Gentoo's Bugzilla – Attachment 83432 Details for
Bug 128107
app-office/dia: Buffer overflow in xfig import (CVE-2006-1550)
[patch]
/home/ed/dia-0.94_xfigoverflowfix.patch
dia-0.94_xfigoverflowfix.patch (text/plain), 5.43 KB, created by
Eduardo Tongson
on 2006-03-30 07:14:06 UTC
Description:
/home/ed/dia-0.94_xfigoverflowfix.patch
Filename:
MIME Type:
Creator:
Eduardo Tongson
Created:
2006-03-30 07:14:06 UTC
Size:
5.43 KB
>--- dia-0.94/plug-ins/xfig/xfig-import.c.orig 2004-08-16 09:56:21.000000000 +0200
>+++ dia-0.95/plug-ins/xfig/xfig-import.c 2006-03-29 21:40:21.000000000 +0200
>@@ -441,11 +441,17 @@
> static Color
> fig_color(int color_index)
> {
>- if (color_index == -1)
>+ if (color_index <= -1)
> return color_black; /* Default color */
>- if (color_index < FIG_MAX_DEFAULT_COLORS)
>+ else if (color_index < FIG_MAX_DEFAULT_COLORS)
> return fig_default_colors[color_index];
>- else return fig_colors[color_index-FIG_MAX_DEFAULT_COLORS];
>+ else if (color_index < FIG_MAX_USER_COLORS)
>+ return fig_colors[color_index-FIG_MAX_DEFAULT_COLORS];
>+ else {
>+ message_error(_("Color index %d too high, only 512 colors allowed. Using black instead."),
>+ color_index);
>+ return color_black;
>+ }
> }
>
> static Color
>@@ -563,23 +569,25 @@
> static int
> fig_read_n_points(FILE *file, int n, Point **points) {
> int i;
>- Point *new_points;
>-
>- new_points = (Point*)g_malloc(sizeof(Point)*n);
>+ GArray *points_list = g_array_sized_new(FALSE, FALSE, sizeof(Point), n);
>
> for (i = 0; i < n; i++) {
> int x,y;
>+ Point p;
> if (fscanf(file, " %d %d ", &x, &y) != 2) {
> message_error(_("Error while reading %dth of %d points: %s\n"),
> i, n, strerror(errno));
>- free(new_points);
>+ g_array_free(points_list, TRUE);
> return FALSE;
> }
>- new_points[i].x = x/FIG_UNIT;
>- new_points[i].y = y/FIG_UNIT;
>+ p.x = x/FIG_UNIT;
>+ p.y = y/FIG_UNIT;
>+ g_array_append_val(points_list, p);
> }
> fscanf(file, "\n");
>- *points = new_points;
>+
>+ *points = (Point *)points_list->data;
>+ g_array_free(points_list, FALSE);
> return TRUE;
> }
>
>@@ -683,7 +691,7 @@
> return text_buf;
> }
>
>-static GList *depths[1000];
>+static GList *depths[FIG_MAX_DEPTHS];
>
> /* If there's something in the compound stack, we ignore the depth field,
> as it will be determined by the group anyway */
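Review bot: The new error message in fig_color hard-codes `512` while the guard above it tests `FIG_MAX_USER_COLORS`, so the text goes stale if the constant ever changes; pass the limit instead, e.g. `message_error(_("Color index %d too high, only %d colors allowed. Using black instead.\n"), color_index, FIG_MAX_USER_COLORS);`. The proposed string also adds the trailing `\n` that the other message_error calls in this patch carry and this one lacks. The bound is applied to color_index before FIG_MAX_DEFAULT_COLORS is subtracted, which keeps the fig_colors read in range but leaves the array's last FIG_MAX_DEFAULT_COLORS slots unreachable, assuming fig_colors holds FIG_MAX_USER_COLORS entries as the initialisation loop in a later hunk suggests.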
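Review bot: `n` reaches `g_array_sized_new(FALSE, FALSE, sizeof(Point), n)` in fig_read_n_points without any range check, and that argument is a `guint`, so a negative count converts to a very large reservation and a large positive count is preallocated before a single point has been parsed. The count presumably comes from the file being imported, so it should be validated first, e.g. `if (n < 0) return FALSE;` with a message, and the reservation could be dropped to `0` so the array only grows with points that were actually read. With n == 0 the loop never runs and `*points` may end up NULL, so callers outside this hunk should be checked for that case. Callers now receive a GLib-allocated buffer and should release it with g_free() rather than free().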
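Review bot: `FIG_MAX_DEPTHS` is used here and in several later hunks, but no hunk in this patch defines it, and the patch touches only xfig-import.c. Unless the plug-in's header already provides it, the definition needs to ship with this change, e.g. `#define FIG_MAX_DEPTHS 1000` next to FIG_MAX_USER_COLORS, matching the literal it replaces. A one-line comment on that definition saying it bounds both the depths array and every depth value read from a file would tie the checks together.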
>@@ -693,6 +701,26 @@
> level. Best we can do now. */
> static int compound_depth;
>
>+/** Add an object at a given depth. This function checks for depth limits
>+ * and updates the compound depth if needed.
>+ *
>+ * @param newobj An object to add. If we're inside a compound, this
>+ * doesn't really add the object.
>+ * @param depth A depth as in the Fig format, max 999
>+ */
>+static void
>+add_at_depth(DiaObject *newobj, int depth) {
>+ if (depth < 0 || depth >= FIG_MAX_DEPTHS) {
>+ message_error(_("Depth %d of of range, only 0-%d allowed.\n"),
>+ depth, FIG_MAX_DEPTHS-1);
>+ depth = FIG_MAX_DEPTHS - 1;
>+ }
>+ if (compound_stack == NULL)
>+ depths[depth] = g_list_append(depths[depth], newobj);
>+ else
>+ if (compound_depth > depth) compound_depth = depth;
>+}
>+
> static DiaObject *
> fig_read_ellipse(FILE *file, DiagramData *dia) {
> int sub_type;
>@@ -749,10 +777,7 @@
> /* Angle -- can't rotate yet */
>
> /* Depth field */
>- if (compound_stack == NULL)
>- depths[depth] = g_list_append(depths[depth], newobj);
>- else
>- if (compound_depth > depth) compound_depth = depth;
>+ add_at_depth(newobj, depth);
>
> return newobj;
> }
>@@ -885,10 +910,7 @@
> /* Cap style */
>
> /* Depth field */
>- if (compound_stack == NULL)
>- depths[depth] = g_list_append(depths[depth], newobj);
>- else
>- if (compound_depth > depth) compound_depth = depth;
>+ add_at_depth(newobj, depth);
> exit:
> prop_list_free(props);
> g_free(forward_arrow_info);
>@@ -1111,10 +1133,7 @@
> /* Cap style */
>
> /* Depth field */
>- if (compound_stack == NULL)
>- depths[depth] = g_list_append(depths[depth], newobj);
>- else
>- if (compound_depth > depth) compound_depth = depth;
>+ add_at_depth(newobj, depth);
> exit:
> prop_list_free(props);
> g_free(forward_arrow_info);
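Review bot: The translatable string in add_at_depth reads `"Depth %d of of range, only 0-%d allowed.\n"`; it should be `"Depth %d out of range, only 0-%d allowed.\n"`, and it is cheapest to fix before translators pick the string up. The doc comment states `max 999` literally, where `FIG_MAX_DEPTHS - 1` would stay true if the constant changes. An out-of-range depth, including a negative one, is moved to the deepest slot after the message is shown; a sentence in the comment saying that the value is clamped rather than the object dropped would document that choice for the callers converted in the following hunks.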
>@@ -1202,10 +1221,7 @@
> /* Cap style */
>
> /* Depth field */
>- if (compound_stack == NULL)
>- depths[depth] = g_list_append(depths[depth], newobj);
>- else
>- if (compound_depth > depth) compound_depth = depth;
>+ add_at_depth(newobj, depth);
>
> exit:
> g_free(forward_arrow_info);
>@@ -1298,10 +1314,7 @@
> newobj->ops->set_props(newobj, props);
>
> /* Depth field */
>- if (compound_stack == NULL)
>- depths[depth] = g_list_append(depths[depth], newobj);
>- else
>- if (compound_depth > depth) compound_depth = depth;
>+ add_at_depth(newobj, depth);
>
> exit:
> if (text_buf != NULL) free(text_buf);
>@@ -1347,6 +1360,12 @@
> return FALSE;
> }
>
>+ if (colornumber < 32 || colornumber > FIG_MAX_USER_COLORS) {
>+ message_error(_("Color number %d out of range 0..%d. Discarding color.\n"),
>+ colornumber, FIG_MAX_USER_COLORS);
>+ return FALSE;
>+ }
>+
> color.red = ((colorvalues & 0x00ff0000)>>16) / 255.0;
> color.green = ((colorvalues & 0x0000ff00)>>8) / 255.0;
> color.blue = (colorvalues & 0x000000ff) / 255.0;
>@@ -1393,7 +1412,7 @@
> }
> /* Group extends don't really matter */
> if (compound_stack == NULL)
>- compound_depth = 999;
>+ compound_depth = FIG_MAX_DEPTHS - 1;
> compound_stack = g_slist_append(compound_stack, NULL);
> return TRUE;
> break;
>@@ -1551,7 +1570,7 @@
> for (i = 0; i < FIG_MAX_USER_COLORS; i++) {
> fig_colors[i] = color_black;
> }
>- for (i = 0; i < 1000; i++) {
>+ for (i = 0; i < FIG_MAX_DEPTHS; i++) {
> depths[i] = NULL;
> }
>
>@@ -1606,7 +1625,7 @@
> } while (TRUE);
>
> /* Now we can reorder for the depth fields */
>- for (i = 0; i < 1000; i++) {
>+ for (i = 0; i < FIG_MAX_DEPTHS; i++) {
> if (depths[i] != NULL)
> layer_add_objects_first(dia->active_layer, depths[i]);
> }
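Review bot: The upper test in the new color-number check, `colornumber > FIG_MAX_USER_COLORS`, accepts a value equal to FIG_MAX_USER_COLORS, while fig_color in the first hunk rejects any index that is not `< FIG_MAX_USER_COLORS`, so such a color could be defined but never looked up; `colornumber >= FIG_MAX_USER_COLORS` would make the two checks agree. The literal `32` should be `FIG_MAX_DEFAULT_COLORS`, and the message prints the range as `0..%d` although the lower bound enforced is 32. The store into fig_colors lies outside this hunk, so the index it uses should be confirmed against the same limits.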