packages/gdk-pixbuf2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:04f47f173131365837bda3def572b3a6991c9cf6
Branches Tags
packages:main
...
compare: packages:1096c4133a2e515b56e23be80989a6472c32a99f
Branches Tags
packages:main

10 Commits
04f47f1731 ... 1096c4133a

Author SHA1 Message Date
openeuler-ci-bot
1096c4133a
!56 fix CVE-2022-48622 
From: @zppzhangpan 
Reviewed-by: @open-bot 
Signed-off-by: @open-bot
 2024-09-14 01:20:09 +00:00
zhangpan
cea7e567c3 fix CVE-2022-48622 2024-09-13 11:11:23 +00:00
openeuler-ci-bot
c12f505ae5
!40 fix CVE-2021-44648 
From: @zppzhangpan 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng
 2023-06-25 09:01:38 +00:00
zhangpan
87eaf1e727 fix CVE-2021-44648 2023-06-20 11:30:21 +00:00
openeuler-ci-bot
c583d65907
!35 enable test 
From: @zppzhangpan 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng
 2023-03-17 08:33:57 +00:00
zhangpan
ef0c301aaf enable test 2023-03-17 07:58:44 +00:00
openeuler-ci-bot
0775867309
!24 fix CVE-2021-46829 
From: @kerongw 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng
 2022-08-25 08:30:11 +00:00
wangkerong
88f20277f5 fix CVE-2021-46829 2022-08-25 15:52:35 +08:00
openeuler-ci-bot
911e0704e0
!22 fix CVE-2021-20240 and CVE-2020-29385 
From: @zhouwenpei 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng
 2022-07-19 09:42:36 +00:00
zhouwenpei
4b7d686954 fix CVE-2021-20240 and CVE-2020-29385 2022-07-19 15:25:57 +08:00
7 changed files with 326 additions and 1 deletions
Show Stats Expand all files Collapse all files

48
backport-CVE-2020-29385.patch Normal file
View File

@ -0,0 +1,48 @@
From 975620255015aa7611fb2d9fbd539de60df4be73 Mon Sep 17 00:00:00 2001
From: Kou Wenqi <kouwenqi@kylinos.cn>
Date: Fri, 15 Jul 2022 09:46:33 +0800
Subject: [PATCH] gif: Fix LZW decoder accepting invalid LZW code.
The code value after a reset wasn't being validated, which means we would
accept invalid codes. This could cause an infinite loop in the decoder.
Fixes CVE-2020-29385
Fixes https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/164
---
gdk-pixbuf/lzw.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/gdk-pixbuf/lzw.c b/gdk-pixbuf/lzw.c
index 9e052a6..105daf2 100644
--- a/gdk-pixbuf/lzw.c
+++ b/gdk-pixbuf/lzw.c
@@ -195,19 +195,20 @@ lzw_decoder_feed (LZWDecoder *self,
if (self->last_code != self->clear_code && self->code_table_size < MAX_CODES) {
if (self->code < self->code_table_size)
add_code (self, self->code);
- else if (self->code == self->code_table_size)
+ else
add_code (self, self->last_code);
- else {
- /* Invalid code received - just stop here */
- self->last_code = self->eoi_code;
- return output_length;
- }
/* When table is full increase code size */
if (self->code_table_size == (1 << self->code_size) && self->code_size < LZW_CODE_MAX)
self->code_size++;
}
+ /* Invalid code received - just stop here */
+ if (self->code >= self->code_table_size) {
+ self->last_code = self->eoi_code;
+ return output_length;
+ }
+
/* Convert codeword into indexes */
n_written += write_indexes (self, output + n_written, output_length - n_written);
}
--
2.33.0

