Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 198446 Details for
Bug 277722
<x11-libs/wxGTK-2.8.10.1-r1 wxImage::Create() arbitrary code execution (CVE-2009-2369)
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
wxGTK-2.8.10.1-CVE-2009-2369.patch
wxGTK-2.8.10.1-CVE-2009-2369.patch (text/plain), 2.29 KB, created by
Ryan Hill (RETIRED)
on 2009-07-19 01:58:05 UTC
(
hide
)
Description:
wxGTK-2.8.10.1-CVE-2009-2369.patch
Filename:
MIME Type:
Creator:
Ryan Hill (RETIRED)
Created:
2009-07-19 01:58:05 UTC
Size:
2.29 KB
patch
obsolete
>diff -Naurp wxPython-src-2.8.10.1-orig/src/common/imagpng.cpp wxPython-src-2.8.10.1/src/common/imagpng.cpp >--- wxPython-src-2.8.10.1-orig/src/common/imagpng.cpp 2008-05-11 22:26:45.000000000 -0600 >+++ wxPython-src-2.8.10.1/src/common/imagpng.cpp 2009-07-18 19:54:13.128547627 -0600 >@@ -568,18 +568,16 @@ wxPNGHandler::LoadFile(wxImage *image, > if (!image->Ok()) > goto error; > >- lines = (unsigned char **)malloc( (size_t)(height * sizeof(unsigned char *)) ); >+ // initialize all line pointers to NULL to ensure that they can be safely >+ // free()d if an error occurs before all of them could be allocated >+ lines = (unsigned char **)calloc(height, sizeof(unsigned char *)); > if ( !lines ) > goto error; > > for (i = 0; i < height; i++) > { > if ((lines[i] = (unsigned char *)malloc( (size_t)(width * (sizeof(unsigned char) * 4)))) == NULL) >- { >- for ( unsigned int n = 0; n < i; n++ ) >- free( lines[n] ); > goto error; >- } > } > > png_read_image( png_ptr, lines ); >diff -Naurp wxPython-src-2.8.10.1-orig/src/common/imagtiff.cpp wxPython-src-2.8.10.1/src/common/imagtiff.cpp >--- wxPython-src-2.8.10.1-orig/src/common/imagtiff.cpp 2007-09-21 14:27:05.000000000 -0600 >+++ wxPython-src-2.8.10.1/src/common/imagtiff.cpp 2009-07-18 19:54:35.801832862 -0600 >@@ -261,7 +261,6 @@ bool wxTIFFHandler::LoadFile( wxImage *i > } > > uint32 w, h; >- uint32 npixels; > uint32 *raster; > > TIFFGetField( tif, TIFFTAG_IMAGEWIDTH, &w ); >@@ -275,9 +274,20 @@ bool wxTIFFHandler::LoadFile( wxImage *i > (samplesInfo[0] == EXTRASAMPLE_ASSOCALPHA || > samplesInfo[0] == EXTRASAMPLE_UNASSALPHA)); > >- npixels = w * h; >+ // guard against integer overflow during multiplication which could result >+ // in allocating a too small buffer and then overflowing it >+ const double bytesNeeded = (double)w * (double)h * sizeof(uint32); >+ if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ ) >+ { >+ if ( verbose ) >+ wxLogError( _("TIFF: Image size is abnormally big.") ); >+ >+ TIFFClose(tif); >+ >+ return false; >+ } > >- raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) ); >+ raster = (uint32*) _TIFFmalloc( bytesNeeded ); > > if (!raster) > {
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 277722
: 198446