File gdk-pixbuf-2-32-overflow-fixes.patch of Package gdk-pixbuf

Overview Repositories Revisions Requests Users Attributes Meta

File gdk-pixbuf-2-32-overflow-fixes.patch of Package gdk-pixbuf

From 3df91dc6c6f8d1421e9c8756959280de792af77a Mon Sep 17 00:00:00 2001
From: Benjamin Otte <otte@redhat.com>
Date: Sat, 22 Aug 2015 17:57:23 +0200
Subject: [PATCH] pixops: Chane variable type

n_weights is used to do overflow checks. So by reducing the size to 32
bits signed we overflow earlier. This is necessary because further down
the code lots of code uses int variables to iterate over this variable
and we don't want those to overflow.

The correct fix would be to make all those variables gsize too, but
that's way more invasive and requires different checks in different
places so I'm not gonna do that now.
And as long as scale factors are not expected to reach G_MAXINT it's not
really necessary to do this change anyway.

https://bugzilla.gnome.org/show_bug.cgi?id=753908
---
 gdk-pixbuf/pixops/pixops.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c
index 7f2cbff..b7951c7 100644
--- a/gdk-pixbuf/pixops/pixops.c
+++ b/gdk-pixbuf/pixops/pixops.c
@@ -1272,7 +1272,7 @@ make_filter_table (PixopsFilter *filter)
   int i_offset, j_offset;
   int n_x = filter->x.n;
   int n_y = filter->y.n;
-  gsize n_weights;
+  int n_weights;
   int *weights;
 
   n_weights = SUBSAMPLE * SUBSAMPLE * n_x;
-- 
2.6.2

From dd4b061c27dc0865c8f8987d294de6e04b321c18 Mon Sep 17 00:00:00 2001
From: Benjamin Otte <otte@redhat.com>
Date: Sat, 22 Aug 2015 23:06:23 +0200
Subject: [PATCH] pixops: Be smarter than gcc's optimizer

gcc realizes that the overflow checks aren't necessary. Why not?

Well, if an int overflows, the behavior is undefined. And turning on
-fomit-instructions is valid behavior in an undefined situation.
---
 gdk-pixbuf/pixops/pixops.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c
index b7951c7..5564a40 100644
--- a/gdk-pixbuf/pixops/pixops.c
+++ b/gdk-pixbuf/pixops/pixops.c
@@ -1272,18 +1272,17 @@ make_filter_table (PixopsFilter *filter)
   int i_offset, j_offset;
   int n_x = filter->x.n;
   int n_y = filter->y.n;
-  int n_weights;
   int *weights;
 
-  n_weights = SUBSAMPLE * SUBSAMPLE * n_x;
-  if (n_weights / (SUBSAMPLE * SUBSAMPLE) != n_x)
-    return NULL; /* overflow, bail */
+  /* check n_x doesn't overflow */
+  if (G_MAXINT / (SUBSAMPLE * SUBSAMPLE) < n_x)
+    return NULL;
 
-  n_weights *= n_y;
-  if (n_weights / (SUBSAMPLE * SUBSAMPLE * n_x) != n_y)
-    return NULL; /* overflow, bail */
+  /* check n_y doesn't overflow */
+  if (G_MAXINT / (SUBSAMPLE * SUBSAMPLE * n_x) < n_y)
+    return NULL;
 
-  weights = g_try_new (int, n_weights);
+  weights = g_try_new (int, SUBSAMPLE * SUBSAMPLE * n_x * n_y);
   if (!weights)
     return NULL; /* overflow, bail */
 
-- 
2.6.2

From 8714ab407c54d5989d15a78eb15550c2d52d95b8 Mon Sep 17 00:00:00 2001
From: Matthias Clasen <mclasen@redhat.com>
Date: Mon, 24 Aug 2015 14:13:37 -0400
Subject: [PATCH] png: Fix some integer overflows

The png loader was not careful enough in some places. Width * height
can overflow an integer.

This should fix http://bugzilla.gnome.org/734556.