35
backport-CVE-2021-20240.patch Normal file
View File

@ -0,0 +1,35 @@
From 086e8adf4cc352cd11572f96066b001b545f354e Mon Sep 17 00:00:00 2001
From: Emmanuele Bassi <ebassi@gnome.org>
Date: Wed, 1 Apr 2020 18:11:55 +0100
Subject: [PATCH] Check the memset length argument
Avoid overflows by using the checked multiplication macro for gsize.
Fixes: #132
---
gdk-pixbuf/io-gif-animation.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/gdk-pixbuf/io-gif-animation.c b/gdk-pixbuf/io-gif-animation.c
index c9db3c66e..49674fd2e 100644
--- a/gdk-pixbuf/io-gif-animation.c
+++ b/gdk-pixbuf/io-gif-animation.c
@@ -412,11 +412,15 @@ gdk_pixbuf_gif_anim_iter_get_pixbuf (GdkPixbufAnimationIter *anim_iter)
/* If no rendered frame, render the first frame */
if (anim->last_frame == NULL) {
+ gsize len = 0;
if (anim->last_frame_data == NULL)
anim->last_frame_data = gdk_pixbuf_new (GDK_COLORSPACE_RGB, TRUE, 8, anim->width, anim->height);
if (anim->last_frame_data == NULL)
return NULL;
- memset (gdk_pixbuf_get_pixels (anim->last_frame_data), 0, gdk_pixbuf_get_rowstride (anim->last_frame_data) * anim->height);
+ if (g_size_checked_mul (&len, gdk_pixbuf_get_rowstride (anim->last_frame_data), anim->height))
+ memset (gdk_pixbuf_get_pixels (anim->last_frame_data), 0, len);
+ else
+ return NULL;
composite_frame (anim, g_list_nth_data (anim->frames, 0));
}
--
GitLab

40
backport-CVE-2021-44648.patch Normal file
View File

@ -0,0 +1,40 @@
From 19ebba03117aefc9d0312f675f3a210ffdcc4907 Mon Sep 17 00:00:00 2001
From: Robert Ancell <Robert Ancell @robert.ancell>
Date: Tue, 24 May 2022 14:36:15 +0800
Subject: [PATCH] Fix overflow when reading GIF images with invalid LZW initial code size.
Conflict:NA
Reference:https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/130/diffs?commit_id=19ebba03117aefc9d0312f675f3a210ffdcc4907
---
gdk-pixbuf/io-gif.c | 2 +-
gdk-pixbuf/lzw.c | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
index 1befba1..3d2a7a9 100644
--- a/gdk-pixbuf/io-gif.c
+++ b/gdk-pixbuf/io-gif.c
@@ -500,7 +500,7 @@ gif_prepare_lzw (GifContext *context)
return -1;
}
- if (context->lzw_set_code_size > 12) {
+ if (context->lzw_set_code_size >= 12) {
g_set_error_literal (context->error,
GDK_PIXBUF_ERROR,
GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
diff --git a/gdk-pixbuf/lzw.c b/gdk-pixbuf/lzw.c
index 105daf2..f3fae17 100644
--- a/gdk-pixbuf/lzw.c
+++ b/gdk-pixbuf/lzw.c
@@ -121,6 +121,8 @@ lzw_decoder_new (guint8 code_size)
LZWDecoder *self;
int i;
+ g_return_val_if_fail (code_size <= LZW_CODE_MAX, NULL);
+
self = g_object_new (lzw_decoder_get_type (), NULL);
self->min_code_size = code_size;
--
2.27.0

