aboutsummaryrefslogtreecommitdiff
path: root/graphics/xzgv/files/patch-security-1
diff options
context:
space:
mode:
Diffstat (limited to 'graphics/xzgv/files/patch-security-1')
-rw-r--r--graphics/xzgv/files/patch-security-1197
1 files changed, 0 insertions, 197 deletions
diff --git a/graphics/xzgv/files/patch-security-1 b/graphics/xzgv/files/patch-security-1
deleted file mode 100644
index 4beba6fadc89..000000000000
--- a/graphics/xzgv/files/patch-security-1
+++ /dev/null
@@ -1,197 +0,0 @@
-diff -urN xzgv-0.8/ChangeLog xzgv/ChangeLog
---- xzgv-0.8/ChangeLog Tue Sep 16 15:08:42 2003
-+++ ChangeLog Wed Dec 15 03:30:46 2004
-@@ -1,3 +1,13 @@
-+2004-11-03 Russell Marks <russell.marks@ntlworld.com>
-+
-+ * Added width/height limits to all native picture readers. This is
-+ a crude (albeit effective) fix for heap overflow bugs - there may
-+ yet be more subtle problems, but I can't really fix them until I
-+ know they're there. :-) Thanks to Luke Macken for letting me know
-+ about the heap overflow problems (in zgv). I suppose I should also
-+ thank "infamous41md" for publishing the original advisory/exploit
-+ (again for zgv), even if he didn't bother emailing me or anything.
-+
- 2003-09-16 Russell Marks <russell.marks@ntlworld.com>
-
- * Version 0.8.
-diff -urN xzgv-0.8/src/Makefile xzgv/src/Makefile
---- xzgv-0.8/src/Makefile Tue Jan 1 05:37:45 2002
-+++ src/Makefile Wed Dec 15 03:30:46 2004
-@@ -84,18 +84,19 @@
- logo.o: logo.c logodata.h
- logoconv.o: logoconv.c
- main.o: main.c backend.h readmrf.h readgif.h readpng.h readjpeg.h \
-- readtiff.h resizepic.h rcfile.h filedetails.h gotodir.h updatetn.h \
-- confirm.h misc.h copymove.h rename.h help.h dir_icon.xpm \
-+ readtiff.h readprf.h resizepic.h rcfile.h filedetails.h gotodir.h \
-+ updatetn.h confirm.h misc.h copymove.h rename.h help.h dir_icon.xpm \
- dir_icon_small.xpm file_icon.xpm file_icon_small.xpm logo.h \
- icon-48.xpm main.h
- misc.o: misc.c misc.h
- rcfile.o: rcfile.c getopt.h rcfile.h rcfile_opt.h rcfile_var.h \
- rcfile_short.h
--readgif.o: readgif.c readgif.h
--readjpeg.o: readjpeg.c rcfile.h readjpeg.h
--readmrf.o: readmrf.c readmrf.h
-+readgif.o: readgif.c reader.h readgif.h
-+readjpeg.o: readjpeg.c rcfile.h reader.h readjpeg.h
-+readmrf.o: readmrf.c reader.h readmrf.h
- readpng.o: readpng.c readpng.h
--readtiff.o: readtiff.c readtiff.h
-+readprf.o: readprf.c reader.h readprf.h
-+readtiff.o: readtiff.c reader.h readtiff.h
- rename.o: rename.c backend.h main.h rename.h
- resizepic.o: resizepic.c resizepic.h
- updatetn.o: updatetn.c backend.h main.h rcfile.h dither.h resizepic.h \
-diff -urN xzgv-0.8/src/reader.h xzgv/src/reader.h
---- xzgv-0.8/src/reader.h Thu Jan 1 01:00:00 1970
-+++ src/reader.h Wed Dec 15 03:30:46 2004
-@@ -0,0 +1,15 @@
-+/* xzgv 0.8 - picture viewer for X, with file selector.
-+ * Copyright (C) 1999-2004 Russell Marks. See main.c for license details.
-+ *
-+ * reader.h
-+ */
-+
-+/* range check on width and height as a crude way of avoiding overflows
-+ * when calling malloc/calloc. 32767 is the obvious limit to use given that
-+ * xzgv effectively imposes such a limit anyway.
-+ * Adds an extra 2 to height for max-height check, partly to reflect what
-+ * the check in zgv does but also to allow for readtiff.c allocating an
-+ * extra line (so at least an extra 1 would have been needed in any case).
