ports/122366: vulnerability on graphics/sdl_image
Marcus von Appen
mva at sysfault.org
Wed Apr 2 08:00:09 UTC 2008
The following reply was made to PR ports/122366; it has been noted by GNATS.
From: Marcus von Appen <mva at sysfault.org>
To: bug-followup at FreeBSD.org
Cc: turutani at scphys.kyoto-u.ac.jp
Subject: Re: ports/122366: vulnerability on graphics/sdl_image
Date: Wed, 2 Apr 2008 09:40:55 +0200
Thanks for the report.
A fix for both the GIF and LBM buffer overflows is attached.
Content-Type: text/x-diff; charset=us-ascii
Content-Disposition: attachment; filename="sdl_image.diff"
Content-Transfer-Encoding: quoted-printable
diff -Nur sdl_image/Makefile sdl_image.new/Makefile
--- sdl_image/Makefile 2008-03-13 15:05:28.000000000 +0100
+++ sdl_image.new/Makefile 2008-04-02 09:33:06.000000000 +0200
@@ -7,6 +7,7 @@
=20
PORTNAME=3D sdl_image
PORTVERSION=3D 1.2.6
+PORTREVISION=3D 1
CATEGORIES=3D graphics
MASTER_SITES=3D http://www.libsdl.org/projects/SDL_image/release/
DISTNAME=3D SDL_image-${PORTVERSION}
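Review bot: the PORTREVISION bump is the right accompaniment to the two new files/patch-* files, since the distfile stays at 1.2.6 but the built package changes and already-installed copies need to see a newer version to pick the fix up. Because this is a security fix, it should be paired with a security/vuxml entry referencing this PR so that portaudit can flag the unpatched 1.2.6 package; that entry is not part of this diff.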
diff -Nur sdl_image/files/patch-IMG_gif.c sdl_image.new/files/patch-IMG_gif=
=2Ec
--- sdl_image/files/patch-IMG_gif.c 1970-01-01 01:00:00.000000000 +0100
+++ sdl_image.new/files/patch-IMG_gif.c 2008-04-02 09:33:35.000000000 +0200
@@ -0,0 +1,13 @@
+--- IMG_gif.c 2007/02/13 10:09:17 2970
++++ IMG_gif.c 2007/12/28 16:43:56 3462
+@@ -418,6 +418,10 @@
+ static int stack[(1 << (MAX_LWZ_BITS)) * 2], *sp;
+ register int i;
+=20
++ /* Fixed buffer overflow found by Michael Skladnikiewicz */
++ if (input_code_size > MAX_LWZ_BITS)
++ return -1;
++
+ if (flag) {
+ set_code_size =3D input_code_size;
+ code_size =3D set_code_size + 1;
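Review bot: the new guard uses `>`, so `input_code_size == MAX_LWZ_BITS` is still accepted and the lines right after it set `code_size = set_code_size + 1`, one bit wider than MAX_LWZ_BITS; confirm that `stack[(1 << (MAX_LWZ_BITS)) * 2]` and the code table are indexed safely for codes of that width, or tighten the bound to what the GIF format actually permits. The check also only rejects oversized values; a zero or otherwise too-small code size is not rejected here, and the same spot would be the place to handle it.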
diff -Nur sdl_image/files/patch-IMG_lbm.c sdl_image.new/files/patch-IMG_lbm=
=2Ec
--- sdl_image/files/patch-IMG_lbm.c 1970-01-01 01:00:00.000000000 +0100
+++ sdl_image.new/files/patch-IMG_lbm.c 2008-04-02 09:33:25.000000000 +0200
@@ -0,0 +1,28 @@
+--- IMG_lbm.c 2007/07/20 04:37:11 3341
++++ IMG_lbm.c 2008/01/03 20:05:34 3521
+@@ -28,6 +28,7 @@
+ EHB and HAM (specific Amiga graphic chip modes) support added by Marc =
Le Douarain
+ (http://www.multimania.com/mavati) in December 2003.
+ Stencil and colorkey fixes by David Raulo (david.raulo AT free DOT fr)=
in February 2004.
++ Buffer overflow fix in RLE decompression by David Raulo in January 200=
8.
+ */
+=20
+ #include <stdio.h>
+@@ -328,7 +329,7 @@
+ count ^=3D 0xFF;
+ count +=3D 2; /* now it */
+=20
+- if ( !SDL_RWread( src, &color, 1, 1 ) )
++ if ( ( count > remainingbytes ) || !SDL_RWread( src, &color, 1, 1 )=
)
+ {
+ error=3D"error reading BODY chunk";
+ goto done;
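Review bot: `remainingbytes` is used in the new condition but nothing in this patch declares it, initialises it per row, or decrements it; either the upstream change this was taken from carries those hunks as well and they should be included here, or files/patch-IMG_lbm.c will not compile against 1.2.6. Note that in this branch only a single byte (`color`) is read from `src`, so the `count > remainingbytes` test is bounding what is subsequently written to the destination line rather than what is read; make sure `remainingbytes` tracks the output row and is reduced by `count` after this run, and a one-line comment to that effect would be clearer than the existing `/* now it */`.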
+@@ -339,7 +340,7 @@
+ {
+ ++count;
+=20
+- if ( !SDL_RWread( src, ptr, count, 1 ) )
++ if ( ( count > remainingbytes ) || !SDL_RWread( src, ptr, count, 1 =
) )
+ {
+ error=3D"error reading BODY chunk";
+ goto done;
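Review bot: the read of `count` bytes into `ptr` is now bounded by `remainingbytes`, but as with the RLE branch the variable must be decremented by `count` after this read and reset at the start of each row, and neither is in the visible hunks; the guard is only as good as that bookkeeping. The `++count` on the preceding line is evaluated before the comparison, which is what you want (the check sees the real run length), so keep the order if this block is touched again.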