61
backport-CVE-2021-46829.patch Normal file
View File

@ -0,0 +1,61 @@
From 6976bdc8ee9dd2c2954f91066f7b0f643769a379 Mon Sep 17 00:00:00 2001
From: Robert Ancell <robert.ancell@canonical.com>
Date: Thu, 3 Jun 2021 11:05:56 +1200
Subject: [PATCH] gif: Check for overflow when compositing or clearing frames.
Fixes: #190
Similar to fix in 086e8adf4cc352cd11572f96066b001b545f354e
---
gdk-pixbuf/io-gif-animation.c | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/gdk-pixbuf/io-gif-animation.c b/gdk-pixbuf/io-gif-animation.c
index 8335cdd76..71d9265e6 100644
--- a/gdk-pixbuf/io-gif-animation.c
+++ b/gdk-pixbuf/io-gif-animation.c
@@ -369,7 +369,7 @@ composite_frame (GdkPixbufGifAnim *anim, GdkPixbufFrame *frame)
for (i = 0; i < n_indexes; i++) {
guint8 index = index_buffer[i];
guint x, y;
- int offset;
+ gsize offset;
if (index == frame->transparent_index)
continue;
@@ -379,11 +379,13 @@ composite_frame (GdkPixbufGifAnim *anim, GdkPixbufFrame *frame)
if (x >= anim->width || y >= anim->height)
continue;
- offset = y * gdk_pixbuf_get_rowstride (anim->last_frame_data) + x * 4;
- pixels[offset + 0] = frame->color_map[index * 3 + 0];
- pixels[offset + 1] = frame->color_map[index * 3 + 1];
- pixels[offset + 2] = frame->color_map[index * 3 + 2];
- pixels[offset + 3] = 255;
+ if (g_size_checked_mul (&offset, gdk_pixbuf_get_rowstride (anim->last_frame_data), y) &&
+ g_size_checked_add (&offset, offset, x * 4)) {
+ pixels[offset + 0] = frame->color_map[index * 3 + 0];
+ pixels[offset + 1] = frame->color_map[index * 3 + 1];
+ pixels[offset + 2] = frame->color_map[index * 3 + 2];
+ pixels[offset + 3] = 255;
+ }
}
out:
@@ -448,8 +450,11 @@ gdk_pixbuf_gif_anim_iter_get_pixbuf (GdkPixbufAnimationIter *anim_iter)
x_end = MIN (anim->last_frame->x_offset + anim->last_frame->width, anim->width);
y_end = MIN (anim->last_frame->y_offset + anim->last_frame->height, anim->height);
for (y = anim->last_frame->y_offset; y < y_end; y++) {
- guchar *line = pixels + y * gdk_pixbuf_get_rowstride (anim->last_frame_data) + anim->last_frame->x_offset * 4;
- memset (line, 0, (x_end - anim->last_frame->x_offset) * 4);
+ gsize offset;
+ if (g_size_checked_mul (&offset, gdk_pixbuf_get_rowstride (anim->last_frame_data), y) &&
+ g_size_checked_add (&offset, offset, anim->last_frame->x_offset * 4)) {
+ memset (pixels + offset, 0, (x_end - anim->last_frame->x_offset) * 4);
+ }
}
break;
case GDK_PIXBUF_FRAME_REVERT:
--
GitLab

113
backport-CVE-2022-48622.patch Normal file
View File

@ -0,0 +1,113 @@
From 00c071dd11f723ca608608eef45cb1aa98da89cc Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert <bgilbert@backtick.net>
Date: Tue, 30 Apr 2024 07:26:54 -0500
Subject: [PATCH 1/3] ANI: Reject files with multiple anih chunks
An anih chunk causes us to initialize a bunch of state, which we only
expect to do once per file.
Fixes: #202
Fixes: CVE-2022-48622
---
gdk-pixbuf/io-ani.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
index c6c4642cf4..a78ea7ace4 100644
--- a/gdk-pixbuf/io-ani.c
+++ b/gdk-pixbuf/io-ani.c
@@ -295,6 +295,15 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
if (context->chunk_id == TAG_anih)
{
+ if (context->animation)
+ {
+ g_set_error_literal (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Invalid header in animation"));
+ return FALSE;
+ }
+
context->HeaderSize = read_int32 (context);
context->NumFrames = read_int32 (context);
context->NumSteps = read_int32 (context);
--
GitLab
From d52134373594ff76614fb415125b0d1c723ddd56 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert <bgilbert@backtick.net>
Date: Tue, 30 Apr 2024 07:13:37 -0500
Subject: [PATCH 2/3] ANI: Reject files with multiple INAM or IART chunks
There should be at most one chunk each. These would cause memory leaks
otherwise.
---
gdk-pixbuf/io-ani.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
index a78ea7ace4..8e8414117c 100644
--- a/gdk-pixbuf/io-ani.c
+++ b/gdk-pixbuf/io-ani.c
@@ -445,7 +445,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
}
else if (context->chunk_id == TAG_INAM)
{
- if (!context->animation)
+ if (!context->animation || context->title)
{
g_set_error_literal (error,
GDK_PIXBUF_ERROR,
@@ -472,7 +472,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
}
else if (context->chunk_id == TAG_IART)
{
- if (!context->animation)
+ if (!context->animation || context->author)
{
g_set_error_literal (error,
GDK_PIXBUF_ERROR,
--
GitLab
From 91b8aa5cd8a0eea28acb51f0e121827ca2e7eb78 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert <bgilbert@backtick.net>
Date: Tue, 30 Apr 2024 08:17:25 -0500
Subject: [PATCH 3/3] ANI: Validate anih chunk size
Before reading a chunk, we verify that enough bytes are available to match
the chunk size declared by the file. However, uniquely, the anih chunk
loader doesn't verify that this size matches the number of bytes it
actually intends to read. Thus, if the chunk size is too small and the
file ends in the middle of the chunk, we populate some context fields with
stack garbage. (But we'd still fail later on because the file doesn't
contain any images.) Fix this.
---
gdk-pixbuf/io-ani.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
index 8e8414117c..cfafd7b196 100644
--- a/gdk-pixbuf/io-ani.c
+++ b/gdk-pixbuf/io-ani.c
@@ -295,6 +295,14 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
if (context->chunk_id == TAG_anih)
{
+ if (context->chunk_size < 36)
+ {
+ g_set_error_literal (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Malformed chunk in animation"));
+ return FALSE;
+ }
if (context->animation)
{
g_set_error_literal (error,
--
GitLab

