author | Alexandre Rostovtsev <tetromino@gentoo.org> | 2012-04-14 20:52:57 +0000 |
---|---|---|
committer | Alexandre Rostovtsev <tetromino@gentoo.org> | 2012-04-14 20:52:57 +0000 |
commit | 29c0ddf5b5018bbf47a25fb5e076fc8f5cea2723 (patch) | |
tree | af451fc99560ea3a8b0c4274f1704a9666d16245 /x11-libs/gdk-pixbuf/files | |
parent | marked x86 per bug 411775 (diff) | |
Fix integer overflow in xbm loader (bug #412033).
Package-Manager: portage-2.2.0_alpha100/cvs/Linux x86_64
Diffstat (limited to 'x11-libs/gdk-pixbuf/files')
-rw-r--r-- | x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.24.1-xbm-overflow.patch | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.24.1-xbm-overflow.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.24.1-xbm-overflow.patch
new file mode 100644
index 000000000000..66b15f70ce63
--- /dev/null
+++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.24.1-xbm-overflow.patch
@@ -0,0 +1,48 @@
+From 4f0f465f991cd454d03189497f923eb40c170c22 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Sat, 14 Apr 2012 14:21:09 -0400
+Subject: [PATCH] Avoid an integer overflow in the xbm loader
+
+At the same time, reject some silly input, such as negative
+width or height.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=672811
+---
+ gdk-pixbuf/io-xbm.c | 12 ++++++++++--
+ 1 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/gdk-pixbuf/io-xbm.c b/gdk-pixbuf/io-xbm.c
+index 46653b9..4f3e1e8 100644
+--- a/gdk-pixbuf/io-xbm.c
++++ b/gdk-pixbuf/io-xbm.c
+@@ -183,10 +183,16 @@ read_bitmap_file_data (FILE *fstream,
+ type++;
+ }
+
+- if (!strcmp ("width", type))
++ if (!strcmp ("width", type)) {
++ if (value <= 0)
++ RETURN (FALSE);
+ ww = (unsigned int) value;
+- if (!strcmp ("height", type))
++ }
++ if (!strcmp ("height", type)) {
++ if (value <= 0)
++ RETURN (FALSE);
+ hh = (unsigned int) value;
++ }
+ if (!strcmp ("hot", type)) {
+ if (type-- == name_and_type
+ || type-- == name_and_type)
+@@ -231,6 +237,8 @@ read_bitmap_file_data (FILE *fstream,
+ bytes_per_line = (ww+7)/8 + padding;
+
+ size = bytes_per_line * hh;
++ if (size / bytes_per_line != hh) /* overflow */
++ RETURN (FALSE);
+ bits = g_malloc (size);
+
+ if (version10p) {
+--
+1.7.8.5
+ |
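Review bot: The overflow test in the second io-xbm.c hunk runs only after `size = bytes_per_line * hh` has been computed, so whether it catches every bad product depends on the types of `size` and `bytes_per_line`, which are declared outside the hunk; if `size` is a signed int, a product above `G_MAXINT` converts in an implementation-defined way before the division is evaluated. Bounding the operands before multiplying avoids that dependency: `if (hh > G_MAXINT / bytes_per_line) RETURN (FALSE);`. The division also assumes `bytes_per_line` is non-zero, which holds only if a file with no width define is rejected earlier; that check is not visible here. Separately, `bits = g_malloc (size);` aborts the process when the allocation fails, so a file declaring large but non-overflowing dimensions can still terminate the calling application; `bits = g_try_malloc (size); if (!bits) RETURN (FALSE);` would fail the load instead. read_bitmap_file_data starts and ends outside both hunks.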