Commit 6f6c15d5 authored by Natanael Copa

main/gimp: upgrade to 2.6.12 and fix CVE-2012-2763

fixes #1199
parent 1f439479
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=gimp
pkgver=2.6.11
pkgrel=6
pkgver=2.6.12
pkgrel=0
pkgdesc="GNU Image Manipulation Program"
url="http://www.gimp.org/"
arch="all"
......@@ -12,9 +12,8 @@ makedepends="gtk+-dev libxpm-dev libxmu-dev librsvg-dev dbus-glib-dev
install=
subpackages="$pkgname-dev $pkgname-doc $pkgname-lang"
source="ftp://ftp.$pkgname.org/pub/$pkgname/v2.6/$pkgname-$pkgver.tar.bz2
gimp-libpng1.5-compat.patch
gimp-curl-fix.patch
cve-2011-2896.patch"
CVE-2012-2763.patch
"
_builddir="${srcdir}/${pkgname}-${pkgver}"
prepare() {
......@@ -53,7 +52,5 @@ package() {
find "$pkgdir" -name '*.la' -delete
}
md5sums="bb2939fe13e54fc7255cef5d097bb5dd gimp-2.6.11.tar.bz2
7dfc4006676fdea887f1883ccc6c7772 gimp-libpng1.5-compat.patch
678010acec374e06140e65f7de24ff69 gimp-curl-fix.patch
c317eae455c808b8434e9b600afee648 cve-2011-2896.patch"
md5sums="9f876ee63a0c4a4c83f50f32fb3bbe63 gimp-2.6.12.tar.bz2
5ec673cf5c153af8a19eb264bea5d3f5 CVE-2012-2763.patch"
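Review bot: The new `md5sums` entries are the only integrity check on a tarball that `source=` still fetches over plain `ftp://`, and MD5 does not resist deliberate collisions, so this is weak protection for a security update. If the abuild version in use accepts a stronger digest, record one alongside it (placeholder: `sha256sums="<sha256-of-gimp-2.6.12.tar.bz2>  gimp-2.6.12.tar.bz2"`) and compare the tarball against an upstream-published checksum or signature before committing the value. Dropping `cve-2011-2896.patch` presumably relies on 2.6.12 carrying that fix upstream; a short comment such as `# CVE-2011-2896 fixed upstream in 2.6.12 (confirm)` would let the next maintainer verify it.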
From 744f7a4a2b5acb8b531a6f5dd8744ebb95348fc2 Mon Sep 17 00:00:00 2001
From: Kevin Cozens <kcozens@cvs.gnome.org>
Date: Mon, 17 Aug 2009 23:29:02 +0000
Subject: script-fu: Bug #679215: Fixed potential buffer overflow in readstr_upto()
Cherry picked from commit 76155d79df8d497d9a5994029247387e222da9e9.
gimp-2-6 is no longer maintained. But we might as well commit this for
the benefit of EL/LTS distros. This patch hasn't even been compiled, so
YMMV. Enjoy.
---
diff --git a/plug-ins/script-fu/tinyscheme/scheme.c b/plug-ins/script-fu/tinyscheme/scheme.c
index 60440fc..1f509f2 100644
--- a/plug-ins/script-fu/tinyscheme/scheme.c
+++ b/plug-ins/script-fu/tinyscheme/scheme.c
@@ -1710,7 +1710,7 @@ static char *readstr_upto(scheme *sc, char *delim) {
char *p = sc->strbuff;
gunichar c = 0;
gunichar c_prev = 0;
- int len = 0;
+ int len = 0;
#if 0
while (!is_one_of(delim, (*p++ = inchar(sc))))
@@ -1727,7 +1727,8 @@ static char *readstr_upto(scheme *sc, char *delim) {
c = inchar(sc);
len = g_unichar_to_utf8(c, p);
p += len;
- } while (c && !is_one_of(delim, c));
+ } while ((p - sc->strbuff < sizeof(sc->strbuff)) &&
+ (c && !is_one_of(delim, c)));
if(p==sc->strbuff+2 && c_prev=='\\')
*p = '\0';
@@ -2053,9 +2054,11 @@ static void atom2str(scheme *sc, pointer l, int f, char **pp, int *plen) {
default:
#if USE_ASCII_NAMES
if(c==127) {
- strcpy(p,"#\\del"); break;
+ snprintf(p,STRBUFFSIZE, "#\\del");
+ break;
} else if(c<32) {
- strcpy(p,"#\\"); strcat(p,charnames[c]); break;
+ snprintf(p,STRBUFFSIZE, "#\\%s", charnames[c]);
+ break;
}
#else
if(c<32) {
@@ -2655,7 +2658,7 @@ static pointer opexe_0(scheme *sc, enum scheme_opcodes op) {
if(sc->tracing) {
s_save(sc,OP_REAL_APPLY,sc->args,sc->code);
sc->print_flag = 1;
- /* sc->args=cons(sc,sc->code,sc->args);*/
+ /* sc->args=cons(sc,sc->code,sc->args);*/
putstr(sc,"\nApply to: ");
s_goto(sc,OP_P0LIST);
}
@@ -2769,7 +2772,7 @@ static pointer opexe_0(scheme *sc, enum scheme_opcodes op) {
case OP_SET0: /* set! */
if(is_immutable(car(sc->code)))
- Error_1(sc,"set!: unable to alter immutable variable", car(sc->code));
+ Error_1(sc,"set!: unable to alter immutable variable",car(sc->code));
s_save(sc,OP_SET1, sc->NIL, car(sc->code));
sc->code = cadr(sc->code);
s_goto(sc,OP_EVAL);
@@ -3593,17 +3596,11 @@ static pointer opexe_2(scheme *sc, enum scheme_opcodes op) {
static int is_list(scheme *sc, pointer a)
{ return list_length(sc,a) >= 0; }
-/* Result is:
- proper list: length
- circular list: -1
- not even a pair: -2
- dotted list: -2 minus length before dot
-*/
-int list_length(scheme *sc, pointer a) {
+int list_length(scheme *sc, pointer p) {
int i=0;
pointer slow, fast;
- slow = fast = a;
+ slow = fast = p;
while (1)
{
if (fast == sc->NIL)
@@ -4156,13 +4153,13 @@ static pointer opexe_5(scheme *sc, enum scheme_opcodes op) {
case OP_RDVEC:
/*sc->code=cons(sc,mk_proc(sc,OP_VECTOR),sc->value);
s_goto(sc,OP_EVAL); Cannot be quoted*/
- /*x=cons(sc,mk_proc(sc,OP_VECTOR),sc->value);
- s_return(sc,x); Cannot be part of pairs*/
- /*sc->code=mk_proc(sc,OP_VECTOR);
- sc->args=sc->value;
- s_goto(sc,OP_APPLY);*/
- sc->args=sc->value;
- s_goto(sc,OP_VECTOR);
+ /*x=cons(sc,mk_proc(sc,OP_VECTOR),sc->value);
+ s_return(sc,x); Cannot be part of pairs*/
+ /*sc->code=mk_proc(sc,OP_VECTOR);
+ sc->args=sc->value;
+ s_goto(sc,OP_APPLY);*/
+ sc->args=sc->value;
+ s_goto(sc,OP_VECTOR);
/* ========== printing part ========== */
case OP_P0LIST:
diff --git a/plug-ins/script-fu/tinyscheme/scheme.h b/plug-ins/script-fu/tinyscheme/scheme.h
index 92edba6..c3bf08e 100644
--- a/plug-ins/script-fu/tinyscheme/scheme.h
+++ b/plug-ins/script-fu/tinyscheme/scheme.h
@@ -198,7 +198,7 @@ struct scheme_interface {
gunichar (*charvalue)(pointer p);
int (*is_list)(scheme *sc, pointer p);
int (*is_vector)(pointer p);
- int (*list_length)(scheme *sc, pointer a);
+ int (*list_length)(scheme *sc, pointer p);
long (*vector_length)(pointer vec);
void (*fill_vector)(pointer vec, pointer elem);
pointer (*vector_elem)(pointer vec, int ielem);
--
cgit v0.9.0.2
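Review bot: In the readstr_upto hunk the new bound `(p - sc->strbuff < sizeof(sc->strbuff))` is tested only after `g_unichar_to_utf8(c, p)` has written and `p += len` has advanced, so the final iteration can still write past the end of `strbuff`. GLib's g_unichar_to_utf8 may emit up to 6 bytes per character, and the terminator stored after the loop needs a byte too. Reserving that headroom in the condition closes the gap, e.g. `} while ((p - sc->strbuff < sizeof(sc->strbuff) - 6) &&`, which leaves room for one more 6-byte sequence plus the terminator. readstr_upto begins and ends outside the hunk, so the terminator handling after the loop should be rechecked against the full function. The patch description states it was never compiled, so it should be built and covered by a regression test that reads a token longer than the buffer before shipping.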
From 376ad788c1a1c31d40f18494889c383f6909ebfc Mon Sep 17 00:00:00 2001
From: Nils Philippsen <nils@redhat.com>
Date: Thu, 04 Aug 2011 10:51:42 +0000
Subject: file-gif-load: fix heap corruption and buffer overflow (CVE-2011-2896)
---
(limited to 'plug-ins/common/file-gif-load.c')
diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
index 81f3bd0..c91e7aa 100644
--- a/plug-ins/common/file-gif-load.c
+++ b/plug-ins/common/file-gif-load.c
@@ -713,7 +713,8 @@ LZWReadByte (FILE *fd,
static gint firstcode, oldcode;
static gint clear_code, end_code;
static gint table[2][(1 << MAX_LZW_BITS)];
- static gint stack[(1 << (MAX_LZW_BITS)) * 2], *sp;
+#define STACK_SIZE ((1 << (MAX_LZW_BITS)) * 2)
+ static gint stack[STACK_SIZE], *sp;
gint i;
if (just_reset_LZW)
@@ -788,7 +789,7 @@ LZWReadByte (FILE *fd,
return firstcode & 255;
}
- else if (code == end_code)
+ else if (code == end_code || code > max_code)
{
gint count;
guchar buf[260];
@@ -807,13 +808,14 @@ LZWReadByte (FILE *fd,
incode = code;
- if (code >= max_code)
+ if (code == max_code)
{
- *sp++ = firstcode;
+ if (sp < &(stack[STACK_SIZE]))
+ *sp++ = firstcode;
code = oldcode;
}
- while (code >= clear_code)
+ while (code >= clear_code && sp < &(stack[STACK_SIZE]))
{
*sp++ = table[1][code];
if (code == table[0][code])
@@ -824,7 +826,8 @@ LZWReadByte (FILE *fd,
code = table[0][code];
}
- *sp++ = firstcode = table[1][code];
+ if (sp < &(stack[STACK_SIZE]))
+ *sp++ = firstcode = table[1][code];
if ((code = max_code) < (1 << MAX_LZW_BITS))
{
--
cgit v0.9.0.2
diff --git a/plug-ins/file-uri/uri-backend-libcurl.c b/plug-ins/file-uri/uri-backend-libcurl.c
index a566966..747dca7 100644
--- a/plug-ins/file-uri/uri-backend-libcurl.c
+++ b/plug-ins/file-uri/uri-backend-libcurl.c
@@ -24,7 +24,6 @@
#include <errno.h>
#include <curl/curl.h>
-#include <curl/types.h>
#include <curl/easy.h>
#include <glib/gstdio.h>
From 2a53e15a7a373c13dec4333c5dd8d2cfde9ebd40 Mon Sep 17 00:00:00 2001
From: Thomas Klausner <wiz@danbala.tuwien.ac.at>
Date: Mon, 24 Jan 2011 18:06:50 +0100
Subject: [PATCH] Bug 640409 - png-1.5 compatibility fixes
---
plug-ins/common/file-png.c | 138 +++++++++++++++++++++++++++-----------------
1 files changed, 84 insertions(+), 54 deletions(-)
diff --git a/plug-ins/common/file-png.c b/plug-ins/common/file-png.c
index be3b4c6..2ccd0e5 100644
--- a/plug-ins/common/file-png.c
+++ b/plug-ins/common/file-png.c
@@ -652,7 +652,11 @@ on_read_error (png_structp png_ptr, png_const_charp error_msg)
error_data->drawable->width, num);
}
+#if (PNG_LIBPNG_VER < 10500)
longjmp (png_ptr->jmpbuf, 1);
+#else
+ png_longjmp (png_ptr, 1);
+#endif
}
/*
@@ -696,7 +700,7 @@ load_image (const gchar *filename,
pp = png_create_read_struct (PNG_LIBPNG_VER_STRING, NULL, NULL, NULL);
info = png_create_info_struct (pp);
- if (setjmp (pp->jmpbuf))
+ if (setjmp (png_jmpbuf(pp)))
{
g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
_("Error while reading '%s'. File corrupted?"),
@@ -737,17 +741,19 @@ load_image (const gchar *filename,
* Latest attempt, this should be my best yet :)
*/
- if (info->bit_depth == 16)
+ if (png_get_bit_depth(pp, info) == 16)
{
png_set_strip_16 (pp);
}
- if (info->color_type == PNG_COLOR_TYPE_GRAY && info->bit_depth < 8)
+ if (png_get_color_type(pp, info) == PNG_COLOR_TYPE_GRAY &&
+ png_get_bit_depth(pp, info) < 8)
{
png_set_expand (pp);
}
- if (info->color_type == PNG_COLOR_TYPE_PALETTE && info->bit_depth < 8)
+ if (png_get_color_type(pp, info) == PNG_COLOR_TYPE_PALETTE &&
+ png_get_bit_depth(pp, info) < 8)
{
png_set_packing (pp);
}
@@ -756,8 +762,8 @@ load_image (const gchar *filename,
* Expand G+tRNS to GA, RGB+tRNS to RGBA
*/
- if (info->color_type != PNG_COLOR_TYPE_PALETTE &&
- (info->valid & PNG_INFO_tRNS))
+ if (png_get_color_type(pp, info) != PNG_COLOR_TYPE_PALETTE &&
+ png_get_valid(pp, info, PNG_INFO_tRNS) != 0)
{
png_set_expand (pp);
}
@@ -774,7 +780,7 @@ load_image (const gchar *filename,
*/
if (png_get_valid (pp, info, PNG_INFO_tRNS) &&
- info->color_type == PNG_COLOR_TYPE_PALETTE)
+ png_get_color_type(pp, info) == PNG_COLOR_TYPE_PALETTE)
{
png_get_tRNS (pp, info, &alpha_ptr, &num, NULL);
/* Copy the existing alpha values from the tRNS chunk */
@@ -796,7 +802,7 @@ load_image (const gchar *filename,
png_read_update_info (pp, info);
- switch (info->color_type)
+ switch (png_get_color_type(pp, info))
{
case PNG_COLOR_TYPE_RGB: /* RGB */
bpp = 3;
@@ -835,7 +841,9 @@ load_image (const gchar *filename,
return -1;
}
- image = gimp_image_new (info->width, info->height, image_type);
+ image = gimp_image_new (png_get_image_width(pp, info),
+ png_get_image_height(pp, info),
+ image_type);
if (image == -1)
{
g_set_error (error, 0, 0,
@@ -848,7 +856,9 @@ load_image (const gchar *filename,
* Create the "background" layer to hold the image...
*/
- layer = gimp_layer_new (image, _("Background"), info->width, info->height,
+ layer = gimp_layer_new (image, _("Background"),
+ png_get_image_width(pp, info),
+ png_get_image_height(pp, info),
layer_type, 100, GIMP_NORMAL_MODE);
gimp_image_insert_layer (image, layer, -1, 0);
@@ -882,7 +892,8 @@ load_image (const gchar *filename,
gimp_layer_set_offsets (layer, offset_x, offset_y);
- if ((abs (offset_x) > info->width) || (abs (offset_y) > info->height))
+ if ((abs (offset_x) > png_get_image_width(pp, info)) ||
+ (abs (offset_y) > png_get_image_height(pp, info)))
{
if (interactive)
g_message (_("The PNG file specifies an offset that caused "
@@ -937,23 +948,27 @@ load_image (const gchar *filename,
empty = 0; /* by default assume no full transparent palette entries */
- if (info->color_type & PNG_COLOR_MASK_PALETTE)
+ if (png_get_color_type(pp, info) & PNG_COLOR_MASK_PALETTE)
{
+ png_colorp palette;
+ int num_palette;
+ png_get_PLTE(pp, info, &palette, &num_palette);
+
if (png_get_valid (pp, info, PNG_INFO_tRNS))
{
for (empty = 0; empty < 256 && alpha[empty] == 0; ++empty)
/* Calculates number of fully transparent "empty" entries */;
/* keep at least one entry */
- empty = MIN (empty, info->num_palette - 1);
+ empty = MIN (empty, num_palette - 1);
- gimp_image_set_colormap (image, (guchar *) (info->palette + empty),
- info->num_palette - empty);
+ gimp_image_set_colormap (image, (guchar *) (palette + empty),
+ num_palette - empty);
}
else
{
- gimp_image_set_colormap (image, (guchar *) info->palette,
- info->num_palette);
+ gimp_image_set_colormap (image, (guchar *) palette,
+ num_palette);
}
}
@@ -971,18 +986,20 @@ load_image (const gchar *filename,
*/
tile_height = gimp_tile_height ();
- pixel = g_new0 (guchar, tile_height * info->width * bpp);
+ pixel = g_new0 (guchar, tile_height * png_get_image_width(pp, info) * bpp);
pixels = g_new (guchar *, tile_height);
for (i = 0; i < tile_height; i++)
- pixels[i] = pixel + info->width * info->channels * i;
+ pixels[i] = pixel + (png_get_image_width(pp, info) *
+ png_get_channels(pp, info) *
+ i);
/* Install our own error handler to handle incomplete PNG files better */
error_data.drawable = drawable;
error_data.pixel = pixel;
error_data.tile_height = tile_height;
- error_data.width = info->width;
- error_data.height = info->height;
+ error_data.width = png_get_image_width(pp, info);
+ error_data.height = png_get_image_height(pp, info);
error_data.bpp = bpp;
error_data.pixel_rgn = &pixel_rgn;
@@ -995,10 +1012,11 @@ load_image (const gchar *filename,
*/
for (begin = 0, end = tile_height;
- begin < info->height; begin += tile_height, end += tile_height)
+ begin < png_get_image_height(pp, info);
+ begin += tile_height, end += tile_height)
{
- if (end > info->height)
- end = info->height;
+ if (end > png_get_image_height(pp, info))
+ end = png_get_image_height(pp, info);
num = end - begin;
@@ -1015,10 +1033,11 @@ load_image (const gchar *filename,
gimp_pixel_rgn_set_rect (&pixel_rgn, pixel, 0, begin,
drawable->width, num);
- memset (pixel, 0, tile_height * info->width * bpp);
+ memset (pixel, 0, tile_height * png_get_image_width(pp, info) * bpp);
gimp_progress_update (((gdouble) pass +
- (gdouble) end / (gdouble) info->height) /
+ (gdouble) end /
+ (gdouble) png_get_image_height(pp, info)) /
(gdouble) num_passes);
}
}
@@ -1071,7 +1090,8 @@ load_image (const gchar *filename,
{
png_uint_32 proflen;
- png_charp profname, profile;
+ png_charp profname;
+ png_bytep profile;
int profcomp;
if (png_get_iCCP (pp, info, &profname, &profcomp, &profile, &proflen))
@@ -1199,6 +1219,8 @@ save_image (const gchar *filename,
guchar red, green, blue; /* Used for palette background */
time_t cutime; /* Time since epoch */
struct tm *gmt; /* GMT broken down */
+ int color_type; /* type of colors in image */
+ int bit_depth; /* width of colors in bit */
guchar remap[256]; /* Re-mapping for the palette */
@@ -1207,7 +1229,9 @@ save_image (const gchar *filename,
if (pngvals.comment)
{
GimpParasite *parasite;
+#ifndef PNG_iTXt_SUPPORTED
gsize text_length = 0;
+#endif
parasite = gimp_image_parasite_find (orig_image_ID, "gimp-comment");
if (parasite)
@@ -1248,7 +1272,7 @@ save_image (const gchar *filename,
pp = png_create_write_struct (PNG_LIBPNG_VER_STRING, NULL, NULL, NULL);
info = png_create_info_struct (pp);
- if (setjmp (pp->jmpbuf))
+ if (setjmp (png_jmpbuf(pp)))
{
g_set_error (error, 0, 0,
_("Error while saving '%s'. Could not save image."),
@@ -1290,11 +1314,6 @@ save_image (const gchar *filename,
png_set_compression_level (pp, pngvals.compression_level);
- info->width = drawable->width;
- info->height = drawable->height;
- info->bit_depth = 8;
- info->interlace_type = pngvals.interlaced;
-
/*
* Initialise remap[]
*/
@@ -1308,37 +1327,36 @@ save_image (const gchar *filename,
switch (type)
{
case GIMP_RGB_IMAGE:
- info->color_type = PNG_COLOR_TYPE_RGB;
+ color_type = PNG_COLOR_TYPE_RGB;
bpp = 3;
break;
case GIMP_RGBA_IMAGE:
- info->color_type = PNG_COLOR_TYPE_RGB_ALPHA;
+ color_type = PNG_COLOR_TYPE_RGB_ALPHA;
bpp = 4;
break;
case GIMP_GRAY_IMAGE:
- info->color_type = PNG_COLOR_TYPE_GRAY;
+ color_type = PNG_COLOR_TYPE_GRAY;
bpp = 1;
break;
case GIMP_GRAYA_IMAGE:
- info->color_type = PNG_COLOR_TYPE_GRAY_ALPHA;
+ color_type = PNG_COLOR_TYPE_GRAY_ALPHA;
bpp = 2;
break;
case GIMP_INDEXED_IMAGE:
bpp = 1;
- info->color_type = PNG_COLOR_TYPE_PALETTE;
- info->valid |= PNG_INFO_PLTE;
- info->palette =
- (png_colorp) gimp_image_get_colormap (image_ID, &num_colors);
- info->num_palette = num_colors;
+ color_type = PNG_COLOR_TYPE_PALETTE;
+ png_set_PLTE(pp, info,
+ (png_colorp) gimp_image_get_colormap (image_ID, &num_colors),
+ num_colors);
break;
case GIMP_INDEXEDA_IMAGE:
bpp = 2;
- info->color_type = PNG_COLOR_TYPE_PALETTE;
+ color_type = PNG_COLOR_TYPE_PALETTE;
/* fix up transparency */
respin_cmap (pp, info, remap, image_ID, drawable);
break;
@@ -1352,17 +1370,28 @@ save_image (const gchar *filename,
* Fix bit depths for (possibly) smaller colormap images
*/
- if (info->valid & PNG_INFO_PLTE)
+ bit_depth = 8;
+
+ if (png_get_valid(pp, info, PNG_INFO_PLTE))
{
- if (info->num_palette <= 2)
- info->bit_depth = 1;
- else if (info->num_palette <= 4)
- info->bit_depth = 2;
- else if (info->num_palette <= 16)
- info->bit_depth = 4;
+ png_colorp palette;
+ int num_palette;
+ png_get_PLTE(pp, info, &palette, &num_palette);
+
+ if (num_palette <= 2)
+ bit_depth = 1;
+ else if (num_palette <= 4)
+ bit_depth = 2;
+ else if (num_palette <= 16)
+ bit_depth = 4;
/* otherwise the default is fine */
}
+ png_set_IHDR(pp, info,
+ drawable->width, drawable->height, bit_depth, color_type,
+ pngvals.interlaced ? PNG_INTERLACE_ADAM7 : PNG_INTERLACE_NONE,
+ PNG_COMPRESSION_TYPE_BASE, PNG_FILTER_TYPE_BASE);
+
/* All this stuff is optional extras, if the user is aiming for smallest
possible file size she can turn them all off */
@@ -1476,7 +1505,8 @@ save_image (const gchar *filename,
* Convert unpacked pixels to packed if necessary
*/
- if (info->color_type == PNG_COLOR_TYPE_PALETTE && info->bit_depth < 8)
+ if (png_get_color_type(pp, info) ==
+ PNG_COLOR_TYPE_PALETTE && png_get_bit_depth(pp, info) < 8)
png_set_packing (pp);
/*
@@ -1528,7 +1558,7 @@ save_image (const gchar *filename,
/* If we're dealing with a paletted image with
* transparency set, write out the remapped palette */
- if (info->valid & PNG_INFO_tRNS)
+ if (png_get_valid(pp, info, PNG_INFO_tRNS))
{
guchar inverse_remap[256];
@@ -1548,7 +1578,7 @@ save_image (const gchar *filename,
}
/* Otherwise if we have a paletted image and transparency
* couldn't be set, we ignore the alpha channel */
- else if (info->valid & PNG_INFO_PLTE && bpp == 2)
+ else if (png_get_valid(pp, info, PNG_INFO_PLTE) && bpp == 2)
{
for (i = 0; i < num; ++i)
{
@@ -1563,7 +1593,7 @@ save_image (const gchar *filename,
png_write_rows (pp, pixels, num);
gimp_progress_update (((double) pass + (double) end /
- (double) info->height) /
+ (double) png_get_image_height(pp, info)) /
(double) num_passes);
}
}
--
1.7.3.4