Hello dear maintainer(s), the Debian LTS team would like to fix the security issues which are currently open in the Squeeze version of gtk+2.0 and relate to gdk-pixbuf: https://security-tracker.debian.org/tracker/source-package/gtk+2.0 A user have noticed me about these issues, originally filed against, and I have already prepared a package (debdiff attached), backporting the patches from wheezy's gdk-pixbuf. Could you please take a look on it? Would you like to finish the upload and prepared the DLA or do you want me to go ahead? Cheers, Santiago
diff -u gtk+2.0-2.20.1/debian/changelog gtk+2.0-2.20.1/debian/changelog
--- gtk+2.0-2.20.1/debian/changelog
+++ gtk+2.0-2.20.1/debian/changelog
@@ -1,3 +1,16 @@
+gtk+2.0 (2.20.1-2+deb6u2) squeeze-lts; urgency=medium
+
+ * Non-maintainer upload by the Squeeze LTS Team.
+ * Fix CVE-2015-4491: Integer overflow in gdk-pixbuf's pixops/pixops.c
+ allowed to execute arbitrary code or cause a DoS via crafted bitmaps of
+ specific size.
+ * Fix CVE-2015-7673: io-tga.c in gdk-pixbuf was susceptible to a heap
+ overflow, allowing remote attackers to cause a DoS or execute arbitrary
+ code via a crafted Truevision TGA (TARGA) file.
+ * Fix CVE-2015-7674: Heap overflow in gdk-pixbuf when scaling a GIF file.
+
+ -- Santiago Ruano Rincón <santiagorr@riseup.net> Mon, 22 Feb 2016 21:54:36 +0100
+
gtk+2.0 (2.20.1-2+deb6u1) squeeze-lts; urgency=medium
* Non-maintainer upload by the Debian LTS Team.
diff -u gtk+2.0-2.20.1/debian/patches/series gtk+2.0-2.20.1/debian/patches/series
--- gtk+2.0-2.20.1/debian/patches/series
+++ gtk+2.0-2.20.1/debian/patches/series
@@ -24,0 +25,6 @@
+CVE-2015-4491.patch
+CVE-2015-7673/0003-io-tga-Colormaps-are-always-present-so-always-parse-.patch
+CVE-2015-7673/0002-tga-Wrap-TGAColormap-struct-in-its-own-API.patch
+CVE-2015-7673/0001-pixops-Fail-make_weights-functions-on-OOM.patch
+CVE-2015-7674/0001-pixops-Don-t-overflow-variables-when-shifting-them.patch
+CVE-2015-4491-2.patch
only in patch2:
unchanged:
--- gtk+2.0-2.20.1.orig/debian/patches/CVE-2015-4491-2.patch
+++ gtk+2.0-2.20.1/debian/patches/CVE-2015-4491-2.patch
@@ -0,0 +1,39 @@
+From 8dba67cb4f38d62a47757741ad41e3f245b4a32a Mon Sep 17 00:00:00 2001
+From: Benjamin Otte <otte@redhat.com>
+Date: Mon, 17 Aug 2015 18:52:47 +0200
+Subject: [PATCH] pixops: Fix oversight for CVE-2015-4491
+
+The n_x variable could be made large enough to overflow, too.