30
gdk-pixbuf2.spec
View File

@ -1,11 +1,18 @@
Name: gdk-pixbuf2
Version: 2.40.0
Release: 1
Release: 6
Summary: gdk is a multi-platform toolkit for creating graphical user interfaces.
License: LGPLv2+
URL: http://www.gtk.org
Source0: http://download.gnome.org/sources/gdk-pixbuf/2.40/gdk-pixbuf-%{version}.tar.xz
Source1: invalid-colors.gif
Patch0001: backport-CVE-2021-20240.patch
Patch0002: backport-CVE-2020-29385.patch
Patch0003: backport-CVE-2021-46829.patch
Patch0004: backport-CVE-2021-44648.patch
Patch0005: backport-CVE-2022-48622.patch
BuildRequires: gettext gtk-doc pkgconfig(gio-2.0) >= 2.48.0 libpng-devel libjpeg-devel libtiff-devel shared-mime-info
BuildRequires: meson pkgconfig(x11) pkgconfig(gobject-introspection-1.0) >= 0.9.3 gobject-introspection-devel libxslt gdb
@ -42,13 +49,19 @@ developing applications that uses gdk-pixbuf2 xlib and test.
%prep
%autosetup -n gdk-pixbuf-%{version} -p1
cp %{SOURCE1} ./tests/test-images/gif-test-suite/invalid-colors.gif
%build
# remove bug793470-crasher.png to resolve pixbuf-fail use case failure
rm -rf tests/test-images/fail/bug793470-crasher.png
%meson -Dbuiltin_loaders=png -Ddocs=true
%global _smp_mflags -j1
%meson_build
%check
%meson_test
%install
%meson_install
@ -95,6 +108,21 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache
%{_mandir}/man1/gdk-pixbuf-csource.1*
%changelog
* Fri Sep 13 2024 zhangpan <zhangpan103@h-partners.com> - 2.40.0-6
- fix CVE-2022-48622
* Tue Jun 20 2023 zhangpan <zhangpan103@h-partners.com> - 2.40.0-5
- fix CVE-2021-44648
* Fri Mar 17 2023 zhangpan <zhangpan103@h-partners.com> - 2.40.0-4
- enable test
* Thu Aug 25 2022 wangkerong <wangkerong@h-partners.com> - 2.40.0-3
- fix CVE-2021-46829
* Tue Jul 19 2022 zhouwenpei <zhouwenpei@h-partners.com> - 2.40.0-2
- fix CVE-2021-20240 and CVE-2020-29385
* Mon Jul 20 2020 wangye <wangye70@huawei.com> - 2.40.0-1
- version update 2.40.0

BIN
invalid-colors.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 35 B