Rebased by Mike Gorse <mgorse@suse.com>
---
 gdk-pixbuf/io-png.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/gdk-pixbuf/io-png.c b/gdk-pixbuf/io-png.c
index 3336b1e..5690875 100644
--- a/gdk-pixbuf/io-png.c
+++ b/gdk-pixbuf/io-png.c
@@ -262,6 +262,7 @@ gdk_pixbuf__png_image_load (FILE *f, GEr
         png_uint_32 icc_profile_size;
         guint32 retval;
         gint compression_type;
+        gpointer ptr;
 
 #ifdef PNG_USER_MEM_SUPPORTED
 	png_ptr = png_create_read_struct_2 (PNG_LIBPNG_VER_STRING,
@@ -321,8 +322,8 @@ gdk_pixbuf__png_image_load (FILE *f, GEr
 
 	rows = g_new (png_bytep, h);
 
-	for (i = 0; i < h; i++)
-		rows[i] = pixbuf->pixels + i * pixbuf->rowstride;
+        for (i = 0, ptr = pixbuf->pixels; i < h; i++, ptr += pixbuf->rowstride)
+		rows[i] = ptr;
 
 	png_read_image (png_ptr, rows);
         png_read_end (png_ptr, info_ptr);
@@ -703,6 +704,7 @@ png_row_callback   (png_structp png_read
 {
         LoadContext* lc;
         guchar* old_row = NULL;
+        gsize rowstride;
 
         lc = png_get_progressive_ptr(png_read_ptr);
 
@@ -728,8 +730,9 @@ png_row_callback   (png_structp png_read
         lc->max_row_seen_in_chunk = MAX(lc->max_row_seen_in_chunk, ((gint)row_num));
         lc->last_row_seen_in_chunk = row_num;
         lc->last_pass_seen_in_chunk = pass_num;
-        
-        old_row = lc->pixbuf->pixels + (row_num * lc->pixbuf->rowstride);
+
+        rowstride = lc->pixbuf->rowstride;
+        old_row = lc->pixbuf->pixels + (row_num * rowstride);
 
         png_progressive_combine_row(lc->png_read_ptr, old_row, new_row);
 }
@@ -1034,11 +1037,9 @@ static gboolean real_save_png (GdkPixbuf
        png_set_shift (png_ptr, &sig_bit);
        png_set_packing (png_ptr);
 
-       ptr = pixels;
-       for (y = 0; y < h; y++) {
+       for (y = 0, ptr = pixels; y < h; y++, ptr += rowstride) {
                row_ptr = (png_bytep)ptr;
                png_write_rows (png_ptr, &row_ptr, 1);
-               ptr += rowstride;
        }
 
        png_write_end (png_ptr, info_ptr);
From fde8d1d12a32740770253e97ddc9602654e16865 Mon Sep 17 00:00:00 2001
From: Matthias Clasen <mclasen@redhat.com>
Date: Mon, 24 Aug 2015 15:48:51 -0400
Subject: [PATCH] jpeg: Fix some integer overflows

Similar to the previous commit.
---
 gdk-pixbuf/io-jpeg.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
index fa6bec1..eb48aed 100644
--- a/gdk-pixbuf/io-jpeg.c
+++ b/gdk-pixbuf/io-jpeg.c
@@ -886,7 +886,7 @@ gdk_pixbuf__jpeg_image_load_lines (JpegProgContext  *context,
                         return FALSE;
                 }
 
-                context->dptr += nlines * context->pixbuf->rowstride;
+                context->dptr += (gsize)nlines * context->pixbuf->rowstride;
 
                 /* send updated signal */
 		if (context->updated_func)
@@ -1494,7 +1494,7 @@ real_save_jpeg (GdkPixbuf          *pixbuf,
        while (cinfo.next_scanline < cinfo.image_height) {
                /* convert scanline from ARGB to RGB packed */
                for (j = 0; j < w; j++)
-                       memcpy (&(buf[j*3]), &(ptr[i*rowstride + j*n_channels]), 3);
+                       memcpy (&(buf[j*3]), &(ptr[(gsize)i*rowstride + j*n_channels]), 3);
 
                /* write scanline */
                jbuf = (JSAMPROW *)(&buf);
-- 
2.6.2

From 7012b9a0b6263310fc7d57f0b06583c8404599af Mon Sep 17 00:00:00 2001
From: Matthias Clasen <mclasen@redhat.com>
Date: Mon, 24 Aug 2015 14:44:50 -0400
Subject: [PATCH] Fix some more integer overflows

The scaling code had a similar problem to the one fixed in the
previous commit: Expressions like ptr = base + y * rowstride are
prone to overflow if y and rowstride are (possibly large) integers.