+
+Also included are various testcases for this vulnerability:
+- The original exploit (adapted for the testsuite)
+- Causing overflow by making both X and Y variables large
+- Causing overflow using only the X variable
+- Causing overflow using only the Y variable
+
+https://bugzilla.gnome.org/show_bug.cgi?id=752297
+---
+ gdk-pixbuf/pixops/pixops.c | 6 ++-
+ tests/Makefile.am | 7 ++++
+ tests/cve-2015-4491.bmp | Bin 0 -> 82 bytes
+ tests/cve-2015-4491.c | 87 ++++++++++++++++++++++++++++++++++++++++++
+ tests/resources.gresource.xml | 1 +
+ 5 files changed, 100 insertions(+), 1 deletion(-)
+ create mode 100644 tests/cve-2015-4491.bmp
+ create mode 100644 tests/cve-2015-4491.c
+
+--- a/gdk-pixbuf/pixops/pixops.c
++++ b/gdk-pixbuf/pixops/pixops.c
+@@ -1197,7 +1197,11 @@
+ gsize n_weights;
+ int *weights;
+
+- n_weights = SUBSAMPLE * SUBSAMPLE * n_x * n_y;
++ n_weights = SUBSAMPLE * SUBSAMPLE * n_x;
++ if (n_weights / (SUBSAMPLE * SUBSAMPLE) != n_x)
++ return NULL; /* overflow, bail */
++
++ n_weights *= n_y;
+ if (n_weights / (SUBSAMPLE * SUBSAMPLE * n_x) != n_y)
+ return NULL; /* overflow, bail */
+
only in patch2:
unchanged:
--- gtk+2.0-2.20.1.orig/debian/patches/CVE-2015-4491.patch
+++ gtk+2.0-2.20.1/debian/patches/CVE-2015-4491.patch
@@ -0,0 +1,77 @@
+From ffec86ed5010c5a2be14f47b33bcf4ed3169a199 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Mon, 13 Jul 2015 00:33:40 -0400
+Subject: pixops: Be more careful about integer overflow
+
+Our loader code is supposed to handle out-of-memory and overflow
+situations gracefully, reporting errors instead of aborting. But
+if you load an image at a specific size, we also execute our
+scaling code, which was not careful enough about overflow in some
+places.
+
+This commit makes the scaling code silently return if it fails to
+allocate filter tables. This is the best we can do, since
+gdk_pixbuf_scale() is not taking a GError.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=752297
+
+--- a/gdk-pixbuf/pixops/pixops.c
++++ b/gdk-pixbuf/pixops/pixops.c
+@@ -1194,7 +1194,16 @@
+ int i_offset, j_offset;
+ int n_x = filter->x.n;
+ int n_y = filter->y.n;
+- int *weights = g_new (int, SUBSAMPLE * SUBSAMPLE * n_x * n_y);
++ gsize n_weights;
++ int *weights;
++
++ n_weights = SUBSAMPLE * SUBSAMPLE * n_x * n_y;
++ if (n_weights / (SUBSAMPLE * SUBSAMPLE * n_x) != n_y)
++ return NULL; /* overflow, bail */
++
++ weights = g_try_new (int, n_weights);
++ if (!weights)
++ return NULL; /* overflow, bail */
+
+ for (i_offset=0; i_offset < SUBSAMPLE; i_offset++)
+ for (j_offset=0; j_offset < SUBSAMPLE; j_offset++)
+@@ -1269,8 +1278,11 @@
+ if (x_step == 0 || y_step == 0)
+ return; /* overflow, bail out */
+
+- line_bufs = g_new (guchar *, filter->y.n);
+ filter_weights = make_filter_table (filter);
++ if (!filter_weights)
++ return; /* overflow, bail out */
++
++ line_bufs = g_new (guchar *, filter->y.n);
+
+ check_shift = check_size ? get_check_shift (check_size) : 0;
+
+@@ -1390,7 +1402,7 @@
+ double scale)
+ {
+ int n = ceil (1 / scale + 1);
+- double *pixel_weights = g_new (double, SUBSAMPLE * n);
++ double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
+ int offset;
+ int i;
+
+@@ -1448,7 +1460,7 @@
+ }
+
+ dim->n = n;
+- dim->weights = g_new (double, SUBSAMPLE * n);
++ dim->weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
+
+ pixel_weights = dim->weights;
+
+@@ -1539,7 +1551,7 @@
+ double scale)
+ {
+ int n = ceil (1/scale + 3.0);
+- double *pixel_weights = g_new (double, SUBSAMPLE * n);
++ double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
+ double w;
+ int offset, i;
+
only in patch2:
unchanged:
--- gtk+2.0-2.20.1.orig/debian/patches/CVE-2015-7673/0001-pixops-Fail-make_weights-functions-on-OOM.patch
+++ gtk+2.0-2.20.1/debian/patches/CVE-2015-7673/0001-pixops-Fail-make_weights-functions-on-OOM.patch
@@ -0,0 +1,190 @@
+From 19f9685dbff7d1f929c61cf99188df917a18811d Mon Sep 17 00:00:00 2001
+From: Benjamin Otte <otte@redhat.com>
+Date: Sat, 19 Sep 2015 21:24:34 +0200
+Subject: [PATCH] pixops: Fail make_weights functions on OOM
+
+The weights could grow very large under certain circumstances, in
+particular in security-relevant conditions, including the testsuite.
