
Bug#1003841: buster-pu: package cimg/2.4.5+dfsg-1+deb10u1



Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu

  * CVE-2020-25693: Fix multiple heap buffer overflows.
    (Closes: #973770)

This is a header-only library, so its only user in buster needs
to be rebuilt:
  nmu beads_1.1.18+dfsg-3 . ANY . buster . 'Rebuild with cimg-dev 2.4.5+dfsg-1+deb10u1'
  dw beads_1.1.18+dfsg-3 . ANY . buster . -m 'cimg-dev (>= 2.4.5+dfsg-1+deb10u1)'
diff -Nru cimg-2.4.5+dfsg/debian/changelog cimg-2.4.5+dfsg/debian/changelog
--- cimg-2.4.5+dfsg/debian/changelog	2019-01-30 12:43:23.000000000 +0200
+++ cimg-2.4.5+dfsg/debian/changelog	2022-01-16 16:24:14.000000000 +0200
@@ -1,3 +1,11 @@
+cimg (2.4.5+dfsg-1+deb10u1) buster; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2020-25693: Fix multiple heap buffer overflows.
+    (Closes: #973770)
+
+ -- Adrian Bunk <bunk@debian.org>  Sun, 16 Jan 2022 16:24:14 +0200
+
 cimg (2.4.5+dfsg-1) unstable; urgency=medium
 
   [ Jelmer Vernooij ]
diff -Nru cimg-2.4.5+dfsg/debian/patches/0001-Fix-multiple-heap-buffer-overflows.patch cimg-2.4.5+dfsg/debian/patches/0001-Fix-multiple-heap-buffer-overflows.patch
--- cimg-2.4.5+dfsg/debian/patches/0001-Fix-multiple-heap-buffer-overflows.patch	1970-01-01 02:00:00.000000000 +0200
+++ cimg-2.4.5+dfsg/debian/patches/0001-Fix-multiple-heap-buffer-overflows.patch	2022-01-16 16:24:14.000000000 +0200
@@ -0,0 +1,184 @@
+From d21c5afc86536154bacab02decc38ead2c77189f Mon Sep 17 00:00:00 2001
+From: Kai Dietrich <kai.dietrich@meelogic.com>
+Date: Thu, 22 Oct 2020 08:16:07 +0200
+Subject: Fix multiple heap buffer overflows
+
+The size calculation pattern (size_t)size_x*size_y*size_z*size_c can
+overflow the resulting size_t. Especially on 32bit size_t platforms this
+is trivial and can be achieved using a simple PNM image, e.g. the
+following ASCII PNM would allocate only 6 byte and result in a trivial
+arbitrary heap write:
+P3
+2147483649 2
+255
+255
+255
+255
+255
+255
+255
+255
+255
+255
+255
+255
+255
+255
+255
+...
+---
+ CImg.h | 47 ++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 34 insertions(+), 13 deletions(-)
+
+diff --git a/CImg.h b/CImg.h
+index 20f1fc6..62be2ce 100644
+--- a/CImg.h
++++ b/CImg.h
+@@ -11459,6 +11459,27 @@ namespace cimg_library_suffixed {
+     **/
+     CImg():_width(0),_height(0),_depth(0),_spectrum(0),_is_shared(false),_data(0) {}
+ 
++    size_t _safe_size(const unsigned int size_x, const unsigned int size_y,
++                      const unsigned int size_z, const unsigned int size_c) const
++    {
++        const unsigned int dim[4] = {size_x, size_y, size_z, size_c};
++        size_t size = 1;
++        int overflows = 0;
++        for (int d = 0; d < sizeof(dim)/sizeof(dim[0]); d++) {
++            if (dim[d]>1 && size*dim[d] <= size) { overflows++; }
++            size *= dim[d];
++        }
++        if (sizeof(T)>1 && size*sizeof(T) <= size) { overflows++; }
++        if (overflows != 0) {
++            throw CImgArgumentException(_cimg_instance
++                "_safe_size(): Invalid size - size_t overflow"
++                "(%u,%u,%u,%u).",
++                cimg_instance,
++                size_x, size_y, size_z, size_c);
++        }
++        return size;
++    }
++
+     //! Construct image with specified size.
+     /**
+        \param size_x Image width().
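Review bot: The overflow test in `_safe_size()`, `size*dim[d] <= size`, is not a reliable wrap detector, and it also rejects valid empty images. A wrapped product can still land above the previous value (constructed example: with a 32-bit size_t, 65536 × 65538 wraps to 131072 and is returned as a valid size), while any zero extent leaves `size` at 0, so a later extent above 1, or the `sizeof(T)>1` check, sees `0 <= 0` and throws where the old code returned 0. Dividing the maximum size_t by the next factor before multiplying is exact, and returning 0 as soon as an extent is zero keeps the empty-image path that `if (siz)` and `if (!siz) return assign();` in the later hunks rely on. The loop index is also a signed `int` compared against an unsigned `sizeof` expression, and the exception message lacks a space before `(%u,…`.

```cpp
size_t _safe_size(const unsigned int size_x, const unsigned int size_y,
                  const unsigned int size_z, const unsigned int size_c) const
{
    const unsigned int dim[4] = {size_x, size_y, size_z, size_c};
    const size_t max_size = ~(size_t)0;
    size_t size = 1;
    bool overflow = false;
    for (unsigned int d = 0; d < sizeof(dim)/sizeof(dim[0]); ++d) {
        // A zero extent means an empty image: valid, and it cannot overflow.
        if (!dim[d]) return 0;
        // Division-based test is exact; a wrapped product can exceed the old value.
        if (size > max_size/dim[d]) { overflow = true; break; }
        size *= dim[d];
    }
    // The byte count handed to the allocator must fit in size_t as well.
    if (!overflow && size > max_size/sizeof(T)) overflow = true;
    if (overflow) {
        // … unchanged: throw CImgArgumentException with the four extents …
    }
    return size;
}
```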
+@@ -11485,7 +11506,7 @@ namespace cimg_library_suffixed {
+     explicit CImg(const unsigned int size_x, const unsigned int size_y=1,
+                   const unsigned int size_z=1, const unsigned int size_c=1):
+       _is_shared(false) {
+-      size_t siz = (size_t)size_x*size_y*size_z*size_c;
++      size_t siz = _safe_size(size_x,size_y,size_z,size_c);
+       if (siz) {
+         _width = size_x; _height = size_y; _depth = size_z; _spectrum = size_c;
+         try { _data = new T[siz]; } catch (...) {
+@@ -11517,7 +11538,7 @@ namespace cimg_library_suffixed {
+     CImg(const unsigned int size_x, const unsigned int size_y,
+          const unsigned int size_z, const unsigned int size_c, const T& value):
+       _is_shared(false) {
+-      const size_t siz = (size_t)size_x*size_y*size_z*size_c;
++      const size_t siz = _safe_size(size_x,size_y,size_z,size_c);
+       if (siz) {
+         _width = size_x; _height = size_y; _depth = size_z; _spectrum = size_c;
+         try { _data = new T[siz]; } catch (...) {
+@@ -11578,7 +11599,7 @@ namespace cimg_library_suffixed {
+ 	} \
+       }
+       assign(size_x,size_y,size_z,size_c);
+-      _CImg_stdarg(*this,value0,value1,(size_t)size_x*size_y*size_z*size_c,int);
++      _CImg_stdarg(*this,value0,value1,_safe_size(size_x,size_y,size_z,size_c),int);
+     }
+ 
+ #if cimg_use_cpp11==1
+@@ -11707,7 +11728,7 @@ namespace cimg_library_suffixed {
+          const double value0, const double value1, ...):
+       _width(0),_height(0),_depth(0),_spectrum(0),_is_shared(false),_data(0) {
+       assign(size_x,size_y,size_z,size_c);
+-      _CImg_stdarg(*this,value0,value1,(size_t)size_x*size_y*size_z*size_c,double);
++      _CImg_stdarg(*this,value0,value1,_safe_size(size_x,size_y,size_z,size_c),double);
+     }
+ 
+     //! Construct image with specified size and initialize pixel values from a value string.
+@@ -11742,7 +11763,7 @@ namespace cimg_library_suffixed {
+      **/
+     CImg(const unsigned int size_x, const unsigned int size_y, const unsigned int size_z, const unsigned int size_c,
+ 	 const char *const values, const bool repeat_values):_is_shared(false) {
+-      const size_t siz = (size_t)size_x*size_y*size_z*size_c;
++      const size_t siz = _safe_size(size_x,size_y,size_z,size_c);
+       if (siz) {
+         _width = size_x; _height = size_y; _depth = size_z; _spectrum = size_c;
+         try { _data = new T[siz]; } catch (...) {
+@@ -11798,7 +11819,7 @@ namespace cimg_library_suffixed {
+                                     cimg_instance,
+                                     size_x,size_y,size_z,size_c,CImg<t>::pixel_type());
+       }
+-      const size_t siz = (size_t)size_x*size_y*size_z*size_c;
++      const size_t siz = _safe_size(size_x,size_y,size_z,size_c);
+       if (values && siz) {
+         _width = size_x; _height = size_y; _depth = size_z; _spectrum = size_c;
+         try { _data = new T[siz]; } catch (...) {
+@@ -11817,7 +11838,7 @@ namespace cimg_library_suffixed {
+     //! Construct image with specified size and initialize pixel values from a memory buffer \specialization.
+     CImg(const T *const values, const unsigned int size_x, const unsigned int size_y=1,
+          const unsigned int size_z=1, const unsigned int size_c=1, const bool is_shared=false) {
+-      const size_t siz = (size_t)size_x*size_y*size_z*size_c;
++      const size_t siz = _safe_size(size_x,size_y,size_z,size_c);
+       if (values && siz) {
+         _width = size_x; _height = size_y; _depth = size_z; _spectrum = size_c; _is_shared = is_shared;
+         if (_is_shared) _data = const_cast<T*>(values);
+@@ -12063,7 +12084,7 @@ namespace cimg_library_suffixed {
+     **/
+     CImg<T>& assign(const unsigned int size_x, const unsigned int size_y=1,
+                     const unsigned int size_z=1, const unsigned int size_c=1) {
+-      const size_t siz = (size_t)size_x*size_y*size_z*size_c;
++      const size_t siz = _safe_size(size_x,size_y,size_z,size_c);
+       if (!siz) return assign();
+       const size_t curr_siz = (size_t)size();
+       if (siz!=curr_siz) {
+@@ -12106,7 +12127,7 @@ namespace cimg_library_suffixed {
+                     const unsigned int size_z, const unsigned int size_c,
+                     const int value0, const int value1, ...) {
+       assign(size_x,size_y,size_z,size_c);
+-      _CImg_stdarg(*this,value0,value1,(size_t)size_x*size_y*size_z*size_c,int);
++      _CImg_stdarg(*this,value0,value1,_safe_size(size_x,size_y,size_z,size_c),int);
+       return *this;
+     }
+ 
+@@ -12118,7 +12139,7 @@ namespace cimg_library_suffixed {
+                     const unsigned int size_z, const unsigned int size_c,
+                     const double value0, const double value1, ...) {
+       assign(size_x,size_y,size_z,size_c);
+-      _CImg_stdarg(*this,value0,value1,(size_t)size_x*size_y*size_z*size_c,double);
++      _CImg_stdarg(*this,value0,value1,_safe_size(size_x,size_y,size_z,size_c),double);
+       return *this;
+     }
+ 
+@@ -12139,7 +12160,7 @@ namespace cimg_library_suffixed {
+     template<typename t>
+     CImg<T>& assign(const t *const values, const unsigned int size_x, const unsigned int size_y=1,
+                     const unsigned int size_z=1, const unsigned int size_c=1) {
+-      const size_t siz = (size_t)size_x*size_y*size_z*size_c;
++      const size_t siz = _safe_size(size_x,size_y,size_z,size_c);
+       if (!values || !siz) return assign();
+       assign(size_x,size_y,size_z,size_c);
+       const t *ptrs = values; cimg_for(*this,ptrd,T) *ptrd = (T)*(ptrs++);
+@@ -12149,7 +12170,7 @@ namespace cimg_library_suffixed {
+     //! Construct image with specified size and initialize pixel values from a memory buffer \specialization.
+     CImg<T>& assign(const T *const values, const unsigned int size_x, const unsigned int size_y=1,
+                     const unsigned int size_z=1, const unsigned int size_c=1) {
+-      const size_t siz = (size_t)size_x*size_y*size_z*size_c;
++      const size_t siz = _safe_size(size_x,size_y,size_z,size_c);
+       if (!values || !siz) return assign();
+       const size_t curr_siz = (size_t)size();
+       if (values==_data && siz==curr_siz) return assign(size_x,size_y,size_z,size_c);
+@@ -12189,7 +12210,7 @@ namespace cimg_library_suffixed {
+     //! Construct image with specified size and initialize pixel values from a memory buffer \overloading.
+     CImg<T>& assign(const T *const values, const unsigned int size_x, const unsigned int size_y,
+                     const unsigned int size_z, const unsigned int size_c, const bool is_shared) {
+-      const size_t siz = (size_t)size_x*size_y*size_z*size_c;
++      const size_t siz = _safe_size(size_x,size_y,size_z,size_c);
+       if (!values || !siz) return assign();
+       if (!is_shared) { if (_is_shared) assign(); assign(values,size_x,size_y,size_z,size_c); }
+       else {
+-- 
+2.20.1
+
diff -Nru cimg-2.4.5+dfsg/debian/patches/series cimg-2.4.5+dfsg/debian/patches/series
--- cimg-2.4.5+dfsg/debian/patches/series	2019-01-30 12:43:23.000000000 +0200
+++ cimg-2.4.5+dfsg/debian/patches/series	2022-01-16 16:24:14.000000000 +0200
@@ -1,2 +1,3 @@
 30_do_not_build_minc2_examples.patch
 # fix_privacy_breach.patch
+0001-Fix-multiple-heap-buffer-overflows.patch
