diff --git a/gimp-2.6.11-gif-load.patch b/gimp-2.6.11-gif-load.patch
new file mode 100644
index 0000000..ac9e6cd
--- /dev/null
+++ b/gimp-2.6.11-gif-load.patch
@@ -0,0 +1,108 @@
+From 631856a2021d60d29e96d07872c06246eff25a96 Mon Sep 17 00:00:00 2001
+From: Nils Philippsen
+Date: Fri, 12 Aug 2011 14:44:52 +0200
+Subject: [PATCH] patch: gif-load
+
+Squashed commit of the following:
+
+commit 366d6b546e8fb91909550a61abeafc11672667c4
+Author: Nils Philippsen
+Date: Thu Aug 4 12:51:42 2011 +0200
+
+ file-gif-load: fix heap corruption and buffer overflow (CVE-2011-2896)
+ (cherry picked from commit 376ad788c1a1c31d40f18494889c383f6909ebfc)
+
+commit 3c5864851ea5fe8f89d273ee8ac4df0c1101b315
+Author: Nils Philippsen
+Date: Thu Aug 4 12:47:44 2011 +0200
+
+ file-gif-load: ensure return value of LZWReadByte() is <= 255
+ (cherry picked from commit b1a3de761362db982c0ddfaff60ab4a3c4267f32)
+---
+ plug-ins/common/file-gif-load.c | 25 ++++++++++++++-----------
+ 1 files changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
+index 9a0720b..8460ec0 100644
+--- a/plug-ins/common/file-gif-load.c
++++ b/plug-ins/common/file-gif-load.c
+@@ -697,7 +697,8 @@ LZWReadByte (FILE *fd,
+ static gint firstcode, oldcode;
+ static gint clear_code, end_code;
+ static gint table[2][(1 << MAX_LZW_BITS)];
+- static gint stack[(1 << (MAX_LZW_BITS)) * 2], *sp;
++#define STACK_SIZE ((1 << (MAX_LZW_BITS)) * 2)
++ static gint stack[STACK_SIZE], *sp;
+ gint i;
+
+ if (just_reset_LZW)
+@@ -743,11 +744,11 @@ LZWReadByte (FILE *fd,
+ }
+ while (firstcode == clear_code);
+
+- return firstcode;
++ return firstcode & 255;
+ }
+
+ if (sp > stack)
+- return *--sp;
++ return (*--sp) & 255;
+
+ while ((code = GetCode (fd, code_size, FALSE)) >= 0)
+ {
+@@ -770,9 +771,9 @@ LZWReadByte (FILE *fd,
+ sp = stack;
+ firstcode = oldcode = GetCode (fd, code_size, FALSE);
+
+- return firstcode;
++ return firstcode & 255;
+ }
+- else if (code == end_code)
++ else if (code == end_code || code > max_code)
+ {
+ gint count;
+ guchar buf[260];
+@@ -791,13 +792,14 @@ LZWReadByte (FILE *fd,
+
+ incode = code;
+
+- if (code >= max_code)
++ if (code == max_code)
+ {
+- *sp++ = firstcode;
++ if (sp < &(stack[STACK_SIZE]))
++ *sp++ = firstcode;
+ code = oldcode;
+ }
+
+- while (code >= clear_code)
++ while (code >= clear_code && sp < &(stack[STACK_SIZE]))
+ {
+ *sp++ = table[1][code];
+ if (code == table[0][code])
+@@ -808,7 +810,8 @@ LZWReadByte (FILE *fd,
+ code = table[0][code];
+ }
+
+- *sp++ = firstcode = table[1][code];
++ if (sp < &(stack[STACK_SIZE]))
++ *sp++ = firstcode = table[1][code];
+
+ if ((code = max_code) < (1 << MAX_LZW_BITS))
+ {
+@@ -826,10 +829,10 @@ LZWReadByte (FILE *fd,
+ oldcode = incode;
+
+ if (sp > stack)
+- return *--sp;
++ return (*--sp) & 255;
+ }
+
+- return code;
++ return code & 255;
+ }
+
+ static gint32
+--
+1.7.6
+
diff --git a/gimp.spec b/gimp.spec
index 86817f3..9f569e5 100644
--- a/gimp.spec
+++ b/gimp.spec
@@ -153,6 +153,8 @@ Patch9: gimp-2.6.11-CVE-2010-4540,4541,4542.patch
 Patch10: gimp-2.6.11-shell-dnd-quit-crash.patch
 # backport: fix goption warning on startup
 Patch11: gimp-2.6.11-startup-warning.patch
+# CVE-2011-2896: fix heap corruption and buffer overflow, upstreamed
+Patch12: gimp-2.6.11-gif-load.patch
 # files changed by autoreconf after applying the above
 Patch100: gimp-2.6.11-11-autoreconf.patch.bz2
@@ -245,6 +247,7 @@ EOF
 %patch9 -p1 -b .CVE-2010-4540,4541,4542
 %patch10 -p1 -b .shell-dnd-quit-crash
 %patch11 -p1 -b .startup-warning
+%patch12 -p1 -b .gif-load
 %patch100 -p1 -b .autoreconf
@@ -514,6 +517,8 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 %changelog
 * Fri Aug 12 2011 Nils Philippsen - 2:2.6.11-21
 - actually apply startup-warning patch
+- fix heap corruption and buffer overflow in file-gif-load plugin
+ (CVE-2011-2896)
 * Thu Aug 04 2011 Nils Philippsen - 2:2.6.11-20
 - fix goption warning on startup, patch by Mikael Magnusson
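Review bot: The new `return code & 255;` after the `while ((code = GetCode (fd, code_size, FALSE)) >= 0)` loop (the `-826,10 +829,10` hunk of the embedded patch) maps GetCode's negative result into 0..255, so a caller that tests for a negative return can no longer distinguish a truncated or corrupt LZW stream from a genuine pixel value 255 — and as far as the visible lines show, that loop is only left when GetCode returns a negative value. I would keep the mask for real symbols but let the failure through, inserting `if (code < 0) return code;` directly before `return code & 255;`. The same masking affects `return firstcode & 255;` in the fresh-stream path (`-743` hunk) and the clear_code path (`-770` hunk), where `firstcode` is assigned straight from GetCode and presumably carries the same negative sentinel, so the same guard belongs there. Separately, the new `sp < &(stack[STACK_SIZE])` checks make a malformed stream that exhausts the stack stop decoding silently rather than being rejected, which deserves a comment at the `#define STACK_SIZE` line such as `/* bound checks on sp truncate, not reject, a corrupt stream that overruns the stack */`. LZWReadByte begins before the first inner hunk and most of its body lies between the hunks, so loop exits I cannot see may exist.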