+By allowing the weight allocation to fail, this can be worked around.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=754387
+---
+ gdk-pixbuf/pixops/pixops.c | 75 +++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 55 insertions(+), 20 deletions(-)
+
+--- a/gdk-pixbuf/pixops/pixops.c
++++ b/gdk-pixbuf/pixops/pixops.c
+@@ -1397,15 +1397,19 @@
+ /* Compute weights for reconstruction by replication followed by
+ * sampling with a box filter
+ */
+-static void
++static gboolean
+ tile_make_weights (PixopsFilterDimension *dim,
+ double scale)
+ {
+ int n = ceil (1 / scale + 1);
+- double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
++ double *pixel_weights;
+ int offset;
+ int i;
+
++ pixel_weights = g_try_malloc_n (sizeof (double) * SUBSAMPLE, n);
++ if (pixel_weights == NULL)
++ return FALSE;
++
+ dim->n = n;
+ dim->offset = 0;
+ dim->weights = pixel_weights;
+@@ -1433,13 +1437,15 @@
+ }
+ }
+ }
++
++ return TRUE;
+ }
+
+ /* Compute weights for a filter that, for minification
+ * is the same as 'tiles', and for magnification, is bilinear
+ * reconstruction followed by a sampling with a delta function.
+ */
+-static void
++static gboolean
+ bilinear_magnify_make_weights (PixopsFilterDimension *dim,
+ double scale)
+ {
+@@ -1460,7 +1466,9 @@
+ }
+
+ dim->n = n;
+- dim->weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
++ dim->weights = g_try_malloc_n (sizeof (double) * SUBSAMPLE, n);
++ if (dim->weights == NULL)
++ return FALSE;
+
+ pixel_weights = dim->weights;
+
+@@ -1500,6 +1508,8 @@
+ }
+ }
+ }
++
++ return TRUE;
+ }
+
+ /* Computes the integral from b0 to b1 of
+@@ -1546,15 +1556,19 @@
+ /* Compute weights for reconstructing with bilinear
+ * interpolation, then sampling with a box filter
+ */
+-static void
++static gboolean
+ bilinear_box_make_weights (PixopsFilterDimension *dim,
+ double scale)
+ {
+ int n = ceil (1/scale + 3.0);
+- double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
++ double *pixel_weights;
+ double w;
+ int offset, i;
+
++ pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
++ if (pixel_weights == NULL)
++ return FALSE;
++
+ dim->offset = -1.0;
+ dim->n = n;
+ dim->weights = pixel_weights;
+@@ -1572,9 +1586,11 @@
+ *(pixel_weights++) = w * scale;
+ }
+ }
++
++ return TRUE;
+ }
+
+-static void
++static gboolean
+ make_weights (PixopsFilter *filter,
+ PixopsInterpType interp_type,
+ double scale_x,
+@@ -1583,23 +1599,39 @@
+ switch (interp_type)
+ {
+ case PIXOPS_INTERP_NEAREST:
++ default:
