
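--- a/usr/ports/graphics/sdl_image.new/Makefile
+++ b/usr/ports/graphics/sdl_image.new/Makefile
@@ -6,8 +6,7 @@
 #
 
 PORTNAME=	sdl_image
-PORTVERSION=	1.2.6
-PORTREVISION=	1
+PORTVERSION=	1.2.7
 CATEGORIES=	graphics
 MASTER_SITES=	http://www.libsdl.org/projects/SDL_image/release/
 DISTNAME=	SDL_image-${PORTVERSION}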
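--- a/usr/ports/graphics/sdl_image.new/distinfo
+++ b/usr/ports/graphics/sdl_image.new/distinfo
@@ -1,3 +1,3 @@
-MD5 (SDL_image-1.2.6.tar.gz) = b866dc4f647517bdaf57f6ffdefd013e
-SHA256 (SDL_image-1.2.6.tar.gz) = 88fcb1dbf934af33163667a6677312065c7d0a7f01cd764e3374c4c19b386ec4
-SIZE (SDL_image-1.2.6.tar.gz) = 1308812
+MD5 (SDL_image-1.2.7.tar.gz) = a729ff61f74f0a45ec7fe36354cf938e
+SHA256 (SDL_image-1.2.7.tar.gz) = 14e4d9932ae2af03d814cca9e56ab9ba0091ffe06c9387dde74dfb03a4dde3b3
+SIZE (SDL_image-1.2.7.tar.gz) = 1315517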
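--- a/usr/ports/graphics/sdl_image.new/files/patch-IMG_gif.c
+++ b/usr/ports/graphics/sdl_image.new/files/patch-IMG_gif.c
@@ -1,13 +0,0 @@
---- IMG_gif.c	2007/02/13 10:09:17	2970
-+++ IMG_gif.c	2007/12/28 16:43:56	3462
-@@ -418,6 +418,10 @@
-     static int stack[(1 << (MAX_LWZ_BITS)) * 2], *sp;
-     register int i;
- 
-+    /* Fixed buffer overflow found by Michael Skladnikiewicz */
-+    if (input_code_size > MAX_LWZ_BITS)
-+        return -1;
-+
-     if (flag) {
- 	set_code_size = input_code_size;
- 	code_size = set_code_size + 1;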
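Review bot: Deleting this local patch drops the `if (input_code_size > MAX_LWZ_BITS) return -1;` guard on the LZW code size, and nothing on this page shows that the SDL_image 1.2.7 distfile already contains it. The patch header names upstream revision 3462 (2007/12/28), so the fix presumably shipped in 1.2.7, but that should be confirmed against the extracted IMG_gif.c before the port is committed. The same applies to files/patch-IMG_lbm.c, whose removal drops the two `count > remainingbytes` checks in the RLE BODY decoder (upstream revision 3521, 2008/01/03). If either check is missing from the new tarball, keep the corresponding patch file.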
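--- a/usr/ports/graphics/sdl_image.new/files/patch-IMG_lbm.c
+++ b/usr/ports/graphics/sdl_image.new/files/patch-IMG_lbm.c
@@ -1,28 +0,0 @@
---- IMG_lbm.c	2007/07/20 04:37:11	3341
-+++ IMG_lbm.c	2008/01/03 20:05:34	3521
-@@ -28,6 +28,7 @@
-    EHB and HAM (specific Amiga graphic chip modes) support added by Marc Le Douarain
-    (http://www.multimania.com/mavati) in December 2003.
-    Stencil and colorkey fixes by David Raulo (david.raulo AT free DOT fr) in February 2004.
-+   Buffer overflow fix in RLE decompression by David Raulo in January 2008.
- */
- 
- #include <stdio.h>
-@@ -328,7 +329,7 @@
- 						count ^= 0xFF;
- 						count += 2; /* now it */
- 
--						if ( !SDL_RWread( src, &color, 1, 1 ) )
-+						if ( ( count > remainingbytes ) || !SDL_RWread( src, &color, 1, 1 ) )
- 						{
- 						   error="error reading BODY chunk";
- 							goto done;
-@@ -339,7 +340,7 @@
- 					{
- 						++count;
- 
--						if ( !SDL_RWread( src, ptr, count, 1 ) )
-+						if ( ( count > remainingbytes ) || !SDL_RWread( src, ptr, count, 1 ) )
- 						{
- 						   error="error reading BODY chunk";
- 							goto done;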
