author: Koop Mast <kwm@FreeBSD.org> 2015-12-13 20:26:24 +0000
committer: Koop Mast <kwm@FreeBSD.org> 2015-12-13 20:26:24 +0000
commit: 1efaab26442d22a2db9f036dda9cc39ddfb93285 (patch)
tree: 0e4b5c0ffef04651b736689ed98c96d022125b5c /graphics
parent: 3970d847b034fa562cc2b2157d87670b8d90ad1a (diff)
3 files changed, 167 insertions, 1 deletions
diff --git a/graphics/freeimage/Makefile b/graphics/freeimage/Makefile
index 378084f043e3..e572a5313133 100644
--- a/graphics/freeimage/Makefile
+++ b/graphics/freeimage/Makefile
@@ -3,6 +3,7 @@
 
 PORTNAME=	freeimage
 PORTVERSION=	3.16.0
+PORTREVISION=	1
 # Version 3.17.0 is available, but does not build on i386 (and probably
 # other 32-bit arches) without some not-quite-trivial patching.  If one
 # decides to update the port, please make sure 32-bit builds are tested!
@@ -14,7 +15,9 @@ MAINTAINER=	ports@FreeBSD.org
 COMMENT=	Simple C/C++ bitmap graphics library
 
 USES=		dos2unix gmake zip
-DOS2UNIX_FILES=	Source/LibOpenJPEG/opj_malloc.h
+DOS2UNIX_FILES=	Source/LibOpenJPEG/opj_malloc.h \
+		Source/LibRawLite/dcraw/dcraw.c \
+		Source/LibRawLite/internal/dcraw_common.cpp
 USE_LDCONFIG=	yes
 WRKSRC=		${WRKDIR}/FreeImage
 MAKE_ARGS=	CC="${CC}" CPP="${CPP}" CXX="${CXX}"
diff --git a/graphics/freeimage/files/patch-integer_overflow b/graphics/freeimage/files/patch-integer_overflow
new file mode 100644
index 000000000000..d583cc630077
--- /dev/null
+++ b/graphics/freeimage/files/patch-integer_overflow
@@ -0,0 +1,129 @@
+CVE-2015-0852
+
+Description: fix integer overflow
+Origin: upstream
+ http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?view=patch&r1=1.17&r2=1.18&pathrev=MAIN
+ http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?view=patch&r1=1.18&r2=1.19&pathrev=MAIN
+Bug-Debian: https://bugs.debian.org/797165
+Last-Update: 2015-09-14
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: freeimage/Source/FreeImage/PluginPCX.cpp
+===================================================================
+--- freeimage.orig/Source/FreeImage/PluginPCX.cpp
++++ Source/FreeImage/PluginPCX.cpp
+@@ -347,12 +347,14 @@ Load(FreeImageIO *io, fi_handle handle,
+ 
+ 	try {
+ 		// check PCX identifier
+-
+-		long start_pos = io->tell_proc(handle);
+-		BOOL validated = pcx_validate(io, handle);		
+-		io->seek_proc(handle, start_pos, SEEK_SET);
+-		if(!validated) {
+-			throw FI_MSG_ERROR_MAGIC_NUMBER;
++		// (note: should have been already validated using FreeImage_GetFileType but check again)
++		{
++			long start_pos = io->tell_proc(handle);
++			BOOL validated = pcx_validate(io, handle);
++			io->seek_proc(handle, start_pos, SEEK_SET);
++			if(!validated) {
++				throw FI_MSG_ERROR_MAGIC_NUMBER;
++			}
+ 		}
+ 
+ 		// process the header
+@@ -366,20 +368,38 @@ Load(FreeImageIO *io, fi_handle handle,
+ 		SwapHeader(&header);
+ #endif
+ 
+-		// allocate a new DIB
++		// process the window
++		const WORD *window = header.window;	// left, upper, right,lower pixel coord.
