Gentoo's Bugzilla – Attachment 38628 Details for
Bug 61619
media-gfx/xv: multiple buffer overflows
[patch]
fix security issues reported
xv-3.10a-validation.diff (text/plain), 2.75 KB, created by
Tavis Ormandy (RETIRED)
on 2004-08-31 16:16:52 UTC
Description:
fix security issues reported
Filename:
MIME Type:
Creator:
Tavis Ormandy (RETIRED)
Created:
2004-08-31 16:16:52 UTC
Size:
2.75 KB
patch
obsolete
>#####
># Add extra validation to check for the issues reported
># here http://www.securityfocus.com/archive/1/372345
>#
># - taviso@gentoo.org (1 Sep 2004)
>#############
>diff -ruN xv-3.10a/xvbmp.c xv-3.10a.new/xvbmp.c
>--- xv-3.10a/xvbmp.c 2004-08-31 23:26:20.711591624 +0100
>+++ xv-3.10a.new/xvbmp.c 2004-08-31 23:21:48.887915104 +0100
>@@ -165,6 +165,11 @@
> int i, cmaplen;
>
> cmaplen = (biClrUsed) ? biClrUsed : 1 << biBitCount;
>+
>+ /* sanity check user supplied value */
>+ if (cmaplen > 256)
>+ { bmpError(bname,"invalid colormap length"); goto ERROR; }
>+
> for (i=0; i<cmaplen; i++) {
> pinfo->b[i] = getc(fp);
> pinfo->g[i] = getc(fp);
>Files xv-3.10a/.xv.h.swp and xv-3.10a.new/.xv.h.swp differ
>diff -ruN xv-3.10a/xviris.c xv-3.10a.new/xviris.c
>--- xv-3.10a/xviris.c 1994-12-22 22:34:47.000000000 +0000
>+++ xv-3.10a.new/xviris.c 2004-08-31 23:52:18.753733216 +0100
>@@ -265,8 +265,18 @@
> byte *rledat;
> u_long *starttab, *lengthtab;
>
>+ /* check they are postive */
>+ if ((xsize <= 0) || (ysize <= 0) || (zsize <= 0))
>+ FatalError("invalid image size supplied to LoadIRIS()");
>+
> rlebuflen = 2 * xsize + 10;
> tablen = ysize * zsize;
>+
>+ /* did they overflow */
>+
>+ if ((rlebuflen <= 0) || (tablen <= 0))
>+ FatalError("invalid image size supplied to LoadIRIS()");
>+
> starttab = (u_long *) malloc((size_t) tablen * sizeof(long));
> lengthtab = (u_long *) malloc((size_t) tablen * sizeof(long));
> rledat = (byte *) malloc((size_t) rlebuflen);
>diff -ruN xv-3.10a/xvpcx.c xv-3.10a.new/xvpcx.c
>--- xv-3.10a/xvpcx.c 1995-01-10 23:06:37.000000000 +0000
>+++ xv-3.10a.new/xvpcx.c 2004-09-01 00:04:28.464800272 +0100
>@@ -4,6 +4,7 @@
> * LoadPCX(fname, pinfo) - loads a PCX file
> */
>
>+#include <limits.h>
> #include "copyright.h"
>
> /*
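Review bot: In the xvbmp.c hunk the new colormap check is an upper bound only, so a zero or negative `cmaplen` still passes `cmaplen > 256`. `cmaplen` is an `int` assigned from `biClrUsed`, whose declaration is outside the hunk; if that field is an unsigned value read from the file, a very large count can arrive as a negative number, the loop then never runs, and the image is decoded with an unloaded colormap and no error. Rejecting both ends makes the failure explicit: `if (cmaplen <= 0 || cmaplen > 256)`. The literal 256 presumably matches the size of the `pinfo->r/g/b` arrays, which are not visible here, so a short comment naming that relationship would help, e.g. `/* colormap arrays in PICINFO hold at most 256 entries */`.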
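Review bot: In the xviris.c hunk the overflow test runs after the arithmetic it is meant to guard, so `rlebuflen <= 0` and `tablen <= 0` do not reliably detect overflow. Assuming the sizes are signed integers (their declarations are outside the hunk), the overflow in `2 * xsize + 10` or `ysize * zsize` is undefined behaviour, and a wrapped product can also come out positive and small, which passes the `<= 0` test while later code may still index by the full `ysize` and `zsize`. Separately, `(size_t) tablen * sizeof(long)` in the two table allocations can wrap where `size_t` is 32 bits even when `tablen` itself is a valid positive value. Bounding the operands before multiplying covers all three cases; this needs `<limits.h>`, which the xvpcx.c and xvpm.c hunks add but this file's hunk does not.

```c
  /* reject dimensions whose derived sizes cannot be represented,
     before any of the products are computed */
  if ((xsize <= 0) || (ysize <= 0) || (zsize <= 0) ||
      (xsize > (INT_MAX - 10) / 2) ||
      (ysize > INT_MAX / zsize) ||
      ((size_t) (ysize * zsize) > ((size_t) -1) / sizeof(long)))
    FatalError("invalid image size supplied to LoadIRIS()");

  rlebuflen = 2 * xsize + 10;
  tablen    = ysize * zsize;
  /* … unchanged: starttab / lengthtab / rledat malloc() calls … */
```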
>@@ -222,6 +223,10 @@
> byte *image;
>
> /* note: overallocation to make life easier... */
>+ if ((pinfo->h <= 0) || (pinfo->h > INT_MAX-1) ||
>+ (pinfo->w <= 0) || (pinfo->w > INT_MAX-16))
>+ FatalError("bad image specs in pcxLoadImage8()");
>+
> image = (byte *) malloc((size_t) (pinfo->h + 1) * pinfo->w + 16);
> if (!image) FatalError("Can't alloc 'image' in pcxLoadImage8()");
>
>diff -ruN xv-3.10a/xvpm.c xv-3.10a.new/xvpm.c
>--- xv-3.10a/xvpm.c 1994-12-22 22:34:40.000000000 +0000
>+++ xv-3.10a.new/xvpm.c 2004-09-01 00:07:34.721484952 +0100
>@@ -5,6 +5,8 @@
> * WritePM(fp, pic, ptype, w, h, r,g,b, numcols, style, comment)
> */
>
>+#include <limits.h>
>+
> #include "copyright.h"
>
> #include "xv.h"
>@@ -137,7 +139,7 @@
>
>
> /* alloc and read in comment, if any */
>- if (thePic.pm_cmtsize>0 && thePic.pm_cmtsize<(INT_MAX-1)) {
> thePic.pm_cmt = (char *) malloc((size_t) thePic.pm_cmtsize+1);
> if (thePic.pm_cmt) {
> thePic.pm_cmt[thePic.pm_cmtsize] = '\0'; /* to be safe */
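Review bot: In the xvpcx.c hunk at `@@ -222,6 +223,10 @@` the new test bounds `pinfo->h` and `pinfo->w` individually but never their product, which is what the allocation actually uses. `(size_t) (pinfo->h + 1) * pinfo->w + 16` can still wrap where `size_t` is 32 bits, giving a buffer far smaller than the dimensions imply. If the fields are plain `int` (their declarations are outside the hunk), `pinfo->h > INT_MAX-1` is only true for `INT_MAX` itself, so the added bounds reject almost nothing. Adding a product check to the same condition closes this: `|| ((size_t) pinfo->w > (((size_t) -1) - 16) / ((size_t) pinfo->h + 1))`. The rest of `pcxLoadImage8()` is outside the hunk, so any later `int` arithmetic on `w * h` would need the same bound.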
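Review bot: In the xvpm.c hunk at `@@ -137,7 +139,7 @@` an out-of-range `pm_cmtsize` is now silently treated as "no comment", whereas the other files in this patch fail with `FatalError`/`bmpError` on bad header values. The `if` body continues outside the hunk, so it is not visible whether skipping the read leaves the comment bytes unconsumed in the stream or a stale `pm_cmt` pointer for later code. The upper bound also still lets a file-supplied length request an allocation just under `INT_MAX`; the `if (thePic.pm_cmt)` check covers failure, but a limit tied to the remaining file size would be tighter. At minimum a comment stating the intent would help, e.g. `/* pm_cmtsize comes from the file header; negative or oversized values are ignored rather than trusted */`.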
Attachments on
bug 61619
: 38628 |
38759