summaryrefslogtreecommitdiff
path: root/gnu/packages/patches/freeimage-CVE-2015-0852.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/freeimage-CVE-2015-0852.patch')
-rw-r--r--gnu/packages/patches/freeimage-CVE-2015-0852.patch129
1 files changed, 0 insertions, 129 deletions
diff --git a/gnu/packages/patches/freeimage-CVE-2015-0852.patch b/gnu/packages/patches/freeimage-CVE-2015-0852.patch
deleted file mode 100644
index 34d538e925..0000000000
--- a/gnu/packages/patches/freeimage-CVE-2015-0852.patch
+++ /dev/null
@@ -1,129 +0,0 @@
-Copied from Debian.
-
-Description: fix integer overflow
-Origin: upstream
- http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?view=patch&r1=1.17&r2=1.18&pathrev=MAIN
- http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?view=patch&r1=1.18&r2=1.19&pathrev=MAIN
-Bug-Debian: https://bugs.debian.org/797165
-Last-Update: 2015-09-14
----
-This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
-Index: freeimage/Source/FreeImage/PluginPCX.cpp
-===================================================================
---- freeimage.orig/Source/FreeImage/PluginPCX.cpp
-+++ freeimage/Source/FreeImage/PluginPCX.cpp
-@@ -347,12 +347,14 @@ Load(FreeImageIO *io, fi_handle handle,
-
- try {
- // check PCX identifier
--
-- long start_pos = io->tell_proc(handle);
-- BOOL validated = pcx_validate(io, handle);
-- io->seek_proc(handle, start_pos, SEEK_SET);
-- if(!validated) {
-- throw FI_MSG_ERROR_MAGIC_NUMBER;
-+ // (note: should have been already validated using FreeImage_GetFileType but check again)
-+ {
-+ long start_pos = io->tell_proc(handle);
-+ BOOL validated = pcx_validate(io, handle);
-+ io->seek_proc(handle, start_pos, SEEK_SET);
-+ if(!validated) {
-+ throw FI_MSG_ERROR_MAGIC_NUMBER;
-+ }
- }
-
- // process the header
-@@ -366,20 +368,38 @@ Load(FreeImageIO *io, fi_handle handle,
- SwapHeader(&header);
- #endif
-
-- // allocate a new DIB
-+ // process the window
-+ const WORD *window = header.window; // left, upper, right,lower pixel coord.
-+ const int left = window[0];
-+ const int top = window[1];
-+ const int right = window[2];
-+ const int bottom = window[3];
-
-- unsigned width = header.window[2] - header.window[0] + 1;
-- unsigned height = header.window[3] - header.window[1] + 1;
-- unsigned bitcount = header.bpp * header.planes;
--
-- if (bitcount == 24) {
-- dib = FreeImage_AllocateHeader(header_only, width, height, bitcount, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
-- } else {
-- dib = FreeImage_AllocateHeader(header_only, width, height, bitcount);
-+ // check image size
-+ if((left >= right) || (top >= bottom)) {
-+ throw FI_MSG_ERROR_PARSING;
- }
-
-- // if the dib couldn't be allocated, throw an error
-+ const unsigned width = right - left + 1;
-+ const unsigned height = bottom - top + 1;
-+ const unsigned bitcount = header.bpp * header.planes;
-+
-+ // allocate a new DIB
-+ switch(bitcount) {
-+ case 1:
-+ case 4:
-+ case 8:
-+ dib = FreeImage_AllocateHeader(header_only, width, height, bitcount);
-+ break;
-+ case 24:
-+ dib = FreeImage_AllocateHeader(header_only, width, height, bitcount, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
-+ break;
-+ default:
-+ throw FI_MSG_ERROR_DIB_MEMORY;
-+ break;
-+ }
-
-+ // if the dib couldn't be allocated, throw an error
- if (!dib) {
- throw FI_MSG_ERROR_DIB_MEMORY;
- }
-@@ -426,19 +446,23 @@ Load(FreeImageIO *io, fi_handle handle,
-
- if (palette_id == 0x0C) {
- BYTE *cmap = (BYTE*)malloc(768 * sizeof(BYTE));
-- io->read_proc(cmap, 768, 1, handle);
-
-- pal = FreeImage_GetPalette(dib);
-- BYTE *pColormap = &cmap[0];
-+ if(cmap) {
-+ io->read_proc(cmap, 768, 1, handle);
-
-- for(int i = 0; i < 256; i++) {
-- pal[i].rgbRed = pColormap[0];
-- pal[i].rgbGreen = pColormap[1];
-- pal[i].rgbBlue = pColormap[2];
-- pColormap += 3;
-+ pal = FreeImage_GetPalette(dib);
-+ BYTE *pColormap = &cmap[0];
-+
-+ for(int i = 0; i < 256; i++) {
-+ pal[i].rgbRed = pColormap[0];
-+ pal[i].rgbGreen = pColormap[1];
-+ pal[i].rgbBlue = pColormap[2];
-+ pColormap += 3;
-+ }
-+
-+ free(cmap);
- }
-
-- free(cmap);
- }
-
- // wrong palette ID, perhaps a gray scale is needed ?
-@@ -466,9 +490,9 @@ Load(FreeImageIO *io, fi_handle handle,
- // calculate the line length for the PCX and the DIB
-
- // length of raster line in bytes
-- unsigned linelength = header.bytes_per_line * header.planes;
-+ const unsigned linelength = header.bytes_per_line * header.planes;
- // length of DIB line (rounded to DWORD) in bytes
-- unsigned pitch = FreeImage_GetPitch(dib);
-+ const unsigned pitch = FreeImage_GetPitch(dib);
-
- // run-length encoding ?
-