head 1.2; access; symbols pkgsrc-2015Q3:1.1.0.48 pkgsrc-2015Q3-base:1.1 pkgsrc-2015Q2:1.1.0.46 pkgsrc-2015Q2-base:1.1 pkgsrc-2015Q1:1.1.0.44 pkgsrc-2015Q1-base:1.1 pkgsrc-2014Q4:1.1.0.42 pkgsrc-2014Q4-base:1.1 pkgsrc-2014Q3:1.1.0.40 pkgsrc-2014Q3-base:1.1 pkgsrc-2014Q2:1.1.0.38 pkgsrc-2014Q2-base:1.1 pkgsrc-2014Q1:1.1.0.36 pkgsrc-2014Q1-base:1.1 pkgsrc-2013Q4:1.1.0.34 pkgsrc-2013Q4-base:1.1 pkgsrc-2013Q3:1.1.0.32 pkgsrc-2013Q3-base:1.1 pkgsrc-2013Q2:1.1.0.30 pkgsrc-2013Q2-base:1.1 pkgsrc-2013Q1:1.1.0.28 pkgsrc-2013Q1-base:1.1 pkgsrc-2012Q4:1.1.0.26 pkgsrc-2012Q4-base:1.1 pkgsrc-2012Q3:1.1.0.24 pkgsrc-2012Q3-base:1.1 pkgsrc-2012Q2:1.1.0.22 pkgsrc-2012Q2-base:1.1 pkgsrc-2012Q1:1.1.0.20 pkgsrc-2012Q1-base:1.1 pkgsrc-2011Q4:1.1.0.18 pkgsrc-2011Q4-base:1.1 pkgsrc-2011Q3:1.1.0.16 pkgsrc-2011Q3-base:1.1 pkgsrc-2011Q2:1.1.0.14 pkgsrc-2011Q2-base:1.1 pkgsrc-2011Q1:1.1.0.12 pkgsrc-2011Q1-base:1.1 pkgsrc-2010Q4:1.1.0.10 pkgsrc-2010Q4-base:1.1 pkgsrc-2010Q3:1.1.0.8 pkgsrc-2010Q3-base:1.1 pkgsrc-2010Q2:1.1.0.6 pkgsrc-2010Q2-base:1.1 pkgsrc-2010Q1:1.1.0.4 pkgsrc-2010Q1-base:1.1 pkgsrc-2009Q4:1.1.0.2; locks; strict; comment @# @; 1.2 date 2015.10.24.19.14.16; author joerg; state dead; branches; next 1.1; commitid MGizk3NMP7tIyoGy; 1.1 date 2010.02.16.17.33.39; author taca; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2010.02.16.17.33.39; author spz; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2010.02.28.13.15.02; author spz; state Exp; branches; next ; desc @@ 1.2 log @Retire wxGTK24. @ text @$NetBSD: patch-ap,v 1.1 2010/02/16 17:33:39 taca Exp $ deal with CVE-2009-2369. 
--- src/common/imagtiff.cpp.orig 2003-09-21 11:31:39.000000000 +0000
+++ src/common/imagtiff.cpp
@@@@ -188,15 +188,25 @@@@ bool wxTIFFHandler::LoadFile( wxImage *i
 }
 uint32 w, h;
- uint32 npixels;
 uint32 *raster;
 TIFFGetField( tif, TIFFTAG_IMAGEWIDTH, &w );
 TIFFGetField( tif, TIFFTAG_IMAGELENGTH, &h );
- npixels = w * h;
+ // guard against integer overflow during multiplication which could result
+ // in allocating a too small buffer and then overflowing it
+ const double bytesNeeded = (double)w * (double)h * sizeof(uint32);
+ if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ )
+ {
+ if ( verbose )
+ wxLogError( _("TIFF: Image size is abnormally big.") );
+
+ TIFFClose(tif);
+
+ return false;
+ }
- raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) );
+ raster = (uint32*) _TIFFmalloc( bytesNeeded );
 if (!raster)
 {
@ 1.1 log @Add patches for CVE-2009-2625 and CVE-2009-2369. Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-ap was added on branch pkgsrc-2009Q4 on 2010-02-28 13:15:02 +0000 @ text @d1 35 @ 1.1.2.2 log @Pullup ticket 3027 - requested by taca security patch Revisions pulled up: - pkgsrc/x11/wxGTK24/Makefile 1.11 - pkgsrc/x11/wxGTK24/distinfo 1.10 Files added: pkgsrc/x11/wxGTK24/patches/patch-am pkgsrc/x11/wxGTK24/patches/patch-an pkgsrc/x11/wxGTK24/patches/patch-ao pkgsrc/x11/wxGTK24/patches/patch-ap -------------------------------------------------------------------- Module Name: pkgsrc Committed By: taca Date: Tue Feb 16 17:33:39 UTC 2010 Modified Files: pkgsrc/x11/wxGTK24: Makefile distinfo Added Files: pkgsrc/x11/wxGTK24/patches: patch-am patch-an patch-ao patch-ap Log Message: Add patches for CVE-2009-2625 and CVE-2009-2369. Bump PKGREVISION. 
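Review bot: The new bound in `LoadFile` compares `bytesNeeded` with UINT32_MAX, but the value is then handed to `_TIFFmalloc` as a `double`, and libtiff's allocator takes a signed size type (`tsize_t`); where that type is 32 bits wide, a request between 2^31 and 2^32 bytes passes the check and the implicit conversion is out of range. Keeping the arithmetic in integers and bounding against the allocator's own maximum removes both the float round-trip and the silent conversion, for example rejecting when `h != 0 && w > (0x7FFFFFFF / sizeof(uint32)) / h` and then calling `_TIFFmalloc( (tsize_t)(w * h * sizeof(uint32)) )`. The return values of the two `TIFFGetField` calls are not checked in the visible context, so `w` and `h` may be uninitialised when a tag is absent, and a zero width or height yields a zero-byte request; both should be confirmed against the rest of the function, which starts and ends outside this hunk. The identical hunk is stored again in the 1.1.2.2 branch text later in this file, and the same points apply there.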
To generate a diff of this commit: cvs rdiff -u -r1.10 -r1.11 pkgsrc/x11/wxGTK24/Makefile cvs rdiff -u -r1.9 -r1.10 pkgsrc/x11/wxGTK24/distinfo cvs rdiff -u -r0 -r1.1 pkgsrc/x11/wxGTK24/patches/patch-am \ pkgsrc/x11/wxGTK24/patches/patch-an pkgsrc/x11/wxGTK24/patches/patch-ao \ pkgsrc/x11/wxGTK24/patches/patch-ap @ text @a0 35 $NetBSD: patch-ap,v 1.1 2010/02/16 17:33:39 taca Exp $ deal with CVE-2009-2369.
--- src/common/imagtiff.cpp.orig 2003-09-21 11:31:39.000000000 +0000
+++ src/common/imagtiff.cpp
@@@@ -188,15 +188,25 @@@@ bool wxTIFFHandler::LoadFile( wxImage *i
 }
 uint32 w, h;
- uint32 npixels;
 uint32 *raster;
 TIFFGetField( tif, TIFFTAG_IMAGEWIDTH, &w );
 TIFFGetField( tif, TIFFTAG_IMAGELENGTH, &h );
- npixels = w * h;
+ // guard against integer overflow during multiplication which could result
+ // in allocating a too small buffer and then overflowing it
+ const double bytesNeeded = (double)w * (double)h * sizeof(uint32);
+ if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ )
+ {
+ if ( verbose )
+ wxLogError( _("TIFF: Image size is abnormally big.") );
+
+ TIFFClose(tif);
+
+ return false;
+ }
- raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) );
+ raster = (uint32*) _TIFFmalloc( bytesNeeded );
 if (!raster)
 {
@