Commit 82c89b69 authored by Natanael Copa's avatar Natanael Copa

main/gimp: security fix (CVE-2011-2896)

ref #805
parent 1a21bc3a
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=gimp
pkgver=2.6.11
pkgrel=5
pkgrel=6
pkgdesc="GNU Image Manipulation Program"
url="http://www.gimp.org/"
arch="all"
......@@ -13,7 +13,8 @@ install=
subpackages="$pkgname-dev $pkgname-doc $pkgname-lang"
source="ftp://ftp.$pkgname.org/pub/$pkgname/v2.6/$pkgname-$pkgver.tar.bz2
gimp-libpng1.5-compat.patch
gimp-curl-fix.patch"
gimp-curl-fix.patch
cve-2011-2896.patch"
_builddir="${srcdir}/${pkgname}-${pkgver}"
prepare() {
......@@ -54,4 +55,5 @@ package() {
md5sums="bb2939fe13e54fc7255cef5d097bb5dd gimp-2.6.11.tar.bz2
7dfc4006676fdea887f1883ccc6c7772 gimp-libpng1.5-compat.patch
678010acec374e06140e65f7de24ff69 gimp-curl-fix.patch"
678010acec374e06140e65f7de24ff69 gimp-curl-fix.patch
c317eae455c808b8434e9b600afee648 cve-2011-2896.patch"
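Review bot: The only integrity pin for the new `cve-2011-2896.patch` entry, and for the tarball that `source=` fetches over plain `ftp://`, is an MD5 digest in `md5sums`. FTP gives no transport integrity and MD5 no longer offers collision resistance, so this is a weak control over what goes into a security-fix build. If the abuild version in use accepts a stronger digest list, add one next to `md5sums`, e.g. `sha512sums="<sha512-of-patch>  cve-2011-2896.patch"` (placeholder digest) with matching entries for the other sources. Prefer an HTTPS location for the tarball if upstream offers one. This predates the commit and applies to the whole `source`/`md5sums` pair, not only the added lines.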
From 376ad788c1a1c31d40f18494889c383f6909ebfc Mon Sep 17 00:00:00 2001
From: Nils Philippsen <nils@redhat.com>
Date: Thu, 04 Aug 2011 10:51:42 +0000
Subject: file-gif-load: fix heap corruption and buffer overflow (CVE-2011-2896)
---
(limited to 'plug-ins/common/file-gif-load.c')
diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
index 81f3bd0..c91e7aa 100644
--- a/plug-ins/common/file-gif-load.c
+++ b/plug-ins/common/file-gif-load.c
@@ -713,7 +713,8 @@ LZWReadByte (FILE *fd,
static gint firstcode, oldcode;
static gint clear_code, end_code;
static gint table[2][(1 << MAX_LZW_BITS)];
- static gint stack[(1 << (MAX_LZW_BITS)) * 2], *sp;
+#define STACK_SIZE ((1 << (MAX_LZW_BITS)) * 2)
+ static gint stack[STACK_SIZE], *sp;
gint i;
if (just_reset_LZW)
@@ -788,7 +789,7 @@ LZWReadByte (FILE *fd,
return firstcode & 255;
}
- else if (code == end_code)
+ else if (code == end_code || code > max_code)
{
gint count;
guchar buf[260];
@@ -807,13 +808,14 @@ LZWReadByte (FILE *fd,
incode = code;
- if (code >= max_code)
+ if (code == max_code)
{
- *sp++ = firstcode;
+ if (sp < &(stack[STACK_SIZE]))
+ *sp++ = firstcode;
code = oldcode;
}
- while (code >= clear_code)
+ while (code >= clear_code && sp < &(stack[STACK_SIZE]))
{
*sp++ = table[1][code];
if (code == table[0][code])
@@ -824,7 +826,8 @@ LZWReadByte (FILE *fd,
code = table[0][code];
}
- *sp++ = firstcode = table[1][code];
+ if (sp < &(stack[STACK_SIZE]))
+ *sp++ = firstcode = table[1][code];
if ((code = max_code) < (1 << MAX_LZW_BITS))
{
--
cgit v0.9.0.2
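Review bot: The new `sp < &(stack[STACK_SIZE])` guards in the third and fourth hunks stop the write past `stack`, but once the bound is hit the decoder carries on silently instead of rejecting the stream. The `while` loop then exits with `code` still `>= clear_code`, and because the guard wraps the whole statement `*sp++ = firstcode = table[1][code];`, `firstcode` is not updated either, so later state is presumably built from a stale value. A stream that exhausts the stack is malformed, so it would be safer to fail closed: add `if (code >= clear_code) { /* stack exhausted: corrupt stream */ }` right after the loop and leave through the function's existing error path, as the circular-entry test at `if (code == table[0][code])` appears to do (its body and the rest of `LZWReadByte` lie outside the hunks). Separately, the `(limited to 'plug-ins/common/file-gif-load.c')` line shows the patch was exported with a path filter, so confirm the upstream commit changes nothing outside this file.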