summary refs log tree commit diff
path: root/gnu/packages/patches/freeimage-CVE-2015-0852.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/freeimage-CVE-2015-0852.patch')
-rw-r--r--gnu/packages/patches/freeimage-CVE-2015-0852.patch129
1 files changed, 0 insertions, 129 deletions
diff --git a/gnu/packages/patches/freeimage-CVE-2015-0852.patch b/gnu/packages/patches/freeimage-CVE-2015-0852.patch
deleted file mode 100644
index 34d538e925..0000000000
--- a/gnu/packages/patches/freeimage-CVE-2015-0852.patch
+++ /dev/null
@@ -1,129 +0,0 @@
-Copied from Debian.
-
-Description: fix integer overflow
-Origin: upstream
- http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?view=patch&r1=1.17&r2=1.18&pathrev=MAIN
- http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?view=patch&r1=1.18&r2=1.19&pathrev=MAIN
-Bug-Debian: https://bugs.debian.org/797165
-Last-Update: 2015-09-14
----
-This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
-Index: freeimage/Source/FreeImage/PluginPCX.cpp
-===================================================================
---- freeimage.orig/Source/FreeImage/PluginPCX.cpp
-+++ freeimage/Source/FreeImage/PluginPCX.cpp
-@@ -347,12 +347,14 @@ Load(FreeImageIO *io, fi_handle handle,
- 
- 	try {
- 		// check PCX identifier
--
--		long start_pos = io->tell_proc(handle);
--		BOOL validated = pcx_validate(io, handle);		
--		io->seek_proc(handle, start_pos, SEEK_SET);
--		if(!validated) {
--			throw FI_MSG_ERROR_MAGIC_NUMBER;
-+		// (note: should have been already validated using FreeImage_GetFileType but check again)
-+		{
-+			long start_pos = io->tell_proc(handle);
-+			BOOL validated = pcx_validate(io, handle);
-+			io->seek_proc(handle, start_pos, SEEK_SET);
-+			if(!validated) {
-+				throw FI_MSG_ERROR_MAGIC_NUMBER;
-+			}
- 		}
- 
- 		// process the header
-@@ -366,20 +368,38 @@ Load(FreeImageIO *io, fi_handle handle,
- 		SwapHeader(&header);
- #endif
- 
--		// allocate a new DIB
-+		// process the window
-+		const WORD *window = header.window;	// left, upper, right,lower pixel coord.
-+		const int left		= window[0];
-+		const int top		= window[1];
-+		const int right		= window[2];
-+		const int bottom	= window[3];
- 
--		unsigned width = header.window[2] - header.window[0] + 1;
--		unsigned height = header.window[3] - header.window[1] + 1;
--		unsigned bitcount = header.bpp * header.planes;
--
--		if (bitcount == 24) {
--			dib = FreeImage_AllocateHeader(header_only, width, height, bitcount, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
--		} else {
--			dib = FreeImage_AllocateHeader(header_only, width, height, bitcount);			
-+		// check image size
-+		if((left >= right) || (top >= bottom)) {
-+			throw FI_MSG_ERROR_PARSING;
- 		}
- 
--		// if the dib couldn't be allocated, throw an error
-+		const unsigned width = right - left + 1;
-+		const unsigned height = bottom - top + 1;
-+		const unsigned bitcount = header.bpp * header.planes;
-+
-+		// allocate a new DIB
-+		switch(bitcount) {
-+			case 1:
-+			case 4:
-+			case 8:
-+				dib = FreeImage_AllocateHeader(header_only, width, height, bitcount);
-+				break;
-+			case 24:
-+				dib = FreeImage_AllocateHeader(header_only, width, height, bitcount, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
-+				break;
-+			default:
-+				throw FI_MSG_ERROR_DIB_MEMORY;
-+				break;
-+		}
- 
-+		// if the dib couldn't be allocated, throw an error
- 		if (!dib) {
- 			throw FI_MSG_ERROR_DIB_MEMORY;
- 		}
-@@ -426,19 +446,23 @@ Load(FreeImageIO *io, fi_handle handle,
- 
- 				if (palette_id == 0x0C) {
- 					BYTE *cmap = (BYTE*)malloc(768 * sizeof(BYTE));
--					io->read_proc(cmap, 768, 1, handle);
- 
--					pal = FreeImage_GetPalette(dib);
--					BYTE *pColormap = &cmap[0];
-+					if(cmap) {
-+						io->read_proc(cmap, 768, 1, handle);
- 
--					for(int i = 0; i < 256; i++) {
--						pal[i].rgbRed   = pColormap[0];
--						pal[i].rgbGreen = pColormap[1];
--						pal[i].rgbBlue  = pColormap[2];
--						pColormap += 3;
-+						pal = FreeImage_GetPalette(dib);
-+						BYTE *pColormap = &cmap[0];
-+
-+						for(int i = 0; i < 256; i++) {
-+							pal[i].rgbRed   = pColormap[0];
-+							pal[i].rgbGreen = pColormap[1];
-+							pal[i].rgbBlue  = pColormap[2];
-+							pColormap += 3;
-+						}
-+
-+						free(cmap);
- 					}
- 
--					free(cmap);
- 				}
- 
- 				// wrong palette ID, perhaps a gray scale is needed ?
-@@ -466,9 +490,9 @@ Load(FreeImageIO *io, fi_handle handle,
- 		// calculate the line length for the PCX and the DIB
- 
- 		// length of raster line in bytes
--		unsigned linelength = header.bytes_per_line * header.planes;
-+		const unsigned linelength = header.bytes_per_line * header.planes;
- 		// length of DIB line (rounded to DWORD) in bytes
--		unsigned pitch = FreeImage_GetPitch(dib);
-+		const unsigned pitch = FreeImage_GetPitch(dib);
- 
- 		// run-length encoding ?
-
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-12-21 06:48:45 +0000