+ g_assert_not_reached ();
+- break;
++ return FALSE;
+
+ case PIXOPS_INTERP_TILES:
+- tile_make_weights (&filter->x, scale_x);
+- tile_make_weights (&filter->y, scale_y);
+- break;
++ if (!tile_make_weights (&filter->x, scale_x))
++ return FALSE;
++ if (!tile_make_weights (&filter->y, scale_y))
++ {
++ g_free (filter->x.weights);
++ return FALSE;
++ }
++ return TRUE;
+
+ case PIXOPS_INTERP_BILINEAR:
+- bilinear_magnify_make_weights (&filter->x, scale_x);
+- bilinear_magnify_make_weights (&filter->y, scale_y);
+- break;
++ if (!bilinear_magnify_make_weights (&filter->x, scale_x))
++ return FALSE;
++ if (!bilinear_magnify_make_weights (&filter->y, scale_y))
++ {
++ g_free (filter->x.weights);
++ return FALSE;
++ }
++ return TRUE;
+
+ case PIXOPS_INTERP_HYPER:
+- bilinear_box_make_weights (&filter->x, scale_x);
+- bilinear_box_make_weights (&filter->y, scale_y);
+- break;
++ if (!bilinear_box_make_weights (&filter->x, scale_x))
++ return FALSE;
++ if (!bilinear_box_make_weights (&filter->y, scale_y))
++ {
++ g_free (filter->x.weights);
++ return FALSE;
++ }
++ return TRUE;
+ }
+ }
+
+@@ -1654,7 +1686,8 @@
+ }
+
+ filter.overall_alpha = overall_alpha / 255.;
+- make_weights (&filter, interp_type, scale_x, scale_y);
++ if (!make_weights (&filter, interp_type, scale_x, scale_y))
++ return;
+
+ #ifdef USE_MMX
+ if (filter.x.n == 2 && filter.y.n == 2 &&
+@@ -1804,7 +1837,8 @@
+ }
+
+ filter.overall_alpha = overall_alpha / 255.;
+- make_weights (&filter, interp_type, scale_x, scale_y);
++ if (!make_weights (&filter, interp_type, scale_x, scale_y))
++ return;
+
+ if (filter.x.n == 2 && filter.y.n == 2 && dest_channels == 4 &&
+ src_channels == 4 && src_has_alpha && !dest_has_alpha)
+@@ -2211,7 +2245,8 @@
+ }
+
+ filter.overall_alpha = 1.0;
+- make_weights (&filter, interp_type, scale_x, scale_y);
++ if (!make_weights (&filter, interp_type, scale_x, scale_y))
++ return;
+
+ if (filter.x.n == 2 && filter.y.n == 2 && dest_channels == 3 && src_channels == 3)
+ {
only in patch2:
unchanged:
--- gtk+2.0-2.20.1.orig/debian/patches/CVE-2015-7673/0002-tga-Wrap-TGAColormap-struct-in-its-own-API.patch
+++ gtk+2.0-2.20.1/debian/patches/CVE-2015-7673/0002-tga-Wrap-TGAColormap-struct-in-its-own-API.patch
@@ -0,0 +1,227 @@
+From edf6fb8d856574bc3bb3a703037f56533229267c Mon Sep 17 00:00:00 2001
+From: Benjamin Otte <otte@redhat.com>
+Date: Sun, 20 Sep 2015 00:22:42 +0200
+Subject: [PATCH] tga: Wrap TGAColormap struct in its own API
+
+Instead of poking into it directly.
