# HG changeset patch # User Pascal Bellard # Date 1647184408 0 # Node ID aba2c5ca9a669ed7674d40297d241974debfe00f # Parent 52649f27a0dae66ebbab4bf031da3484291df1fd advancecomp: CVE-2019-8383 & CVE-2019-9210 diff -r 52649f27a0da -r aba2c5ca9a66 abiword/receipt --- a/abiword/receipt Sun Mar 13 12:06:14 2022 +0000 +++ b/abiword/receipt Sun Mar 13 15:13:28 2022 +0000 @@ -25,10 +25,9 @@ current_version() { wget -O - http://www.abisource.com/downloads/abiword/ 2>/dev/null | \ - sed "/latest/d;/\[DIR/!d;s|.*href=.\\([0-9\.]*\\)/.*|http://www.abisource.com/downloads/abiword/\\1/source/|" | sort -Vr | sed q > /tmp/url$$ - cat /tmp/url$$ | xargs wget -O - 2>/dev/null | \ + sed "/latest/d;/\[DIR/!d;s|.*href=.\\([0-9\.]*\\)/.*|http://www.abisource.com/downloads/abiword/\\1/source/|" | \ + sort -Vr | sed q | xargs wget -O - 2>/dev/null | \ sed "/latest/d;/$PACKAGE-/!d;/tar/!d;s|.*$PACKAGE-\\(.*\\).tar.*\".*|\\1|" | sort -Vr | sed q - rm -f /tmp/url$$ } # Rules to configure and make the package. diff -r 52649f27a0da -r aba2c5ca9a66 advancecomp/receipt --- a/advancecomp/receipt Sun Mar 13 12:06:14 2022 +0000 +++ b/advancecomp/receipt Sun Mar 13 15:13:28 2022 +0000 @@ -23,7 +23,9 @@ # Rules to configure and make the package. compile_rules() { - patch -p1 -i $stuff/advancecomp.patch + for patch in $stuff/*.patch ; do + patch -p1 -i $patch + done ./autogen.sh && ./configure $CONFIGURE_ARGS && make && make install diff -r 52649f27a0da -r aba2c5ca9a66 advancecomp/stuff/CVE-2019-8383.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/advancecomp/stuff/CVE-2019-8383.patch Sun Mar 13 15:13:28 2022 +0000 @@ -0,0 +1,44 @@ +commit 78a56b21340157775be2462a19276b4d31d2bd01 +Author: Andrea Mazzoleni +Date: Fri Jan 4 20:49:25 2019 +0100 + + Fix a buffer overflow caused by invalid images + +diff --git a/lib/png.c b/lib/png.c +index 0939a5a..cbf140b 100644 +--- a/lib/png.c ++++ b/lib/png.c +@@ -603,6 +603,7 @@ adv_error adv_png_read_ihdr( + unsigned pixel; + unsigned width; + unsigned width_align; ++ unsigned scanline; + unsigned height; + unsigned depth; + int r; +@@ -719,9 +720,23 @@ adv_error adv_png_read_ihdr( + goto err_ptr; + } + +- *dat_size = height * (width_align * pixel + 1); ++ /* check for overflow */ ++ if (pixel == 0 || width_align >= UINT_MAX / pixel) { ++ error_set("Invalid image size"); ++ goto err_ptr; ++ } ++ ++ scanline = width_align * pixel + 1; ++ ++ /* check for overflow */ ++ if (scanline == 0 || height >= UINT_MAX / scanline) { ++ error_set("Invalid image size"); ++ goto err_ptr; ++ } ++ ++ *dat_size = height * scanline; + *dat_ptr = malloc(*dat_size); +- *pix_scanline = width_align * pixel + 1; ++ *pix_scanline = scanline; + *pix_ptr = *dat_ptr + 1; + + z.zalloc = 0; diff -r 52649f27a0da -r aba2c5ca9a66 advancecomp/stuff/CVE-2019-9210.patch --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/advancecomp/stuff/CVE-2019-9210.patch Sun Mar 13 15:13:28 2022 +0000 @@ -0,0 +1,100 @@ +commit 7894a6e684ce68ddff9f4f4919ab8e3911ac8040 +Author: Andrea Mazzoleni +Date: Fri Jan 4 20:49:48 2019 +0100 + + Fix a buffer overflow caused by invalid chunks + +diff --git a/pngex.cc b/pngex.cc +index 55d16f5..3f5b49f 100644 +--- a/pngex.cc ++++ b/pngex.cc +@@ -163,6 +163,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size) + + switch (type) { + case ADV_MNG_CN_MHDR : ++ if (size < 28) { ++ cout << " invalid chunk size"; ++ break; ++ } + cout << " width:" << be_uint32_read(data+0) << " height:" << be_uint32_read(data+4) << " frequency:" << be_uint32_read(data+8); + cout << " simplicity:" << be_uint32_read(data+24); + cout << "(bit"; +@@ -174,6 +178,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size) + cout << ")"; + break; + case ADV_MNG_CN_DHDR : ++ if (size < 4) { ++ cout << " invalid chunk size"; ++ break; ++ } + cout << " id:" << be_uint16_read(data+0); + switch (data[2]) { + case 0 : cout << " img:unspecified"; break; +@@ -243,6 +251,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size) + } + break; + case ADV_MNG_CN_DEFI : ++ if (size < 2) { ++ cout << " invalid chunk size"; ++ break; ++ } + cout << " id:" << be_uint16_read(data+0); + if (size >= 3) { + switch (data[2]) { +@@ -266,6 +278,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size) + } + break; + case ADV_MNG_CN_MOVE : ++ if (size < 13) { ++ cout << " invalid chunk size"; ++ break; ++ } + cout << " id_from:" << be_uint16_read(data+0) << " id_to:" << be_uint16_read(data+2); + switch (data[4]) { + case 0 : cout << " type:replace"; break; +@@ -275,6 +291,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size) + cout << " x:" << (int)be_uint32_read(data + 5) << " y:" << (int)be_uint32_read(data + 9); + break; + case ADV_MNG_CN_PPLT : ++ if (size < 1) { ++ cout << " invalid chunk size"; ++ break; ++ } + switch (data[0]) { + case 0 : cout << " type:replacement_rgb"; break; + case 1 : cout << " type:delta_rgb"; break; +@@ -285,7 +305,7 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size) + default : cout << " type:?"; break; + } + i = 1; +- while (i/dev/null | \ - sed "/latest/d;/\[DIR/!d;s|.*href=.\\(.*\\)/.*\".*|https://download.gimp.org/pub/$PACKAGE/\\1|" | sort -Vr | sed q > /tmp/url$$ - cat /tmp/url$$ | xargs wget -O - 2>/dev/null | \ + sed "/latest/d;/\[DIR/!d;s|.*href=.\\(.*\\)/.*\".*|https://download.gimp.org/pub/$PACKAGE/\\1|" | \ + sort -Vr | sed q | xargs wget -O - 2>/dev/null | \ sed "/latest/d;/$PACKAGE-/!d;/tar/!d;s|.*$PACKAGE-\\(.*\\).tar.*\".*|\\1|" | sort -Vr | sed q - rm -f /tmp/url$$ } # Rules to configure and make the package. diff -r 52649f27a0da -r aba2c5ca9a66 gegl/receipt --- a/gegl/receipt Sun Mar 13 12:06:14 2022 +0000 +++ b/gegl/receipt Sun Mar 13 15:13:28 2022 +0000 @@ -19,10 +19,9 @@ current_version() { wget -O - https://download.gimp.org/pub/$PACKAGE/ 2>/dev/null | \ - sed "/latest/d;/\[DIR/!d;s|.*href=.\\(.*\\)/.*\".*|https://download.gimp.org/pub/$PACKAGE/\\1/|" | sort -Vr | sed q > /tmp/url$$ - cat /tmp/url$$ | xargs wget -O - 2>/dev/null | \ + sed "/latest/d;/\[DIR/!d;s|.*href=.\\(.*\\)/.*\".*|https://download.gimp.org/pub/$PACKAGE/\\1/|" | \ + sort -Vr | sed q | xargs wget -O - 2>/dev/null | \ sed "/latest/d;/$PACKAGE-/!d;/tar/!d;s|.*$PACKAGE-\\(.*\\).tar.*\".*|\\1|" | sort -Vr | sed q - rm -f /tmp/url$$ } # Rules to configure and make the package. diff -r 52649f27a0da -r aba2c5ca9a66 gimp/receipt --- a/gimp/receipt Sun Mar 13 12:06:14 2022 +0000 +++ b/gimp/receipt Sun Mar 13 15:13:28 2022 +0000 @@ -22,10 +22,9 @@ current_version() { wget -O - https://download.gimp.org/pub/$PACKAGE/ 2>/dev/null | \ - sed "/latest/d;/\[DIR/!d;/v[0-9]/!d;s|.*href=.\\(.*\\)/.*\".*|https://download.gimp.org/pub/$PACKAGE/\\1|" | sort -Vr | sed q > /tmp/url$$ - cat /tmp/url$$ | xargs wget -O - 2>/dev/null | \ + sed "/latest/d;/\[DIR/!d;/v[0-9]/!d;s|.*href=.\\(.*\\)/.*\".*|https://download.gimp.org/pub/$PACKAGE/\\1|" | \ + sort -Vr | sed q | xargs wget -O - 2>/dev/null | \ sed "/latest/d;/$PACKAGE-/!d;/tar/!d;s|.*$PACKAGE-\\(.*\\).tar.*\".*|\\1|" | sort -Vr | sed q - rm -f /tmp/url$$ } # Rules to configure and make the package.