++		const int left		= window[0];
++		const int top		= window[1];
++		const int right		= window[2];
++		const int bottom	= window[3];
+ 
+-		unsigned width = header.window[2] - header.window[0] + 1;
+-		unsigned height = header.window[3] - header.window[1] + 1;
+-		unsigned bitcount = header.bpp * header.planes;
+-
+-		if (bitcount == 24) {
+-			dib = FreeImage_AllocateHeader(header_only, width, height, bitcount, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
+-		} else {
+-			dib = FreeImage_AllocateHeader(header_only, width, height, bitcount);			
++		// check image size
++		if((left >= right) || (top >= bottom)) {
++			throw FI_MSG_ERROR_PARSING;
+ 		}
+ 
+-		// if the dib couldn't be allocated, throw an error
++		const unsigned width = right - left + 1;
++		const unsigned height = bottom - top + 1;
++		const unsigned bitcount = header.bpp * header.planes;
++
++		// allocate a new DIB
++		switch(bitcount) {
++			case 1:
++			case 4:
++			case 8:
++				dib = FreeImage_AllocateHeader(header_only, width, height, bitcount);
++				break;
++			case 24:
++				dib = FreeImage_AllocateHeader(header_only, width, height, bitcount, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
++				break;
++			default:
++				throw FI_MSG_ERROR_DIB_MEMORY;
++				break;
++		}
+ 
++		// if the dib couldn't be allocated, throw an error
+ 		if (!dib) {
+ 			throw FI_MSG_ERROR_DIB_MEMORY;
+ 		}
+@@ -426,19 +446,23 @@ Load(FreeImageIO *io, fi_handle handle,
+ 
+ 				if (palette_id == 0x0C) {
+ 					BYTE *cmap = (BYTE*)malloc(768 * sizeof(BYTE));
+-					io->read_proc(cmap, 768, 1, handle);
+ 
+-					pal = FreeImage_GetPalette(dib);
+-					BYTE *pColormap = &cmap[0];
++					if(cmap) {
++						io->read_proc(cmap, 768, 1, handle);
+ 
+-					for(int i = 0; i < 256; i++) {
+-						pal[i].rgbRed   = pColormap[0];
+-						pal[i].rgbGreen = pColormap[1];
+-						pal[i].rgbBlue  = pColormap[2];
+-						pColormap += 3;
++						pal = FreeImage_GetPalette(dib);
++						BYTE *pColormap = &cmap[0];
++
++						for(int i = 0; i < 256; i++) {
++							pal[i].rgbRed   = pColormap[0];
++							pal[i].rgbGreen = pColormap[1];
++							pal[i].rgbBlue  = pColormap[2];
++							pColormap += 3;
++						}
++
++						free(cmap);
+ 					}
+ 
+-					free(cmap);
+ 				}
+ 
+ 				// wrong palette ID, perhaps a gray scale is needed ?
+@@ -466,9 +490,9 @@ Load(FreeImageIO *io, fi_handle handle,
+ 		// calculate the line length for the PCX and the DIB
+ 
+ 		// length of raster line in bytes
+-		unsigned linelength = header.bytes_per_line * header.planes;
++		const unsigned linelength = header.bytes_per_line * header.planes;
+ 		// length of DIB line (rounded to DWORD) in bytes
+-		unsigned pitch = FreeImage_GetPitch(dib);
++		const unsigned pitch = FreeImage_GetPitch(dib);
+ 
+ 		// run-length encoding ?
+ 
diff --git a/graphics/freeimage/files/patch-integer_overflow_ljpeg_start b/graphics/freeimage/files/patch-integer_overflow_ljpeg_start
new file mode 100644
index 000000000000..cac5e55e49e1
--- /dev/null
+++ b/graphics/freeimage/files/patch-integer_overflow_ljpeg_start
@@ -0,0 +1,34 @@
+Description: Fix integer overflow in the ljpeg_start function in dcraw
+Author: Alex Tutubalin <lexa@lexa.ru>
+Bug-Debian: https://bugs.debian.org/786790
+Origin: https://github.com/LibRaw/LibRaw/commit/4606c28f494a750892c5c1ac7903e62dd1c6fdb5
+	https://github.com/rawstudio/rawstudio/commit/983bda1f0fa5fa86884381208274198a620f006e
+Bug: https://security-tracker.debian.org/tracker/CVE-2015-3885
+Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3885
+Reviewed-By: Anton Gladky <gladk@debian.org>
+Last-Update: 2015-10-29
+
+--- freeimage-3.15.4.orig/Source/LibRawLite/dcraw/dcraw.c
++++ Source/LibRawLite/dcraw/dcraw.c
+@@ -768,7 +768,8 @@ struct jhead {
+
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+-  int c, tag, len;
++  int c, tag;
++  ushort len;
+   uchar data[0x10000];
+   const uchar *dp;
+
+--- freeimage-3.15.4.orig/Source/LibRawLite/internal/dcraw_common.cpp
++++ Source/LibRawLite/internal/dcraw_common.cpp
+@@ -630,7 +630,8 @@ void CLASS canon_compressed_load_raw()
+
+ int CLASS ljpeg_start (struct jhead *jh, int info_only)
+ {
+-  int c, tag, len;
++  int c, tag;
++  ushort len;
+   uchar data[0x10000];
+   const uchar *dp;
+
author	Koop Mast <kwm@FreeBSD.org>	2015-12-13 20:26:24 +0000
committer	Koop Mast <kwm@FreeBSD.org>	2015-12-13 20:26:24 +0000
commit	1efaab26442d22a2db9f036dda9cc39ddfb93285 (patch)
tree	0e4b5c0ffef04651b736689ed98c96d022125b5c /graphics
parent	3970d847b034fa562cc2b2157d87670b8d90ad1a (diff)