limits 'width' to 536870911 pixels */
++ if (size > G_MAXINT32)
++ goto error;
++ stride = result->active_bitmap->stride = size;
+
+ /* Request cairo-compat output */
+ /* libjpeg can do only following conversions,
+@@ -397,7 +404,13 @@ gdip_load_jpeg_image_internal (struct jpeg_source_mgr *src, GpImage **image)
+
+ jpeg_start_decompress (&cinfo);
+
+- destbuf = GdipAlloc (stride * cinfo.output_height);
++ /* ensure total 'size' does not overflow an integer and fits inside our 2GB limit */
++ size *= cinfo.output_height;
++ if (size > G_MAXINT32) {
++ status = OutOfMemory;
++ goto error;
++ }
++ destbuf = GdipAlloc (size);
+ if (destbuf == NULL) {
+ status = OutOfMemory;
+ goto error;
+diff --git a/src/tiffcodec.c b/src/tiffcodec.c
+index 9e9504f..cf4cf3b 100644
+--- a/src/tiffcodec.c
++++ b/src/tiffcodec.c
+@@ -1104,6 +1104,8 @@ gdip_load_tiff_image (TIFF *tiff, GpImage **image)
+ frame = gdip_frame_add(result, &gdip_image_frameDimension_page_guid);
+
+ for (page = 0; page < num_of_pages; page++) {
++ unsigned long long int size;
++
+ bitmap_data = gdip_frame_add_bitmapdata(frame);
+ if (bitmap_data == NULL) {
+ goto error;
+@@ -1139,14 +1141,25 @@ gdip_load_tiff_image (TIFF *tiff, GpImage **image)
+ bitmap_data->image_flags |= ImageFlagsHasRealDPI;
+ }
+
+- bitmap_data->stride = tiff_image.width * 4;
++ /* width and height are uint32, but TIFF uses 32 bits offsets (so it's real size limit is 4GB),
++ * however libtiff uses signed int (int32 not uint32) as offsets so we limit ourselves to 2GB */
++ size = tiff_image.width;
++ /* stride is a (signed) _int_ and once multiplied by 4 it should hold a value that can be allocated by GdipAlloc
++ * this effectively limits 'width' to 536870911 pixels */
++ size *= sizeof (guint32);
++ if (size > G_MAXINT32)
++ goto error;
++ bitmap_data->stride = size;
+ bitmap_data->width = tiff_image.width;
+ bitmap_data->height = tiff_image.height;
+ bitmap_data->reserved = GBD_OWN_SCAN0;
+ bitmap_data->image_flags |= ImageFlagsColorSpaceRGB | ImageFlagsHasRealPixelSize | ImageFlagsReadOnly;
+
+- num_of_pixels = tiff_image.width * tiff_image.height;
+- pixbuf = GdipAlloc(num_of_pixels * sizeof(guint32));
++ /* ensure total 'size' does not overflow an integer and fits inside our 2GB limit */
++ size *= tiff_image.height;
++ if (size > G_MAXINT32)
++ goto error;
++ pixbuf = GdipAlloc (size);
+ if (pixbuf == NULL) {
+ goto error;
+ }
+@@ -1168,9 +1181,9 @@ gdip_load_tiff_image (TIFF *tiff, GpImage **image)
+ memcpy(pixbuf + (bitmap_data->stride * (tiff_image.height - i - 1)), pixbuf_row, bitmap_data->stride);
+ }
+
+- /* Now flip from ARGB to ABGR */
++ /* Now flip from ARGB to ABGR processing one pixel (4 bytes) at the time */
+ pixbuf_ptr = (guint32 *)pixbuf;
+- for (i = 0; i < num_of_pixels; i++) {
++ for (i = 0; i < (size >> 2); i++) {
+ *pixbuf_ptr = (*pixbuf_ptr & 0xff000000) |
+ ((*pixbuf_ptr & 0x00ff0000) >> 16) |
+ (*pixbuf_ptr & 0x0000ff00) |
+--
+1.7.2.1
+
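Review bot: In the embedded bmpcodec.c change, the three indexed-format branches (`(size + 7) / 8`, `(size + 1) / 2`, `size`) store into the signed `stride` with no range check, and `size = bmi.biWidth` converts a signed LONG to `unsigned long long`, so a negative width would become a huge value that truncates back to a negative stride. Only the 24/32-bit path compares against `G_MAXINT32`. Unless gdip_read_BITMAPINFOHEADER (outside this hunk) already rejects such headers, a guard such as `if (bmi.biWidth <= 0) { status = InvalidParameter; goto error; }` placed before `size = bmi.biWidth;` would close that gap. Separately, the stride checks in bmpcodec.c and jpegcodec.c `goto error` without assigning `status`, unlike the later total-size checks that set `OutOfMemory`; what the error label returns in that case is not visible here and should be confirmed.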
diff --git a/dev-dotnet/libgdiplus/libgdiplus-2.6.7-r1.ebuild b/dev-dotnet/libgdiplus/libgdiplus-2.6.7-r1.ebuild
new file mode 100644
index 000000000000..32234dcd286f
--- /dev/null
+++ b/dev-dotnet/libgdiplus/libgdiplus-2.6.7-r1.ebuild
@@ -0,0 +1,47 @@
+# Copyright 1999-2010 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/dev-dotnet/libgdiplus/libgdiplus-2.6.7-r1.ebuild,v 1.1 2010/09/07 21:57:03 pacho Exp $
+
+EAPI=2
+
+inherit eutils go-mono mono flag-o-matic
+
+DESCRIPTION="Library for using System.Drawing with mono"
+HOMEPAGE="http://www.go-mono.com/"
+
+LICENSE="MIT"
+SLOT="0"
+KEYWORDS="~amd64 ~ppc ~x86 ~x86-freebsd ~amd64-linux ~x86-linux ~x86-solaris"
+IUSE="cairo"
+
+RDEPEND=">=dev-libs/glib-2.16
+ >=media-libs/freetype-2.3.7
+ >=media-libs/fontconfig-2.6
+ media-libs/libpng
+ x11-libs/libXrender
+ x11-libs/libX11
+ x11-libs/libXt
+ >=x11-libs/cairo-1.8.4[X]
+ media-libs/libexif
+ >=media-libs/giflib-4.1.3
+ media-libs/jpeg
+ media-libs/tiff
+ !cairo? ( >=x11-libs/pango-1.20 )"
+DEPEND="${RDEPEND}"
+
+RESTRICT="test"
+
+src_prepare() {
+ go-mono_src_prepare
+ sed -i -e 's:ungif:gif:g' configure || die
+
+ # Fix integer overflows when loading images, see bug #334101
+ epatch "${FILESDIR}/${P}-fix-overflows.patch"
+}
+
+src_configure() {
+ append-flags -fno-strict-aliasing
+ go-mono_src_configure --with-cairo=system \
+ $(use !cairo && printf %s --with-pango) \
+ || die "configure failed"
+}
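Review bot: `RESTRICT="test"` is carried into this security revision with no comment saying why the test suite is disabled, so nothing at build time exercises the BMP/JPEG/TIFF loaders that the new `epatch` line changes. A comment above it, such as `# Tests restricted: <reason> (bug #<placeholder>)`, would tell the next maintainer whether the restriction can be lifted. The `append-flags -fno-strict-aliasing` in src_configure would benefit from the same kind of one-line rationale.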