Rebased by Mike Gorse <mgorse@suse.com>
---
 gdk-pixbuf/pixops/pixops.c | 48 +++++++++++++++++++++++-----------------------
 1 file changed, 24 insertions(+), 24 deletions(-)

diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c
index 5564a40..e41b286 100644
--- a/gdk-pixbuf/pixops/pixops.c
+++ b/gdk-pixbuf/pixops/pixops.c
@@ -304,8 +304,8 @@ pixops_scale_nearest (guchar        *dest_buf,
       guchar       *dest;
       y_pos = ((i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT;
       y_pos = CLAMP (y_pos, 0, src_height - 1);
-      src  = src_buf + y_pos * src_rowstride;
-      dest = dest_buf + i * dest_rowstride;
+      src  = src_buf + (gsize)y_pos * src_rowstride;
+      dest = dest_buf + (gsize)i * dest_rowstride;
 
       x = render_x0 * x_step + x_step / 2;
 
@@ -368,8 +368,8 @@ pixops_composite_nearest (guchar        *dest_buf,
       guchar       *dest;
       y_pos = ((i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT;
       y_pos = CLAMP (y_pos, 0, src_height - 1);
-      src  = src_buf + y_pos * src_rowstride;
-      dest = dest_buf + i * dest_rowstride;
+      src  = src_buf + (gsize)y_pos * src_rowstride;
+      dest = dest_buf + (gsize)i * dest_rowstride;
 
       x = render_x0 * x_step + x_step / 2;
       
@@ -540,8 +540,8 @@ pixops_composite_color_nearest (guchar        *dest_buf,
       guchar       *dest;
       y_pos = ((i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT;
       y_pos = CLAMP (y_pos, 0, src_height - 1);
-      src  = src_buf + y_pos * src_rowstride;
-      dest = dest_buf + i * dest_rowstride;
+      src  = src_buf + (gsize)y_pos * src_rowstride;
+      dest = dest_buf + (gsize)i * dest_rowstride;
 
       x = render_x0 * x_step + x_step / 2;
       
@@ -1398,7 +1398,7 @@ pixops_process (guchar         *dest_buf,
       guchar *new_outbuf;
       guint32 tcolor1, tcolor2;
 
-      guchar *outbuf = dest_buf + dest_rowstride * i;
+      guchar *outbuf = dest_buf + (gsize)dest_rowstride * i;
       guchar *outbuf_end = outbuf + dest_channels * (render_x1 - render_x0);
 
       if (((i + check_y) >> check_shift) & 1)
@@ -1417,9 +1417,9 @@ pixops_process (guchar         *dest_buf,
 	  if (y_start <  0)
 	    line_bufs[j] = (guchar *)src_buf;
 	  else if (y_start < src_height)
-	    line_bufs[j] = (guchar *)src_buf + src_rowstride * y_start;
+	    line_bufs[j] = (guchar *)src_buf + (gsize)src_rowstride * y_start;
 	  else
-	    line_bufs[j] = (guchar *)src_buf + src_rowstride * (src_height - 1);
+	    line_bufs[j] = (guchar *)src_buf + (gsize)src_rowstride * (src_height - 1);
 
 	  y_start++;
 	}
@@ -1443,7 +1443,7 @@ pixops_process (guchar         *dest_buf,
 	}
 
       new_outbuf = (*line_func) (run_weights, filter->x.n, filter->y.n,
-				 outbuf, dest_x, dest_buf + dest_rowstride *
+				 outbuf, dest_x, dest_buf + (gsize)dest_rowstride *
 				 i + run_end_index * dest_channels,
 				 dest_channels, dest_has_alpha,
 				 line_bufs, src_channels, src_has_alpha,
@@ -1966,7 +1966,7 @@ _pixops_composite (guchar          *dest_buf,
   return;
 #endif
 
