[jackhill/guix/guix.git] / gnu / packages / patches / freeimage-CVE-2015-0852.patch

Copied from Debian.

Description: fix integer overflow
Origin: upstream
 http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?view=patch&r1=1.17&r2=1.18&pathrev=MAIN
 http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?view=patch&r1=1.18&r2=1.19&pathrev=MAIN
Bug-Debian: https://bugs.debian.org/797165
Last-Update: 2015-09-14
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
Index: freeimage/Source/FreeImage/PluginPCX.cpp
===================================================================
--- freeimage.orig/Source/FreeImage/PluginPCX.cpp
+++ freeimage/Source/FreeImage/PluginPCX.cpp
@@ -347,12 +347,14 @@ Load(FreeImageIO *io, fi_handle handle,
 
 	try {
 		// check PCX identifier
-
-		long start_pos = io->tell_proc(handle);
-		BOOL validated = pcx_validate(io, handle);		
-		io->seek_proc(handle, start_pos, SEEK_SET);
-		if(!validated) {
-			throw FI_MSG_ERROR_MAGIC_NUMBER;
+		// (note: should have been already validated using FreeImage_GetFileType but check again)
+		{
+			long start_pos = io->tell_proc(handle);
+			BOOL validated = pcx_validate(io, handle);
+			io->seek_proc(handle, start_pos, SEEK_SET);
+			if(!validated) {
+				throw FI_MSG_ERROR_MAGIC_NUMBER;
+			}
 		}
 
 		// process the header
@@ -366,20 +368,38 @@ Load(FreeImageIO *io, fi_handle handle,
 		SwapHeader(&header);
 #endif
 
-		// allocate a new DIB
+		// process the window
+		const WORD *window = header.window;	// left, upper, right,lower pixel coord.
+		const int left		= window[0];
+		const int top		= window[1];
+		const int right		= window[2];
+		const int bottom	= window[3];
 
-		unsigned width = header.window[2] - header.window[0] + 1;
-		unsigned height = header.window[3] - header.window[1] + 1;
-		unsigned bitcount = header.bpp * header.planes;
-
-		if (bitcount == 24) {
-			dib = FreeImage_AllocateHeader(header_only, width, height, bitcount, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
-		} else {
-			dib = FreeImage_AllocateHeader(header_only, width, height, bitcount);			
+		// check image size
+		if((left >= right) || (top >= bottom)) {
+			throw FI_MSG_ERROR_PARSING;
 		}
 
-		// if the dib couldn't be allocated, throw an error
+		const unsigned width = right - left + 1;
+		const unsigned height = bottom - top + 1;
+		const unsigned bitcount = header.bpp * header.planes;
+
+		// allocate a new DIB
+		switch(bitcount) {
+			case 1:
+			case 4:
+			case 8:
+				dib = FreeImage_AllocateHeader(header_only, width, height, bitcount);
+				break;
+			case 24:
+				dib = FreeImage_AllocateHeader(header_only, width, height, bitcount, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
+				break;
+			default:
+				throw FI_MSG_ERROR_DIB_MEMORY;
+				break;
+		}
 
+		// if the dib couldn't be allocated, throw an error
 		if (!dib) {
 			throw FI_MSG_ERROR_DIB_MEMORY;
 		}
@@ -426,19 +446,23 @@ Load(FreeImageIO *io, fi_handle handle,
 
 				if (palette_id == 0x0C) {
 					BYTE *cmap = (BYTE*)malloc(768 * sizeof(BYTE));
-					io->read_proc(cmap, 768, 1, handle);
 
-					pal = FreeImage_GetPalette(dib);
-					BYTE *pColormap = &cmap[0];
+					if(cmap) {
+						io->read_proc(cmap, 768, 1, handle);
 
-					for(int i = 0; i < 256; i++) {
-						pal[i].rgbRed   = pColormap[0];
-						pal[i].rgbGreen = pColormap[1];
-						pal[i].rgbBlue  = pColormap[2];
-						pColormap += 3;
+						pal = FreeImage_GetPalette(dib);
+						BYTE *pColormap = &cmap[0];
+
+						for(int i = 0; i < 256; i++) {
+							pal[i].rgbRed   = pColormap[0];
+							pal[i].rgbGreen = pColormap[1];
+							pal[i].rgbBlue  = pColormap[2];
+							pColormap += 3;
+						}
+
+						free(cmap);
 					}
 
-					free(cmap);
 				}
 
 				// wrong palette ID, perhaps a gray scale is needed ?
@@ -466,9 +490,9 @@ Load(FreeImageIO *io, fi_handle handle,
 		// calculate the line length for the PCX and the DIB
 
 		// length of raster line in bytes
-		unsigned linelength = header.bytes_per_line * header.planes;
+		const unsigned linelength = header.bytes_per_line * header.planes;
 		// length of DIB line (rounded to DWORD) in bytes
-		unsigned pitch = FreeImage_GetPitch(dib);
+		const unsigned pitch = FreeImage_GetPitch(dib);
 
