Bug#781542: pu: package hp2xx/3.4.4-8
Adam,
On Tue, Mar 31, 2015 at 07:44:37AM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On 2015-03-30 20:17, Christian T. Steigies wrote:
> >I received a report for crashes in hp2xx which were found with American
> >fuzzy lop (afl). For unstable I already uploaded -10 with the
> >following
> >patch. It should apply to the version in stable as well since nothing
> >changed in the code in between. Please advise how to proceed.
>
> The patches look okay, thanks.
>
> Before we confirm the upload, please could you provide a full source
> debdiff for a package (versioned as 3.4.4-8+deb7u1) which has been
> built against and tested on wheezy.
I have built this in a stable chroot on barriere.debian.org and tested at
home on a wheezy system. The debdiff (includes only the patch and a
changelog entry) is attached. The (unsigned) files still lie in my homedir
on barriere, but I can also put signed files there, or upload from home.
Or will you perform the upload?
thanks,
Christian
diff -Nru hp2xx-3.4.4/debian/changelog hp2xx-3.4.4/debian/changelog
--- hp2xx-3.4.4/debian/changelog 2015-03-31 10:26:15.000000000 +0000
+++ hp2xx-3.4.4/debian/changelog 2015-03-31 10:26:15.000000000 +0000
@@ -1,3 +1,9 @@
+hp2xx (3.4.4-8+deb7u1) stable; urgency=high
+
+ * include patch by Martin Kroeker to fix crashes found by Jodie Cunningham
+
+ -- Christian T. Steigies <cts@debian.org> Mon, 30 Mar 2015 21:08:51 +0200
+
hp2xx (3.4.4-8) unstable; urgency=low
* build-Depend on libjpeg-dev, not libjpeg62-dev (closes: #634029)
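Review bot: The new 3.4.4-8+deb7u1 changelog entry says only that a patch fixes crashes; it names neither the patch file nor what is affected, and it carries no bug reference, whereas the 3.4.4-8 entry below uses a closes: tag. Suggest naming debian/patches/006_afl.diff and the three touched sources (hpgl.c, lindef.c, picbuf.c), and adding the bug number if one exists for the crash report.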
diff -Nru hp2xx-3.4.4/debian/patches/006_afl.diff hp2xx-3.4.4/debian/patches/006_afl.diff
--- hp2xx-3.4.4/debian/patches/006_afl.diff 1970-01-01 00:00:00.000000000 +0000
+++ hp2xx-3.4.4/debian/patches/006_afl.diff 2015-03-31 10:26:15.000000000 +0000
@@ -0,0 +1,63 @@
+diff -uwr hp2xx-3.4.4a/sources/hpgl.c hp2xx-3.4.4afl//sources/hpgl.c
+--- hp2xx-3.4.4a/sources/hpgl.c 2003-06-21 19:54:45.000000000 +0200
++++ hp2xx-3.4.4afl//sources/hpgl.c 2015-03-28 16:01:10.000000000 +0100
+@@ -1297,9 +1297,14 @@
+ ** EOF if EOF met
+ **/
+ {
+- int c;
++ volatile int c; /* Keep compilers from optimizing out the initial EOF check */
++ int i;
+ char *ptr, numbuf[80];
+
++ c = getc(hd);
++ if (c == EOF) return EOF;
++ ungetc (c, hd);
++
+ for (c = getc(hd);
+ (c != '.') && (c != '+') && (c != '-') && ((c < '0')
+ || (c > '9'));
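Review bot: The `volatile` on `c` at the top of this hunk should not be needed: getc() is an I/O call and a conforming compiler cannot drop the `if (c == EOF) return EOF;` test, so the qualifier hides whatever actually went wrong rather than fixing it. The added pre-check also covers EOF only on the first character, and the skip loop's condition shown here has no EOF term, so it depends on the loop body (not visible in this hunk) to stop at EOF later in the stream. Suggest dropping `volatile`, or naming the compiler and flags that misbehaved, and handling EOF in one place.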
+@@ -1316,9 +1321,13 @@
+ }
+ /* Number found: Get it */
+ ptr = numbuf;
++ i = 0;
+ for (*ptr++ = c, c = getc(hd);
+- ((c >= '0') && (c <= '9')) || (c == '.'); c = getc(hd))
++ ((c >= '0') && (c <= '9')) || (c == '.') || (c == '\n'); c = getc(hd))
++ if (c != '\n') {
+ *ptr++ = c; /* Read number */
++ i++; if (i == 79) break; /* until buffer full */
++ }
+ *ptr = '\0';
+ if (c != EOF)
+ ungetc(c, hd);
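Review bot: The `if (i == 79) break;` limit is one too high for `numbuf[80]`: the for initializer already stores the first character in numbuf[0], the loop can then store 79 more in numbuf[1] through numbuf[79], and `*ptr = '\0'` lands on numbuf[80], one byte past the array. Suggest bounding on the pointer instead, for example stopping once `ptr == numbuf + sizeof(numbuf) - 1`. On that break path `c` still holds the character just stored, so the following `ungetc(c, hd)` pushes an already-consumed digit back and it will be parsed again. Accepting '\n' in the loop condition also silently joins digits across a line break, which deserves a comment if it is intended.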
+diff -uwr hp2xx-3.4.4a/sources/lindef.c hp2xx-3.4.4afl//sources/lindef.c
+--- hp2xx-3.4.4a/sources/lindef.c 2003-06-21 17:31:51.000000000 +0200
++++ hp2xx-3.4.4afl//sources/lindef.c 2015-03-28 15:55:29.000000000 +0100
+@@ -92,6 +92,11 @@
+ return;
+ } else {
+ index = (int) tmp;
++ if (index > LT_MAX || index < -LT_MAX) {
++ if (!silent_mode)
++ fprintf(stderr,"UL command for invalid linetype %d ignored\n",index);
++ return;
++ }
+ }
+
+ pos_index = index - LT_MIN;
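Review bot: The lower bound in the added check is `-LT_MAX`, but the very next statement computes `pos_index = index - LT_MIN`, so the check only protects that subtraction if LT_MIN equals -LT_MAX, which these lines do not show. Suggest testing `index < LT_MIN || index > LT_MAX` so the guard matches the value actually used in the offset. The range test also runs after `index = (int) tmp`; checking `tmp` before the cast would avoid converting an out-of-range value.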
+diff -uwr hp2xx-3.4.4a/sources/picbuf.c hp2xx-3.4.4afl//sources/picbuf.c
+--- hp2xx-3.4.4a/sources/picbuf.c 2003-06-21 17:31:51.000000000 +0200
++++ hp2xx-3.4.4afl//sources/picbuf.c 2015-03-28 15:55:29.000000000 +0100
+@@ -340,6 +340,10 @@
+ return NULL;
+ }
+
++ if (n_rows <= 0 || n_cols <= 0) {
++ Eprintf("Invalid image dimensions: %d x %d\n",n_rows,n_cols);
++ return NULL;
++ }
+ pb->nr = n_rows;
+ pb->nc = n_cols;
+ pb->sd = NULL;
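Review bot: The new `n_rows <= 0 || n_cols <= 0` check sits after the earlier `return NULL;` block and immediately before `pb->nr` is written, so `pb` looks to be already allocated at this point and the added `return NULL;` would leak it. Suggest validating the dimensions at the top of the function before anything is allocated, or freeing `pb` on this path. The check sets only a lower bound; if rows and columns are later multiplied to size a buffer, an upper bound or overflow check belongs here too.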