-  new_dest_buf = dest_buf + dest_y * dest_rowstride + dest_x * dest_channels;
+  new_dest_buf = dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x * dest_channels;
   render_x0 = dest_x - offset_x;
   render_y0 = dest_y - offset_y;
   render_x1 = dest_x + dest_region_width  - offset_x;
@@ -2126,7 +2126,7 @@ pixops_medialib_composite (guchar          *dest_buf,
   if (!use_medialib)
     {
       /* Use non-mediaLib version */
-      _pixops_composite_real (dest_buf + dest_y * dest_rowstride + dest_x *
+      _pixops_composite_real (dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x *
 			      dest_channels, dest_x - offset_x, dest_y -
 			      offset_y, dest_x + dest_region_width - offset_x,
 			      dest_y + dest_region_height - offset_y,
@@ -2168,8 +2168,8 @@ pixops_medialib_composite (guchar          *dest_buf,
         }
       else
         {
-	  mlib_u8 *data = dest_buf + (dest_y * dest_rowstride) + 
-				     (dest_x * dest_channels);
+	  mlib_u8 *data = dest_buf + (gsize)dest_y * dest_rowstride +
+				     (gsize)dest_x * dest_channels;
 
           mlib_ImageSetStruct (&img_dest, MLIB_BYTE, dest_channels,
 			       dest_region_width, dest_region_height,
@@ -2236,8 +2236,8 @@ pixops_medialib_composite (guchar          *dest_buf,
               else
                 {
                   /* Should not happen - Use non-mediaLib version */
-                  _pixops_composite_real (dest_buf + dest_y * dest_rowstride +
-                                          dest_x * dest_channels,
+                  _pixops_composite_real (dest_buf + (gsize)dest_y * dest_rowstride +
+                                          (gsize)dest_x * dest_channels,
                                           dest_x - offset_x, dest_y - offset_y,
                                           dest_x + dest_region_width - offset_x,
                                           dest_y + dest_region_height - offset_y,
@@ -2360,7 +2360,7 @@ _pixops_scale (guchar          *dest_buf,
   return;
 #endif
 
-  new_dest_buf = dest_buf + dest_y * dest_rowstride + dest_x * dest_channels;
+  new_dest_buf = dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x * dest_channels;
   render_x0    = dest_x - offset_x;
   render_y0    = dest_y - offset_y;
   render_x1    = dest_x + dest_region_width  - offset_x;
@@ -2414,8 +2414,8 @@ pixops_medialib_scale     (guchar          *dest_buf,
    */
   if (!use_medialib)
     {
-      _pixops_scale_real (dest_buf + dest_y * dest_rowstride + dest_x *
-			  dest_channels, dest_x - offset_x, dest_y - offset_y, 
+      _pixops_scale_real (dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x *
+			  dest_channels, dest_x - offset_x, dest_y - offset_y,
 			  dest_x + dest_region_width - offset_x,
 			  dest_y + dest_region_height - offset_y,
 			  dest_rowstride, dest_channels, dest_has_alpha,
@@ -2443,8 +2443,8 @@ pixops_medialib_scale     (guchar          *dest_buf,
         }
       else
         {
-	  mlib_u8 *data = dest_buf + (dest_y * dest_rowstride) + 
-				     (dest_x * dest_channels);
+	  mlib_u8 *data = dest_buf + (gsize)dest_y * dest_rowstride +
+				     (gsize)dest_x * dest_channels;
 
           mlib_ImageSetStruct (&img_dest, MLIB_BYTE, dest_channels,
 			       dest_region_width, dest_region_height,
@@ -2479,7 +2479,7 @@ pixops_medialib_scale     (guchar          *dest_buf,
               int channels  = 3;
               int rowstride = (channels * src_width + 3) & ~3;
         
