diff --git a/SOURCES/gif-check-for-overflow.patch b/SOURCES/gif-check-for-overflow.patch
new file mode 100644
index 0000000..76054ba
--- /dev/null
+++ b/SOURCES/gif-check-for-overflow.patch
@@ -0,0 +1,61 @@
+From 6976bdc8ee9dd2c2954f91066f7b0f643769a379 Mon Sep 17 00:00:00 2001
+From: Robert Ancell
+Date: Thu, 3 Jun 2021 11:05:56 +1200
+Subject: [PATCH] gif: Check for overflow when compositing or clearing frames.
+
+Fixes: #190
+
+Similar to fix in 086e8adf4cc352cd11572f96066b001b545f354e
+---
+ gdk-pixbuf/io-gif-animation.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/gdk-pixbuf/io-gif-animation.c b/gdk-pixbuf/io-gif-animation.c
+index 8335cdd76..71d9265e6 100644
+--- a/gdk-pixbuf/io-gif-animation.c
++++ b/gdk-pixbuf/io-gif-animation.c
+@@ -369,7 +369,7 @@ composite_frame (GdkPixbufGifAnim *anim, GdkPixbufFrame *frame)
+ for (i = 0; i < n_indexes; i++) {
+ guint8 index = index_buffer[i];
+ guint x, y;
+- int offset;
++ gsize offset;
+
+ if (index == frame->transparent_index)
+ continue;
+@@ -379,11 +379,13 @@ composite_frame (GdkPixbufGifAnim *anim, GdkPixbufFrame *frame)
+ if (x >= anim->width || y >= anim->height)
+ continue;
+
+- offset = y * gdk_pixbuf_get_rowstride (anim->last_frame_data) + x * 4;
+- pixels[offset + 0] = frame->color_map[index * 3 + 0];
+- pixels[offset + 1] = frame->color_map[index * 3 + 1];
+- pixels[offset + 2] = frame->color_map[index * 3 + 2];
+- pixels[offset + 3] = 255;
++ if (g_size_checked_mul (&offset, gdk_pixbuf_get_rowstride (anim->last_frame_data), y) &&
++ g_size_checked_add (&offset, offset, x * 4)) {
++ pixels[offset + 0] = frame->color_map[index * 3 + 0];
++ pixels[offset + 1] = frame->color_map[index * 3 + 1];
++ pixels[offset + 2] = frame->color_map[index * 3 + 2];
++ pixels[offset + 3] = 255;
++ }
+ }
+
+ out:
+@@ -448,8 +450,11 @@ gdk_pixbuf_gif_anim_iter_get_pixbuf (GdkPixbufAnimationIter *anim_iter)
+ x_end = MIN (anim->last_frame->x_offset + anim->last_frame->width, anim->width);
+ y_end = MIN (anim->last_frame->y_offset + anim->last_frame->height, anim->height);
+ for (y = anim->last_frame->y_offset; y < y_end; y++) {
+- guchar *line = pixels + y * 
gdk_pixbuf_get_rowstride (anim->last_frame_data) + anim->last_frame->x_offset * 4;
+- memset (line, 0, (x_end - anim->last_frame->x_offset) * 4);
++ gsize offset;
++ if (g_size_checked_mul (&offset, gdk_pixbuf_get_rowstride (anim->last_frame_data), y) &&
++ g_size_checked_add (&offset, offset, anim->last_frame->x_offset * 4)) {
++ memset (pixels + offset, 0, (x_end - anim->last_frame->x_offset) * 4);
++ }
+ }
+ break;
+ case GDK_PIXBUF_FRAME_REVERT:
+--
+GitLab
+
diff --git a/SOURCES/gif-lzw-code-size-overflow.patch b/SOURCES/gif-lzw-code-size-overflow.patch
new file mode 100644
index 0000000..6fdaece
--- /dev/null
+++ b/SOURCES/gif-lzw-code-size-overflow.patch
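Review bot: The checked offset in the clear loop still hands memset an unguarded length, `(x_end - anim->last_frame->x_offset) * 4`: x_end is clamped to anim->width but x_offset is not, so if a frame's x_offset can exceed the logical screen width (whether the loader rejects that earlier is not visible here) the difference goes negative and becomes a huge size_t. A loop-invariant guard before the `for`, `if (anim->last_frame->x_offset >= x_end) break;`, closes that without touching the normal path. In composite_frame the overflow branch now silently drops the pixel rather than failing the frame; that is a reasonable hardening choice but deserves a comment such as `/* offset would overflow: skip the pixel rather than write out of bounds */`. Both enclosing functions begin outside the hunk.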
@@ -0,0 +1,224 @@
+From 76eda67dbc3f48c9dd6815a5aaf6014ea4a16771 Mon Sep 17 00:00:00 2001
+From: Robert Ancell
+Date: Wed, 2 Feb 2022 12:36:08 +1300
+Subject: [PATCH 1/4] Fix test GIF that was broken in the LZW code size, not
+ the values of the pixels
+
+---
+ .../test-images/gif-test-suite/invalid-colors.gif | Bin 37 -> 35 bytes
+ 1 file changed, 0 insertions(+), 0 deletions(-)
+
+diff --git a/tests/test-images/gif-test-suite/invalid-colors.gif b/tests/test-images/gif-test-suite/invalid-colors.gif
+index c3111525ac2d977a0dbedf917f2beae610b614f8..6c3a7240e6ba58c344051351eb3581887fa314c7 100644
+GIT binary patch
+delta 11
+ScmY#Yo*>J{%%s7|U=08YGy!b@
+
+delta 13
+UcmY#ZogmA>!}4E&fr-Hy01|-$Y5)KL
+
+--
+GitLab
+
+
+From 0cf97225c9c227d11fc4ddf9cba8e8480672ee1b Mon Sep 17 00:00:00 2001
+From: Robert Ancell
+Date: Wed, 2 Feb 2022 12:38:45 +1300
+Subject: [PATCH 2/4] Add an assertion that checks for maximum LZW code size
+
+---
+ gdk-pixbuf/lzw.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/gdk-pixbuf/lzw.c b/gdk-pixbuf/lzw.c
+index 105daf2b1..15293560b 100644
+--- a/gdk-pixbuf/lzw.c
++++ b/gdk-pixbuf/lzw.c
+@@ -121,6 +121,8 @@ lzw_decoder_new (guint8 code_size)
+ LZWDecoder *self;
+ int i;
+
++ g_return_val_if_fail (code_size <= LZW_CODE_MAX, NULL);
++
+ self = g_object_new (lzw_decoder_get_type (), NULL);
+
+ self->min_code_size = code_size;
+--
+GitLab
+
+
+From 19ebba03117aefc9d0312f675f3a210ffdcc4907 Mon Sep 17 00:00:00 2001
+From: Robert Ancell
+Date: Wed, 2 Feb 2022 14:03:13 +1300
+Subject: [PATCH 3/4] Fix the check for maximum value of LZW initial code size.
+
+This value is the number of bits for each symbol (i.e. colour index) decoded via LZW.
+The maximum LZW code is specified as 12 bits, so the value here can only be 11 as two additional code words are required (clear and end of information) that immediately uses an additional bit.
+This implementation has always been wrong, and the Firefox implementation has the same issue so it seems a common misinterpretation of the spec.
+This has been changed here to avoid an assertion later in the LZW decoder.
+Note that there is never any reason for a GIF to be encoded with more than 8 bits of colour information, as the colour tables only support up to 8 bits.
+---
+ gdk-pixbuf/io-gif.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
+index 1befba155..310bdff6a 100644
+--- a/gdk-pixbuf/io-gif.c
++++ b/gdk-pixbuf/io-gif.c
+@@ -499,8 +499,8 @@ gif_prepare_lzw (GifContext *context)
+ /*g_message (_("GIF: EOF / read error on image data\n"));*/
+ return -1;
+ }
+-
+- if (context->lzw_set_code_size > 12) {
++
++ if (context->lzw_set_code_size >= 12) {
+ g_set_error_literal (context->error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+--
+GitLab
+
+
+From 449441210921c8ed417b0c4d5edbccd2d57e23f8 Mon Sep 17 00:00:00 2001
+From: Robert Ancell
+Date: Wed, 2 Feb 2022 14:19:06 +1300
+Subject: [PATCH 4/4] Add tests for GIF files with invalid LZW code sizes
+
+---
+ tests/test-images/fail/overflow-codes-max.gif | Bin 0 -> 65 bytes
+ tests/test-images/fail/overflow-codes.gif | Bin 0 -> 35 bytes
+ tests/test-images/gif-test-suite/TESTS | 2 ++
+ tests/test-images/gif-test-suite/invalid-code.conf | 11 +++++++++++
+ tests/test-images/gif-test-suite/invalid-code.gif | Bin 0 -> 35 bytes
+ .../gif-test-suite/overflow-codes-max.conf | 11 +++++++++++
+ .../gif-test-suite/overflow-codes-max.gif | Bin 0 -> 65 bytes
+ .../test-images/gif-test-suite/overflow-codes.conf | 11 +++++++++++
+ .../test-images/gif-test-suite/overflow-codes.gif | Bin 0 -> 35 bytes
+ 9 files changed, 35 insertions(+)
+ create mode 100644 tests/test-images/fail/overflow-codes-max.gif
+ create mode 100644 tests/test-images/fail/overflow-codes.gif
+ create mode 100644 tests/test-images/gif-test-suite/invalid-code.conf
+ create 
mode 100644 tests/test-images/gif-test-suite/invalid-code.gif
+ create mode 100644 tests/test-images/gif-test-suite/overflow-codes-max.conf
+ create mode 100644 tests/test-images/gif-test-suite/overflow-codes-max.gif
+ create mode 100644 tests/test-images/gif-test-suite/overflow-codes.conf
+ create mode 100644 tests/test-images/gif-test-suite/overflow-codes.gif
+
+diff --git a/tests/test-images/fail/overflow-codes-max.gif b/tests/test-images/fail/overflow-codes-max.gif
+new file mode 100644
+index 0000000000000000000000000000000000000000..3d507ca7daa790c9370e69a2ab277f55d749a013
+GIT binary patch
+literal 65
+ncmZ?wbhEHbWMW`q_`m=H|NsBj0ns24hW`ozAU1Bm$Y2csUc3i2
+
+literal 0
+HcmV?d00001
+
+diff --git a/tests/test-images/fail/overflow-codes.gif b/tests/test-images/fail/overflow-codes.gif
+new file mode 100644
+index 0000000000000000000000000000000000000000..c38053872ae2e3378ff6fb8f3eaff839fa5d35ed
+GIT binary patch
+literal 35
+jcmZ?wbhEHbWMW`q_`m=H|NsBj0ns241|B8>Mh0sDhc^Z!
+
+literal 0
+HcmV?d00001
+
+diff --git a/tests/test-images/gif-test-suite/TESTS b/tests/test-images/gif-test-suite/TESTS
+index 1d4a3f13f..bc573acf4 100644
+--- a/tests/test-images/gif-test-suite/TESTS
++++ b/tests/test-images/gif-test-suite/TESTS
+@@ -44,6 +44,8 @@ max-height
+ 255-codes
+ large-codes
+ max-codes
++#overflow-codes
++#overflow-codes-max
+ transparent
+ invalid-transparent
+ disabled-transparent
+diff --git a/tests/test-images/gif-test-suite/invalid-code.conf b/tests/test-images/gif-test-suite/invalid-code.conf
+new file mode 100644
+index 000000000..3bf287b4e
+--- /dev/null
++++ b/tests/test-images/gif-test-suite/invalid-code.conf
+@@ -0,0 +1,11 @@
++# Automatically generated, do not edit!
++[config]
++input = invalid-code.gif
++version = GIF89a
++width = 2
++height = 2
++background = #000000
++loop-count = 0
++force-animation = no
++frames =
++
+diff --git a/tests/test-images/gif-test-suite/invalid-code.gif b/tests/test-images/gif-test-suite/invalid-code.gif
+new file mode 100644
+index 0000000000000000000000000000000000000000..7d929c9431c0c5b7cd53f636f7711d47385f88b2
+GIT binary patch
+literal 35
+jcmZ?wbhEHbWMW`q_`m=H|NsBj0ns241}3Ke{~4?Sjj;#^
+
+literal 0
+HcmV?d00001
+
+diff --git a/tests/test-images/gif-test-suite/overflow-codes-max.conf b/tests/test-images/gif-test-suite/overflow-codes-max.conf
+new file mode 100644
+index 000000000..f6d3f38d8
+--- /dev/null
++++ b/tests/test-images/gif-test-suite/overflow-codes-max.conf
+@@ -0,0 +1,11 @@
++# Automatically generated, do not edit!
++[config]
++input = overflow-codes-max.gif
++version = GIF89a
++width = 2
++height = 2
++background = #000000
++loop-count = 0
++force-animation = no
++frames =
++
+diff --git a/tests/test-images/gif-test-suite/overflow-codes-max.gif b/tests/test-images/gif-test-suite/overflow-codes-max.gif
+new file mode 100644
+index 0000000000000000000000000000000000000000..3d507ca7daa790c9370e69a2ab277f55d749a013
+GIT binary patch
+literal 65
+ncmZ?wbhEHbWMW`q_`m=H|NsBj0ns24hW`ozAU1Bm$Y2csUc3i2
+
+literal 0
+HcmV?d00001
+
+diff --git a/tests/test-images/gif-test-suite/overflow-codes.conf b/tests/test-images/gif-test-suite/overflow-codes.conf
+new file mode 100644
+index 000000000..19f57fa74
+--- /dev/null
++++ b/tests/test-images/gif-test-suite/overflow-codes.conf
+@@ -0,0 +1,11 @@
++# Automatically generated, do not edit!
++[config]
++input = overflow-codes.gif
++version = GIF89a
++width = 2
++height = 2
++background = #000000
++loop-count = 0
++force-animation = no
++frames =
++
+diff --git a/tests/test-images/gif-test-suite/overflow-codes.gif b/tests/test-images/gif-test-suite/overflow-codes.gif
+new file mode 100644
+index 0000000000000000000000000000000000000000..c38053872ae2e3378ff6fb8f3eaff839fa5d35ed
+GIT binary patch
+literal 35
+jcmZ?wbhEHbWMW`q_`m=H|NsBj0ns241|B8>Mh0sDhc^Z!
+
+literal 0
+HcmV?d00001
+
+--
+GitLab
+
diff --git a/SPECS/gdk-pixbuf2.spec b/SPECS/gdk-pixbuf2.spec
index 3e9d839..18a23e6 100644
--- a/SPECS/gdk-pixbuf2.spec
+++ b/SPECS/gdk-pixbuf2.spec
@@ -2,15 +2,19 @@
 Name: gdk-pixbuf2
 Version: 2.42.6
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: An image loading library
 License: LGPLv2+
 URL: https://gitlab.gnome.org/GNOME/gdk-pixbuf
 Source0: https://download.gnome.org/sources/gdk-pixbuf/2.42/gdk-pixbuf-%{version}.tar.xz
+Patch0: gif-check-for-overflow.patch
+Patch1: gif-lzw-code-size-overflow.patch
+
 BuildRequires: docbook-style-xsl
 BuildRequires: gettext
+BuildRequires: git
 BuildRequires: pkgconfig(gio-2.0) >= %{glib2_version}
 BuildRequires: libpng-devel
 BuildRequires: libjpeg-devel
@@ -57,7 +61,7 @@ The %{name}-tests package contains tests that can be used to verify the
 functionality of the installed %{name} package.
 %prep
-%autosetup -n gdk-pixbuf-%{version} -p1
+%autosetup -n gdk-pixbuf-%{version} -p1 -Sgit
 %build
 %meson \
@@ -117,6 +121,11 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache
 %{_datadir}/installed-tests
 %changelog
+* Mon Oct 31 2022 Tomas Popela - 2.42.6-3
+- Backport fixes for CVE-2021-46829 and CVE-2021-44648
+- Resolves: rhbz#2115213
+- Resolves: rhbz#2044346
+
 * Mon Aug 09 2021 Mohan Boddu - 2.42.6-2
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
 Related: rhbz#1991688
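Review bot: The two limits introduced by this patch series are expressed differently and may not agree: gif_prepare_lzw rejects `lzw_set_code_size >= 12` with a literal, while lzw_decoder_new only refuses `code_size > LZW_CODE_MAX`; if LZW_CODE_MAX is 12 (its value is not visible here) the decoder still accepts 12, which the commit message says needs a 13-bit code and trips a later assertion, so any other caller of lzw_decoder_new is not covered. Writing the loader check against the macro, `if (context->lzw_set_code_size >= LZW_CODE_MAX) {`, keeps the two from drifting apart. g_return_val_if_fail is also compiled out under G_DISABLE_CHECKS and otherwise returns NULL, so the caller of lzw_decoder_new must cope with a NULL decoder; that caller lies outside these hunks. The new overflow-codes entries are added to TESTS commented out, which deserves a one-line reason next to them.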
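Review bot: The new `BuildRequires: git` and the `-Sgit` flag on %autosetup carry no explanation; from the hunks above, Patch1 contains `GIT binary patch` sections for the test GIFs, which plain patch(1) cannot apply, so a comment above Patch1 such as `# Patch1 ships test images as git binary deltas; %autosetup -Sgit is needed to apply it` would keep a future rebase from dropping the flag. The changelog's CVE-to-patch mapping is otherwise consistent with the two patches added.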