-+ */
-+#define WH_MAX 32767
-+#define WH_BAD(w,h) ((w)<=0 || (w)>WH_MAX || (h)<=0 || ((h)+2)>WH_MAX)
-diff -urN xzgv-0.8/src/readgif.c xzgv/src/readgif.c
---- xzgv-0.8/src/readgif.c Sun Mar 3 04:34:32 2002
-+++ src/readgif.c Wed Dec 15 03:30:46 2004
-@@ -8,6 +8,7 @@
- #include <string.h>
- #include <unistd.h>
- #include <stdlib.h>
-+#include "reader.h"
- #include "readgif.h"
-
-
-@@ -103,7 +104,7 @@
-
- if(local_colour_map) readcolmap(in);
-
-- if((image=malloc(width*height*3))==NULL)
-+ if(WH_BAD(width,height) || (image=malloc(width*height*3))==NULL)
- {
- fclose(in);
- return(0);
-diff -urN xzgv-0.8/src/readjpeg.c xzgv/src/readjpeg.c
---- xzgv-0.8/src/readjpeg.c Tue Sep 16 12:52:04 2003
-+++ src/readjpeg.c Wed Dec 15 03:30:46 2004
-@@ -13,6 +13,7 @@
- #include <jpeglib.h>
-
- #include "rcfile.h"
-+#include "reader.h"
-
- #include "readjpeg.h"
-
-@@ -265,7 +266,7 @@
- /* this one shouldn't hurt */
- cinfo.do_block_smoothing=FALSE;
-
--if((*imagep=image=malloc(width*height*3))==NULL)
-+if(WH_BAD(width,height) || (*imagep=image=malloc(width*height*3))==NULL)
- longjmp(jerr.setjmp_buffer,1);
-
- jpeg_start_decompress(&cinfo);
-diff -urN xzgv-0.8/src/readmrf.c xzgv/src/readmrf.c
---- xzgv-0.8/src/readmrf.c Sat Oct 7 14:26:55 2000
-+++ src/readmrf.c Wed Dec 15 03:30:46 2004
-@@ -7,6 +7,7 @@
- #include <stdio.h>
- #include <string.h>
- #include <stdlib.h>
-+#include "reader.h"
- #include "readmrf.h"
-
-
-@@ -91,7 +92,8 @@
- w64=(w+63)/64;
- h64=(h+63)/64;
-
--if((*bmap=malloc(w*h*3))==NULL ||
-+if(WH_BAD(w64*64,h64*64) || WH_BAD(w,h) ||
-+ (*bmap=malloc(w*h*3))==NULL ||
- (image=calloc(w64*h64*64*64,1))==NULL)
- {
- if(*bmap) free(*bmap),*bmap=NULL;
-diff -urN xzgv-0.8/src/readpng.c xzgv/src/readpng.c
---- xzgv-0.8/src/readpng.c Thu Jul 10 16:13:43 2003
-+++ src/readpng.c Wed Dec 15 03:32:46 2004
-@@ -16,6 +16,7 @@
- #include <stdlib.h>
- #include <png.h>
- #include <setjmp.h> /* after png.h to avoid horrible thing in pngconf.h */
-+#include "reader.h"
- #include "readpng.h"
-
-
-@@ -129,7 +130,8 @@
- }
-
- /* allocate image memory */
--if((*theimageptr=theimage=malloc(width*height*3))==NULL)
-+if(WH_BAD(width,height) ||
-+ (*theimageptr=theimage=malloc(width*height*3))==NULL)
- {
- png_read_end(png_ptr,info_ptr);
- png_destroy_read_struct(&png_ptr,&info_ptr,NULL);
-diff -urN xzgv-0.8/src/readprf.c xzgv/src/readprf.c
---- xzgv-0.8/src/readprf.c Mon Apr 9 19:08:19 2001
-+++ src/readprf.c Wed Dec 15 03:30:46 2004
-@@ -7,6 +7,7 @@
- #include <stdio.h>
- #include <string.h>
- #include <stdlib.h>
-+#include "reader.h"
- #include "readprf.h"
-
- #define squaresize 64
-@@ -164,7 +165,7 @@
- bytepp=1;
-
- n=width*squaresize;
--if((planebuf[0]=calloc(n,planes))==NULL)
-+if(WH_BAD(width,height) || (planebuf[0]=calloc(n,planes))==NULL)
- {
- fclose(in);
- return(0);
-@@ -173,6 +174,7 @@
- for(f=1;f<planes;f++)
- planebuf[f]=planebuf[f-1]+n;
-
-+/* width/height already checked above */
- if((*theimageptr=malloc(width*height*3))==NULL)
- {
- free(planebuf[0]);
-diff -urN xzgv-0.8/src/readtiff.c xzgv/src/readtiff.c
---- xzgv-0.8/src/readtiff.c Thu Dec 28 03:20:55 2000
-+++ src/readtiff.c Wed Dec 15 03:30:46 2004
-@@ -11,7 +11,7 @@
- #include <setjmp.h>
- #include <sys/file.h> /* for open et al */
- #include <tiffio.h>
--
-+#include "reader.h"
- #include "readtiff.h"
-
-
-@@ -36,7 +36,8 @@
- * spare for the flip afterwards.
- */
- numpix=width*height;
--if((image=malloc(numpix*sizeof(uint32)+width*3))==NULL)
-+if(WH_BAD(width,height) ||
-+ (image=malloc(numpix*sizeof(uint32)+width*3))==NULL)
- {
- TIFFClose(in);
- return(0);
generated by cgit v1.2.3 (git 2.25.1) at 2024-10-15 17:23:16 +0000