diff --git a/wxGTK-2.8.10-CVE-2009-2369.patch b/wxGTK-2.8.10-CVE-2009-2369.patch new file mode 100644 index 0000000..49a932c --- /dev/null +++ b/wxGTK-2.8.10-CVE-2009-2369.patch @@ -0,0 +1,75 @@ +Index: src/common/imagpng.cpp +=================================================================== +--- src/common/imagpng.cpp (revision 60874) ++++ src/common/imagpng.cpp (revision 60875) +@@ -568,18 +568,16 @@ + if (!image->Ok()) + goto error; + +- lines = (unsigned char **)malloc( (size_t)(height * sizeof(unsigned char *)) ); ++ // initialize all line pointers to NULL to ensure that they can be safely ++ // free()d if an error occurs before all of them could be allocated ++ lines = (unsigned char **)calloc(height, sizeof(unsigned char *)); + if ( !lines ) + goto error; + + for (i = 0; i < height; i++) + { + if ((lines[i] = (unsigned char *)malloc( (size_t)(width * (sizeof(unsigned char) * 4)))) == NULL) +- { +- for ( unsigned int n = 0; n < i; n++ ) +- free( lines[n] ); + goto error; +- } + } + + png_read_image( png_ptr, lines ); +Index: src/common/imagtiff.cpp +=================================================================== +--- src/common/imagtiff.cpp (revision 60875) ++++ src/common/imagtiff.cpp (revision 60876) +@@ -261,7 +261,6 @@ + } + + uint32 w, h; +- uint32 npixels; + uint32 *raster; + + TIFFGetField( tif, TIFFTAG_IMAGEWIDTH, &w ); +@@ -275,10 +274,21 @@ + (samplesInfo[0] == EXTRASAMPLE_ASSOCALPHA || + samplesInfo[0] == EXTRASAMPLE_UNASSALPHA)); + +- npixels = w * h; ++ // guard against integer overflow during multiplication which could result ++ // in allocating a too small buffer and then overflowing it ++ const double bytesNeeded = w * h * sizeof(uint32); ++ if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ ) ++ { ++ if ( verbose ) ++ wxLogError( _("TIFF: Image size is abnormally big.") ); + +- raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) ); ++ TIFFClose(tif); + ++ return false; ++ } ++ ++ raster = (uint32*) _TIFFmalloc( bytesNeeded ); ++ + if (!raster) + { + if (verbose) +Index: src/common/imagtiff.cpp +=================================================================== +--- src/common/imagtiff.cpp (revision 60896) ++++ src/common/imagtiff.cpp (revision 60897) +@@ -276,7 +276,7 @@ + + // guard against integer overflow during multiplication which could result + // in allocating a too small buffer and then overflowing it +- const double bytesNeeded = w * h * sizeof(uint32); ++ const double bytesNeeded = (double)w * (double)h * sizeof(uint32); + if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ ) + { + if ( verbose )