head 1.2; access; symbols pkgsrc-2015Q2:1.1.0.22 pkgsrc-2015Q2-base:1.1 pkgsrc-2015Q1:1.1.0.20 pkgsrc-2015Q1-base:1.1 pkgsrc-2014Q4:1.1.0.18 pkgsrc-2014Q4-base:1.1 pkgsrc-2014Q3:1.1.0.16 pkgsrc-2014Q3-base:1.1 pkgsrc-2014Q2:1.1.0.14 pkgsrc-2014Q2-base:1.1 pkgsrc-2014Q1:1.1.0.12 pkgsrc-2014Q1-base:1.1 pkgsrc-2013Q4:1.1.0.10 pkgsrc-2013Q4-base:1.1 pkgsrc-2013Q3:1.1.0.8 pkgsrc-2013Q3-base:1.1 pkgsrc-2013Q2:1.1.0.6 pkgsrc-2013Q2-base:1.1 pkgsrc-2013Q1:1.1.0.4 pkgsrc-2013Q1-base:1.1 pkgsrc-2012Q4:1.1.0.2 pkgsrc-2012Q4-base:1.1; locks; strict; comment @# @; 1.2 date 2015.08.25.13.25.54; author wiz; state dead; branches; next 1.1; commitid HHyODTwlUrDtyEyy; 1.1 date 2012.11.06.14.03.00; author drochner; state Exp; branches; next ; desc @@ 1.2 log @Update to 0.3.0. Header location and library names changed, so bump API version. No users in pkgsrc (yet). Changes in GEGL 0.3.0 --------------------- • Improvements to thread safety and parallelism. • Lower overhead graph travesal due from rewrite of visitors • OpenCL support now enabled by default when detected. • Experimental multithreading, enable by setting GEGL_THREADS= in the environment. • Experimental mipmap rendering, which permits transparent rendering of previews on smaller sized versions, enable by setting GEGL_MIPMAP_RENDERING=true in the environment. 
• Operations: • new operations: alien-map, antialias, apply-lens, bilateral-filter, bump.map, cartoon, channel-mixer, color-enhance, color-exchange, color-reduction, color-rotate, convolution-matrix, copy-buffer, cubism, deinterlace, diffraction-patterns, distance-transform, displace, edge, emboss, engrave, exposure, fractal-trace, high-pass, image-compare, illusion, invert-gamma, lens-flare, linear, linear-gradient, mosaic, motion-blur-circular, motion-blur-zoom, noise-cell noise-cie-lch, noise-hsv, noise-hurl, noise-pick, noise-rgb, noise-simplex, noise-spread, n-point deformation ops, oilify, panorama-projection, photocopy, plasma, radial-gradient, red-eye-removal, scale-size-keep-aspect, softglow, stretch-contrast, texturize-canvas, tile-glass, tile-seamless, tile-paper, tile, warp, whirl-pinch, wind, cache, cast-format, lcms-from-profile, npy-save, webp-load, webp-save, scale-ratio, scale-size, seamless-clone, sinus, supernova, value-propagate, video-degradation • reimplementation of gaussian-blur faster and more accurate • support for using URIs in image loaders • Buffer: • New default tile backend, doing disk writes in a separate thread. 
@ text @$NetBSD: patch-CVE-2012-4433,v 1.1 2012/11/06 14:03:00 drochner Exp $ see https://bugzilla.redhat.com/show_bug.cgi?id=856300 --- operations/external/ppm-load.c.orig 2012-03-29 20:05:50.000000000 +0000 +++ operations/external/ppm-load.c @@@@ -36,6 +36,7 @@@@ gegl_chant_file_path (path, _("File"), " #include "gegl-chant.h" #include #include +#include typedef enum { PIXMAP_ASCII = 51, @@@@ -44,8 +45,8 @@@@ typedef enum { typedef struct { map_type type; - gint width; - gint height; + glong width; + glong height; gsize numsamples; /* width * height * channels */ gsize bpc; /* bytes per channel */ guchar *data; @@@@ -82,12 +83,33 @@@@ ppm_load_read_header(FILE *fp, } /* Get Width and Height */ - img->width = strtol (header,&ptr,0); - img->height = atoi (ptr); - img->numsamples = img->width * img->height * CHANNEL_COUNT; + errno = 0; + img->width = strtol (header,&ptr,10); + if (errno) + { + g_warning ("Error reading width: %s", strerror(errno)); + return FALSE; + } + else if (img->width < 0) + { + g_warning ("Error: width is negative"); + return FALSE; + } + + img->height = strtol (ptr,&ptr,10); + if (errno) + { + g_warning ("Error reading height: %s", strerror(errno)); + return FALSE; + } + else if (img->width < 0) + { + g_warning ("Error: height is negative"); + return FALSE; + } fgets (header,MAX_CHARS_IN_ROW,fp); - maxval = strtol (header,&ptr,0); + maxval = strtol (header,&ptr,10); if ((maxval != 255) && (maxval != 65535)) { @@@@ -109,6 +131,16 @@@@ ppm_load_read_header(FILE *fp, g_warning ("%s: Programmer stupidity error", G_STRLOC); } + /* Later on, img->numsamples is multiplied with img->bpc to allocate + * memory. Ensure it doesn't overflow. 
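Review bot: The negative-height guard after the second `strtol` call tests `img->width < 0` a second time, so this branch can never report a negative height; it should read `else if (img->height < 0)`. Neither parse checks that any digits were consumed (for the width, `ptr == header` after the call), so a non-numeric field yields 0 with `errno` untouched and is rejected only by the `!img->width || !img->height` test added further down. The return value of `fgets` before the `maxval` parse is also ignored, so on a truncated file `header` still holds the previous line when `strtol` runs. ppm_load_read_header begins and ends outside this hunk.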
*/ + if (!img->width || !img->height || + G_MAXSIZE / img->width / img->height / CHANNEL_COUNT < img->bpc) + { + g_warning ("Illegal width/height: %ld/%ld", img->width, img->height); + return FALSE; + } + img->numsamples = img->width * img->height * CHANNEL_COUNT; + return TRUE; } @@@@ -229,12 +261,24 @@@@ process (GeglOperation *operation, if (!ppm_load_read_header (fp, &img)) goto out; - rect.height = img.height; - rect.width = img.width; - /* Allocating Array Size */ + + /* Should use g_try_malloc(), but this causes crashes elsewhere because the + * error signalled by returning FALSE isn't properly acted upon. Therefore + * g_malloc() is used here which aborts if the requested memory size can't be + * allocated causing a controlled crash. */ img.data = (guchar*) g_malloc (img.numsamples * img.bpc); + /* No-op without g_try_malloc(), see above. */ + if (! img.data) + { + g_warning ("Couldn't allocate %" G_GSIZE_FORMAT " bytes, giving up.", ((gsize)img.numsamples * img.bpc)); + goto out; + } + + rect.height = img.height; + rect.width = img.width; + switch (img.bpc) { case 1: @ 1.1 log @add 2 patches from upstream: 1e92e5235ded0415d555aa86066b8e4041ee5a53 and 4757cdf73d3675478d645a3ec8250ba02168a230 to fix integer overflow, leading to heap-based buffer overflow in the ppm image reader (CVE-2012-4433) bump PKGREV @ text @d1 1 a1 1 $NetBSD$ @
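Review bot: The assignment `img->numsamples = img->width * img->height * CHANNEL_COUNT;` is still evaluated in signed `glong` arithmetic, while the guard above it bounds the product only by `G_MAXSIZE`. When `img->bpc` is 1, a product between `G_MAXLONG` and `G_MAXSIZE` passes the guard and then overflows a signed type, which is undefined behaviour. Converting first keeps the multiplication in the type the guard reasons about: `img->numsamples = (gsize) img->width * img->height * CHANNEL_COUNT;`. The guard also rejects a negative height only because the `glong` is implicitly converted to a very large unsigned divisor; an explicit `img->height < 0` test or a comment such as `/* negative values convert to a huge gsize and fail this test */` would make that dependency visible. The function body starts outside the hunk.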
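Review bot: `rect.height = img.height;` and `rect.width = img.width;` now narrow a `glong` into the rectangle's fields, which are `gint` in GeglRectangle as far as I know (the declaration is not in this hunk, so confirm). On LP64 a dimension above `G_MAXINT` passes the header checks and would be silently truncated, leaving the rectangle out of step with the buffer sized from `img.numsamples`. Rejecting such values in ppm_load_read_header, e.g. `if (img->width > G_MAXINT || img->height > G_MAXINT) return FALSE;`, would also lower the allocation size a file header can request before `g_malloc` aborts the process. process() starts and ends outside the hunk.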