+---
+ gdk-pixbuf/io-tga.c | 124 ++++++++++++++++++++++++++++++++++------------------
+ 1 file changed, 82 insertions(+), 42 deletions(-)
+
+--- a/gdk-pixbuf/io-tga.c
++++ b/gdk-pixbuf/io-tga.c
+@@ -66,8 +66,8 @@
+ typedef struct _TGAHeader TGAHeader;
+ typedef struct _TGAFooter TGAFooter;
+
+-typedef struct _TGAColormap TGAColormap;
+ typedef struct _TGAColor TGAColor;
++typedef struct _TGAColormap TGAColormap;
+
+ typedef struct _TGAContext TGAContext;
+
+@@ -104,15 +104,15 @@
+ } sig;
+ };
+
+-struct _TGAColormap {
+- gint size;
+- TGAColor *cols;
+-};
+-
+ struct _TGAColor {
+ guchar r, g, b, a;
+ };
+
++struct _TGAColormap {
++ guint n_colors;
++ TGAColor colors[1];
++};
++
+ struct _TGAContext {
+ TGAHeader *hdr;
+ guint rowstride;
+@@ -237,6 +237,51 @@
+ g_free(pixels);
+ }
+
++static TGAColormap *
++colormap_new (guint n_colors)
++{
++ TGAColormap *cmap;
++
++ g_assert (n_colors <= G_MAXUINT16);
++
++ cmap = g_try_malloc0 (sizeof (TGAColormap) + (MAX (n_colors, 1) - 1) * sizeof (TGAColor));
++ if (cmap == NULL)
++ return NULL;
++
++ cmap->n_colors = n_colors;
++
++ return cmap;
++}
++
++static const TGAColor *
++colormap_get_color (TGAColormap *cmap,
++ guint id)
++{
++ static const TGAColor transparent_black = { 0, 0, 0, 0 };
++
++ if (id >= cmap->n_colors)
++ return &transparent_black;
++
++ return &cmap->colors[id];
++}
++
++static void
++colormap_set_color (TGAColormap *cmap,
++ guint id,
++ const TGAColor *color)
++{
++ if (id >= cmap->n_colors)
++ return;
++
++ cmap->colors[id] = *color;
++}
++
++static void
++colormap_free (TGAColormap *cmap)
++{
++ g_free (cmap);
++}
++
+ static GdkPixbuf *get_contiguous_pixbuf (guint width,
+ guint height,
+ gboolean has_alpha)
+@@ -371,11 +416,12 @@
+ guchar *p = ctx->pptr;
+
+ for (; upper_bound; upper_bound--, s++) {
+- *p++ = ctx->cmap->cols[*s].r;
+- *p++ = ctx->cmap->cols[*s].g;
+- *p++ = ctx->cmap->cols[*s].b;
++ const TGAColor *color = colormap_get_color (ctx->cmap, *s);
++ *p++ = color->r;
++ *p++ = color->g;
++ *p++ = color->b;
+ if (ctx->hdr->cmap_bpp == 32)
+- *p++ = ctx->cmap->cols[*s].a;
++ *p++ = color->a;
+ }
+ }
+
+@@ -442,7 +488,7 @@
+ return TRUE;
+ }
+
+-static void write_rle_data(TGAContext *ctx, TGAColor *color, guint *rle_count)
++static void write_rle_data(TGAContext *ctx, const TGAColor *color, guint *rle_count)
+ {
+ for (; *rle_count; (*rle_count)--) {
+ g_memmove(ctx->pptr, (guchar *) color, ctx->pbuf->n_channels);
+@@ -470,7 +516,7 @@
+ return --n;
+ } else {
+ rle_num = (tag & 0x7f) + 1;
+- write_rle_data(ctx, &ctx->cmap->cols[*s], &rle_num);
++ write_rle_data(ctx, colormap_get_color (ctx->cmap, *s), &rle_num);
+ s++, n++;
+ if (ctx->pbuf_bytes_done == ctx->pbuf_bytes) {
+ ctx->done = TRUE;
+@@ -483,14 +529,12 @@
+ return --n;
+ } else {
+ for (; raw_num; raw_num--) {
+- *ctx->pptr++ =
+- ctx->cmap->cols[*s].r;
+- *ctx->pptr++ =
+- ctx->cmap->cols[*s].g;
+- *ctx->pptr++ =
+- ctx->cmap->cols[*s].b;
++ const TGAColor *color = colormap_get_color (ctx->cmap, *s);
