fix CVE-2021-20240 and CVE-2020-29385

2022-07-19 15:25:57 +08:00 · 2022-07-19 15:25:57 +08:00 · 4b7d686954
commit 4b7d686954
parent 04f47f1731
3 changed files with 90 additions and 1 deletions
--- a/backport-CVE-2020-29385.patch
+++ b/backport-CVE-2020-29385.patch
@ -0,0 +1,48 @@
+From 975620255015aa7611fb2d9fbd539de60df4be73 Mon Sep 17 00:00:00 2001
+From: Kou Wenqi <kouwenqi@kylinos.cn>
+Date: Fri, 15 Jul 2022 09:46:33 +0800
+Subject: [PATCH] gif: Fix LZW decoder accepting invalid LZW code.
+
+The code value after a reset wasn't being validated, which means we would
+accept invalid codes. This could cause an infinite loop in the decoder.
+
+Fixes CVE-2020-29385
+
+Fixes https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/164
+---
+ gdk-pixbuf/lzw.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/gdk-pixbuf/lzw.c b/gdk-pixbuf/lzw.c
+index 9e052a6..105daf2 100644
+--- a/gdk-pixbuf/lzw.c
+++ b/gdk-pixbuf/lzw.c
+@@ -195,19 +195,20 @@ lzw_decoder_feed (LZWDecoder *self,
+                                 if (self->last_code != self->clear_code && self->code_table_size < MAX_CODES) {
+                                         if (self->code < self->code_table_size)
+                                                 add_code (self, self->code);
+-                                        else if (self->code == self->code_table_size)
+                                        else
+                                                 add_code (self, self->last_code);
+-                                        else {
+-                                                /* Invalid code received - just stop here */
+-                                                self->last_code = self->eoi_code;
+-                                                return output_length;
+-                                        }
+ 
+                                         /* When table is full increase code size */
+                                         if (self->code_table_size == (1 << self->code_size) && self->code_size < LZW_CODE_MAX)
+                                                 self->code_size++;
+                                 }
+ 
+                                /* Invalid code received - just stop here */
+                                if (self->code >= self->code_table_size) {
+                                        self->last_code = self->eoi_code;
+                                        return output_length;
+                                }
+
+                                 /* Convert codeword into indexes */
+                                 n_written += write_indexes (self, output + n_written, output_length - n_written);
+                         }
+-- 
+2.33.0
--- a/backport-CVE-2021-20240.patch
+++ b/backport-CVE-2021-20240.patch
@ -0,0 +1,35 @@
+From 086e8adf4cc352cd11572f96066b001b545f354e Mon Sep 17 00:00:00 2001
+From: Emmanuele Bassi <ebassi@gnome.org>
+Date: Wed, 1 Apr 2020 18:11:55 +0100
+Subject: [PATCH] Check the memset length argument
+
+Avoid overflows by using the checked multiplication macro for gsize.
+
+Fixes: #132
+---
+ gdk-pixbuf/io-gif-animation.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/gdk-pixbuf/io-gif-animation.c b/gdk-pixbuf/io-gif-animation.c
+index c9db3c66e..49674fd2e 100644
+--- a/gdk-pixbuf/io-gif-animation.c
+++ b/gdk-pixbuf/io-gif-animation.c
+@@ -412,11 +412,15 @@ gdk_pixbuf_gif_anim_iter_get_pixbuf (GdkPixbufAnimationIter *anim_iter)
+ 
+         /* If no rendered frame, render the first frame */
+         if (anim->last_frame == NULL) {
+                gsize len = 0;
+                 if (anim->last_frame_data == NULL)
+                         anim->last_frame_data = gdk_pixbuf_new (GDK_COLORSPACE_RGB, TRUE, 8, anim->width, anim->height);
+                 if (anim->last_frame_data == NULL)
+                         return NULL;
+-                memset (gdk_pixbuf_get_pixels (anim->last_frame_data), 0, gdk_pixbuf_get_rowstride (anim->last_frame_data) * anim->height);
+                if (g_size_checked_mul (&len, gdk_pixbuf_get_rowstride (anim->last_frame_data), anim->height))
+                        memset (gdk_pixbuf_get_pixels (anim->last_frame_data), 0, len);
+                else
+                        return NULL;
+                 composite_frame (anim, g_list_nth_data (anim->frames, 0));
+         }
+ 
+-- 
+GitLab
--- a/gdk-pixbuf2.spec
+++ b/gdk-pixbuf2.spec
@ -1,12 +1,15 @@
 Name:           gdk-pixbuf2
 Version:        2.40.0
-Release:        1
+Release:        2
 Summary:        gdk is a multi-platform toolkit for creating graphical user interfaces.

 License:        LGPLv2+
 URL:            http://www.gtk.org
 Source0:        http://download.gnome.org/sources/gdk-pixbuf/2.40/gdk-pixbuf-%{version}.tar.xz

+Patch0001:	backport-CVE-2021-20240.patch
+Patch0002:	backport-CVE-2020-29385.patch
+
 BuildRequires:  gettext gtk-doc pkgconfig(gio-2.0) >= 2.48.0 libpng-devel libjpeg-devel libtiff-devel shared-mime-info
 BuildRequires:  meson pkgconfig(x11) pkgconfig(gobject-introspection-1.0) >= 0.9.3 gobject-introspection-devel libxslt gdb

@ -95,6 +98,9 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache
 %{_mandir}/man1/gdk-pixbuf-csource.1*

 %changelog
+* Tue Jul 19 2022 zhouwenpei <zhouwenpei@h-partners.com> - 2.40.0-2
+- fix CVE-2021-20240 and CVE-2020-29385
+
 * Mon Jul 20 2020 wangye <wangye70@huawei.com> - 2.40.0-1
 - version update 2.40.0