From c10dad187df2912a5e00070ecfc1f24d1ae65c8c Mon Sep 17 00:00:00 2001
From: Dan Horák <sharkcz@fedoraproject.org>
Date: Jul 15 2009 17:50:48 +0000
Subject: add patch


---

diff --git a/wxGTK-2.8.10-CVE-2009-2369.patch b/wxGTK-2.8.10-CVE-2009-2369.patch
new file mode 100644
index 0000000..49a932c
--- /dev/null
+++ b/wxGTK-2.8.10-CVE-2009-2369.patch
@@ -0,0 +1,75 @@
+Index: src/common/imagpng.cpp
+===================================================================
+--- src/common/imagpng.cpp	(revision 60874)
++++ src/common/imagpng.cpp	(revision 60875)
+@@ -568,18 +568,16 @@
+     if (!image->Ok())
+         goto error;
+ 
+-    lines = (unsigned char **)malloc( (size_t)(height * sizeof(unsigned char *)) );
++    // initialize all line pointers to NULL to ensure that they can be safely
++    // free()d if an error occurs before all of them could be allocated
++    lines = (unsigned char **)calloc(height, sizeof(unsigned char *));
+     if ( !lines )
+         goto error;
+ 
+     for (i = 0; i < height; i++)
+     {
+         if ((lines[i] = (unsigned char *)malloc( (size_t)(width * (sizeof(unsigned char) * 4)))) == NULL)
+-        {
+-            for ( unsigned int n = 0; n < i; n++ )
+-                free( lines[n] );
+             goto error;
+-        }
+     }
+ 
+     png_read_image( png_ptr, lines );
+Index: src/common/imagtiff.cpp
+===================================================================
+--- src/common/imagtiff.cpp	(revision 60875)
++++ src/common/imagtiff.cpp	(revision 60876)
+@@ -261,7 +261,6 @@
+     }
+ 
+     uint32 w, h;
+-    uint32 npixels;
+     uint32 *raster;
+ 
+     TIFFGetField( tif, TIFFTAG_IMAGEWIDTH, &w );
+@@ -275,10 +274,21 @@
+                            (samplesInfo[0] == EXTRASAMPLE_ASSOCALPHA ||
+                             samplesInfo[0] == EXTRASAMPLE_UNASSALPHA));
+ 
+-    npixels = w * h;
++    // guard against integer overflow during multiplication which could result
++    // in allocating a too small buffer and then overflowing it
++    const double bytesNeeded = w * h * sizeof(uint32);
++    if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ )
++    {
++        if ( verbose )
++            wxLogError( _("TIFF: Image size is abnormally big.") );
+ 
+-    raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) );
++        TIFFClose(tif);
+ 
++        return false;
++    }
++
++    raster = (uint32*) _TIFFmalloc( bytesNeeded );
++
+     if (!raster)
+     {
+         if (verbose)
+Index: src/common/imagtiff.cpp
+===================================================================
+--- src/common/imagtiff.cpp	(revision 60896)
++++ src/common/imagtiff.cpp	(revision 60897)
+@@ -276,7 +276,7 @@
+ 
+     // guard against integer overflow during multiplication which could result
+     // in allocating a too small buffer and then overflowing it
+-    const double bytesNeeded = w * h * sizeof(uint32);
++    const double bytesNeeded = (double)w * (double)h * sizeof(uint32);
+     if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ )
+     {
+         if ( verbose )