++ *ctx->pptr++ = color->r;
++ *ctx->pptr++ = color->g;
++ *ctx->pptr++ = color->b;
+ if (ctx->pbuf->n_channels == 4)
+- *ctx->pptr++ = ctx->cmap->cols[*s].a;
++ *ctx->pptr++ = color->a;
+ s++, n++;
+ ctx->pbuf_bytes_done += ctx->pbuf->n_channels;
+ if (ctx->pbuf_bytes_done == ctx->pbuf_bytes) {
+@@ -674,46 +718,44 @@
+
+ static gboolean try_colormap(TGAContext *ctx, GError **err)
+ {
+- static guchar *p;
+- static guint n;
++ TGAColor color;
++ guchar *p;
++ guint i, n_colors;
+
+ g_return_val_if_fail(ctx != NULL, FALSE);
+
+- ctx->cmap = g_try_malloc(sizeof(TGAColormap));
++ n_colors = LE16(ctx->hdr->cmap_n_colors);
++ ctx->cmap = colormap_new (n_colors);
+ if (!ctx->cmap) {
+ g_set_error_literal(err, GDK_PIXBUF_ERROR, GDK_PIXBUF_ERROR_INSUFFICIENT_MEMORY,
+- _("Cannot allocate colormap structure"));
+- return FALSE;
+- }
+- ctx->cmap->size = LE16(ctx->hdr->cmap_n_colors);
+- ctx->cmap->cols = g_try_malloc(sizeof(TGAColor) * ctx->cmap->size);
+- if (!ctx->cmap->cols) {
+- g_set_error_literal(err, GDK_PIXBUF_ERROR, GDK_PIXBUF_ERROR_INSUFFICIENT_MEMORY,
+- _("Cannot allocate colormap entries"));
++ _("Cannot allocate colormap"));
+ return FALSE;
+ }
+
+ p = ctx->in->data;
+- for (n = 0; n < ctx->cmap->size; n++) {
++ color.a = 255;
++
++ for (i = 0; i < n_colors; i++) {
+ if ((ctx->hdr->cmap_bpp == 15) || (ctx->hdr->cmap_bpp == 16)) {
+ guint16 col = p[0] + (p[1] << 8);
+- ctx->cmap->cols[n].b = (col >> 7) & 0xf8;
+- ctx->cmap->cols[n].g = (col >> 2) & 0xf8;
+- ctx->cmap->cols[n].r = col << 3;
++ color.b = (col >> 7) & 0xf8;
++ color.g = (col >> 2) & 0xf8;
++ color.r = col << 3;
+ p += 2;
+ }
+ else if ((ctx->hdr->cmap_bpp == 24) || (ctx->hdr->cmap_bpp == 32)) {
+- ctx->cmap->cols[n].b = *p++;
+- ctx->cmap->cols[n].g = *p++;
+- ctx->cmap->cols[n].r = *p++;
++ color.b = *p++;
++ color.g = *p++;
++ color.r = *p++;
+ if (ctx->hdr->cmap_bpp == 32)
+- ctx->cmap->cols[n].a = *p++;
++ color.a = *p++;
+ } else {
+ g_set_error_literal(err, GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Unexpected bitdepth for colormap entries"));
+ return FALSE;
+ }
++ colormap_set_color (ctx->cmap, i, &color);
+ }
+ ctx->in = io_buffer_free_segment(ctx->in, ctx->cmap_size, err);
+ if (!ctx->in)
+@@ -944,10 +986,8 @@
+ ctx->udata);
+ }
+ g_free (ctx->hdr);
+- if (ctx->cmap) {
+- g_free (ctx->cmap->cols);
+- g_free (ctx->cmap);
+- }
++ if (ctx->cmap)
++ colormap_free (ctx->cmap);
+ if (ctx->pbuf)
+ g_object_unref (ctx->pbuf);
+ if (ctx->in && ctx->in->size)
only in patch2:
unchanged:
--- gtk+2.0-2.20.1.orig/debian/patches/CVE-2015-7673/0003-io-tga-Colormaps-are-always-present-so-always-parse-.patch
+++ gtk+2.0-2.20.1/debian/patches/CVE-2015-7673/0003-io-tga-Colormaps-are-always-present-so-always-parse-.patch
@@ -0,0 +1,48 @@
+From 6ddca835100107e6b5841ce9d56074f6d98c387e Mon Sep 17 00:00:00 2001
+From: Benjamin Otte <otte@redhat.com>
+Date: Sun, 20 Sep 2015 00:29:59 +0200
+Subject: [PATCH] io-tga: Colormaps are always present, so always parse them.