-              tmp_buf = g_malloc (src_rowstride * src_height);
+              tmp_buf = g_malloc_n (src_rowstride, src_height);
 
               if (src_buf != NULL)
                 {
-- 
2.6.2

From ca3c56421c075e729750cf80c3438b283232cce8 Mon Sep 17 00:00:00 2001
From: Matthias Clasen <mclasen@redhat.com>
Date: Mon, 24 Aug 2015 15:20:08 -0400
Subject: [PATCH] Avoid integer overflow in gdk_pixbuf_add_alpha

Same as before: don't do ptr = base + y * rowstride if y and
rowstride are integers.

This should fix http://bugzilla.gnome/org/753569

Rebased by Mike Gorse @mgorse@suse.com>
---
 gdk-pixbuf/gdk-pixbuf-util.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/gdk-pixbuf/gdk-pixbuf-util.c b/gdk-pixbuf/gdk-pixbuf-util.c
index 6abe9b9..3600450 100644
--- a/gdk-pixbuf/gdk-pixbuf-util.c
+++ b/gdk-pixbuf/gdk-pixbuf-util.c
@@ -65,6 +65,10 @@ gdk_pixbuf_add_alpha (const GdkPixbuf *p
 {
 	GdkPixbuf *new_pixbuf;
 	int x, y;
+	const guint8 *src_pixels;
+	guint8 *ret_pixels;
+	const guchar *src;
+	guchar *dest;
 
 	g_return_val_if_fail (GDK_IS_PIXBUF (pixbuf), NULL);
 	g_return_val_if_fail (pixbuf->colorspace == GDK_COLORSPACE_RGB, NULL);
@@ -85,13 +89,14 @@ gdk_pixbuf_add_alpha (const GdkPixbuf *p
 	if (!new_pixbuf)
 		return NULL;
 
-	for (y = 0; y < pixbuf->height; y++) {
-		guchar *src, *dest;
+	src_pixels = pixbuf->pixels;
+	ret_pixels = new_pixbuf->pixels;
+	for (y = 0; y < pixbuf->height; y++, src_pixels += pixbuf->rowstride, ret_pixels += new_pixbuf->rowstride) {
 		guchar tr, tg, tb;
 
-		src = pixbuf->pixels + y * pixbuf->rowstride;
-		dest = new_pixbuf->pixels + y * new_pixbuf->rowstride;
-                
+                src = src_pixels;
+                dest = ret_pixels;
+
                 if (pixbuf->has_alpha) {
                         /* Just subst color, we already copied everything else */
                         for (x = 0; x < pixbuf->width; x++) {
From 4f68cb78a5277f169b9531e6998c00c7976594e4 Mon Sep 17 00:00:00 2001
From: Matthias Clasen <mclasen@redhat.com>
Date: Mon, 24 Aug 2015 15:29:36 -0400
Subject: [PATCH] Avoid integer overflow in gdk_pixbuf_rotate_simple

Same as before: don't do ptr = base + y * rowstride if y and
rowstride are integers.
---
 gdk-pixbuf/gdk-pixbuf-scale.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gdk-pixbuf/gdk-pixbuf-scale.c b/gdk-pixbuf/gdk-pixbuf-scale.c
index 4288c65..475126a 100644
--- a/gdk-pixbuf/gdk-pixbuf-scale.c
+++ b/gdk-pixbuf/gdk-pixbuf-scale.c
@@ -396,7 +396,7 @@ gdk_pixbuf_composite_color_simple (const GdkPixbuf *src,
   return dest;
 }
 
-#define OFFSET(pb, x, y) ((x) * (pb)->n_channels + (y) * (pb)->rowstride)
+#define OFFSET(pb, x, y) ((x) * (pb)->n_channels + (gsize)(y) * (pb)->rowstride)
 
 /**
  * gdk_pixbuf_rotate_simple:
-- 
2.6.2

Places

File gdk-pixbuf-2-32-overflow-fixes.patch of Package gdk-pixbuf

Places