 		// run-length encoding ?
Commit	Line	Data
93bd4a37 MW	1	Copied from Debian.
	2
	3	Description: fix integer overflow
	4	Origin: upstream
	5	http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?view=patch&r1=1.17&r2=1.18&pathrev=MAIN
	6	http://freeimage.cvs.sourceforge.net/viewvc/freeimage/FreeImage/Source/FreeImage/PluginPCX.cpp?view=patch&r1=1.18&r2=1.19&pathrev=MAIN
	7	Bug-Debian: https://bugs.debian.org/797165
	8	Last-Update: 2015-09-14
	9	---
	10	This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
	11	Index: freeimage/Source/FreeImage/PluginPCX.cpp
	12	===================================================================
	13	--- freeimage.orig/Source/FreeImage/PluginPCX.cpp
	14	+++ freeimage/Source/FreeImage/PluginPCX.cpp
	15	@@ -347,12 +347,14 @@ Load(FreeImageIO *io, fi_handle handle,
	16
	17	try {
	18	// check PCX identifier
	19	-
	20	- long start_pos = io->tell_proc(handle);
	21	- BOOL validated = pcx_validate(io, handle);
	22	- io->seek_proc(handle, start_pos, SEEK_SET);
	23	- if(!validated) {
	24	- throw FI_MSG_ERROR_MAGIC_NUMBER;
	25	+ // (note: should have been already validated using FreeImage_GetFileType but check again)
	26	+ {
	27	+ long start_pos = io->tell_proc(handle);
	28	+ BOOL validated = pcx_validate(io, handle);
	29	+ io->seek_proc(handle, start_pos, SEEK_SET);
	30	+ if(!validated) {
	31	+ throw FI_MSG_ERROR_MAGIC_NUMBER;
	32	+ }
	33	}
	34
	35	// process the header
	36	@@ -366,20 +368,38 @@ Load(FreeImageIO *io, fi_handle handle,
	37	SwapHeader(&header);
	38	#endif
	39
	40	- // allocate a new DIB
	41	+ // process the window
	42	+ const WORD *window = header.window; // left, upper, right,lower pixel coord.
	43	+ const int left = window[0];
	44	+ const int top = window[1];
	45	+ const int right = window[2];
	46	+ const int bottom = window[3];
	47
	48	- unsigned width = header.window[2] - header.window[0] + 1;
	49	- unsigned height = header.window[3] - header.window[1] + 1;
	50	- unsigned bitcount = header.bpp * header.planes;
	51	-
	52	- if (bitcount == 24) {
	53	- dib = FreeImage_AllocateHeader(header_only, width, height, bitcount, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
	54	- } else {
	55	- dib = FreeImage_AllocateHeader(header_only, width, height, bitcount);
	56	+ // check image size
	57	+ if((left >= right) \|\| (top >= bottom)) {
	58	+ throw FI_MSG_ERROR_PARSING;
	59	}
	60
	61	- // if the dib couldn't be allocated, throw an error
	62	+ const unsigned width = right - left + 1;
	63	+ const unsigned height = bottom - top + 1;
	64	+ const unsigned bitcount = header.bpp * header.planes;
65	+
66	+ // allocate a new DIB
67	+ switch(bitcount) {
68	+ case 1:
69	+ case 4:
70	+ case 8:
71	+ dib = FreeImage_AllocateHeader(header_only, width, height, bitcount);
72	+ break;
73	+ case 24:
74	+ dib = FreeImage_AllocateHeader(header_only, width, height, bitcount, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
75	+ break;
76	+ default:
77	+ throw FI_MSG_ERROR_DIB_MEMORY;
78	+ break;
79	+ }
80
81	+ // if the dib couldn't be allocated, throw an error
82	if (!dib) {
83	throw FI_MSG_ERROR_DIB_MEMORY;
84	}
85	@@ -426,19 +446,23 @@ Load(FreeImageIO *io, fi_handle handle,
86
87	if (palette_id == 0x0C) {
88	BYTE cmap = (BYTE)malloc(768 * sizeof(BYTE));
89	- io->read_proc(cmap, 768, 1, handle);
90
91	- pal = FreeImage_GetPalette(dib);
92	- BYTE *pColormap = &cmap[0];
93	+ if(cmap) {
94	+ io->read_proc(cmap, 768, 1, handle);
95
96	- for(int i = 0; i < 256; i++) {
97	- pal[i].rgbRed = pColormap[0];
98	- pal[i].rgbGreen = pColormap[1];
99	- pal[i].rgbBlue = pColormap[2];
100	- pColormap += 3;
101	+ pal = FreeImage_GetPalette(dib);
102	+ BYTE *pColormap = &cmap[0];
103	+
104	+ for(int i = 0; i < 256; i++) {
105	+ pal[i].rgbRed = pColormap[0];
106	+ pal[i].rgbGreen = pColormap[1];
107	+ pal[i].rgbBlue = pColormap[2];
108	+ pColormap += 3;
109	+ }
110	+
111	+ free(cmap);
112	}
113
114	- free(cmap);
115	}
116
117	// wrong palette ID, perhaps a gray scale is needed ?
118	@@ -466,9 +490,9 @@ Load(FreeImageIO *io, fi_handle handle,
119	// calculate the line length for the PCX and the DIB
120
121	// length of raster line in bytes
122	- unsigned linelength = header.bytes_per_line * header.planes;
123	+ const unsigned linelength = header.bytes_per_line * header.planes;
124	// length of DIB line (rounded to DWORD) in bytes
125	- unsigned pitch = FreeImage_GetPitch(dib);
126	+ const unsigned pitch = FreeImage_GetPitch(dib);
127
128	// run-length encoding ?
129