+
+We might end up with a colormap with 0 entries, but whatever, it's a
+colormap.
+---
+ gdk-pixbuf/io-tga.c | 14 +++-----------
+ 1 file changed, 3 insertions(+), 11 deletions(-)
+
+--- a/gdk-pixbuf/io-tga.c
++++ b/gdk-pixbuf/io-tga.c
+@@ -319,9 +319,8 @@
+ || (ctx->hdr->type == TGA_TYPE_RLE_TRUECOLOR)
+ || (ctx->hdr->type == TGA_TYPE_RLE_GRAYSCALE));
+
+- if (ctx->hdr->has_cmap)
+- ctx->cmap_size = ((ctx->hdr->cmap_bpp + 7) >> 3) *
+- LE16(ctx->hdr->cmap_n_colors);
++ ctx->cmap_size = ((ctx->hdr->cmap_bpp + 7) >> 3) *
++ LE16(ctx->hdr->cmap_n_colors);
+
+ alpha = ((ctx->hdr->bpp == 16) ||
+ (ctx->hdr->bpp == 32) ||
+@@ -680,13 +679,6 @@
+
+ g_return_val_if_fail(ctx != NULL, FALSE);
+
+- if (ctx->cmap_size == 0) {
+- g_set_error_literal(err, GDK_PIXBUF_ERROR,
+- GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+- _("Image is corrupted or truncated"));
+- return FALSE;
+- }
+-
+ ctx->cmap = g_try_malloc(sizeof(TGAColormap));
+ if (!ctx->cmap) {
+ g_set_error_literal(err, GDK_PIXBUF_ERROR, GDK_PIXBUF_ERROR_INSUFFICIENT_MEMORY,
+@@ -831,7 +823,7 @@
+ return TRUE;
+ }
+ }
+- if (ctx->hdr->has_cmap && !ctx->cmap) {
++ if (!ctx->cmap) {
+ if (ctx->in->size >= ctx->cmap_size) {
+ if (!try_colormap(ctx, err))
+ return FALSE;
only in patch2:
unchanged:
--- gtk+2.0-2.20.1.orig/debian/patches/CVE-2015-7674/0001-pixops-Don-t-overflow-variables-when-shifting-them.patch
+++ gtk+2.0-2.20.1/debian/patches/CVE-2015-7674/0001-pixops-Don-t-overflow-variables-when-shifting-them.patch
@@ -0,0 +1,30 @@
+From e9a5704edaa9aee9498f1fbf6e1b70fcce2e55aa Mon Sep 17 00:00:00 2001
+From: Benjamin Otte <otte@redhat.com>
+Date: Tue, 22 Sep 2015 22:44:51 +0200
+Subject: [PATCH] pixops: Don't overflow variables when shifting them
+
+If we shift by 16 bits we need to be sure those 16 bits actually exist.
+They do now.
+---
+ gdk-pixbuf/pixops/pixops.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/gdk-pixbuf/pixops/pixops.c
++++ b/gdk-pixbuf/pixops/pixops.c
+@@ -266,11 +266,11 @@
+ double scale_x,
+ double scale_y)
+ {
+- int i;
+- int x;
+- int x_step = (1 << SCALE_SHIFT) / scale_x;
+- int y_step = (1 << SCALE_SHIFT) / scale_y;
+- int xmax, xstart, xstop, x_pos, y_pos;
++ gint64 i;
++ gint64 x;
++ gint64 x_step = (1 << SCALE_SHIFT) / scale_x;
++ gint64 y_step = (1 << SCALE_SHIFT) / scale_y;
++ gint64 xmax, xstart, xstop, x_pos, y_pos;
+ const guchar *p;
+
+ #define INNER_LOOP(SRC_CHANNELS,DEST_CHANNELS,ASSIGN_PIXEL) \
Attachment:
signature.asc
Description: Digital signature