diff options
Diffstat (limited to 'multimedia/gnash/patch/gnash-0.8.10-cve-2012-1175.patch')
| -rw-r--r-- | multimedia/gnash/patch/gnash-0.8.10-cve-2012-1175.patch | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/multimedia/gnash/patch/gnash-0.8.10-cve-2012-1175.patch b/multimedia/gnash/patch/gnash-0.8.10-cve-2012-1175.patch new file mode 100644 index 0000000000..9a218d9216 --- /dev/null +++ b/multimedia/gnash/patch/gnash-0.8.10-cve-2012-1175.patch @@ -0,0 +1,63 @@ +From bb4dc77eecb6ed1b967e3ecbce3dac6c5e6f1527 Mon Sep 17 00:00:00 2001 +From: Benjamin Wolsey <bwy@benjaminwolsey.de> +Date: Sat, 10 Mar 2012 14:52:50 +0000 +Subject: Fix crash in GnashImage.cpp + +--- +diff --git a/libbase/GnashImage.cpp b/libbase/GnashImage.cpp +index 11c6956..03a6939 100644 +--- a/libbase/GnashImage.cpp ++++ b/libbase/GnashImage.cpp +@@ -26,6 +26,7 @@ + #include <boost/scoped_array.hpp> + #include <boost/shared_ptr.hpp> + #include <algorithm> ++#include <cassert> + + #ifdef USE_PNG + # include "GnashImagePng.h" +@@ -44,6 +45,21 @@ namespace image { + + namespace { + void processAlpha(GnashImage::iterator imageData, size_t pixels); ++ bool checkValidSize(size_t width, size_t height, size_t channels) { ++ ++ if (width == 0 || height == 0) return false; ++ ++ assert(channels > 0); ++ ++ boost::uint32_t maxSize = std::numeric_limits<boost::int32_t>::max(); ++ if (width >= maxSize || height >= maxSize) return false; ++ ++ maxSize /= channels; ++ maxSize /= width; ++ maxSize /= height; ++ ++ return maxSize > 0; ++ } + } + + GnashImage::GnashImage(iterator data, size_t width, size_t height, +@@ -55,6 +71,8 @@ GnashImage::GnashImage(iterator data, size_t width, size_t height, + _height(height), + _data(data) + { ++ // Callers should check dimensions ++ assert(checkValidSize(_width, _height, channels())); + } + + /// Create an image allocating a buffer of height*pitch bytes +@@ -66,8 +84,9 @@ GnashImage::GnashImage(size_t width, size_t height, ImageType type, + _width(width), + _height(height) + { +- const size_t max = std::numeric_limits<boost::int32_t>::max(); +- if (size() > max) { ++ // Constructed from external input, so restrict dimensions to avoid ++ // overflow in size calculations ++ if (!checkValidSize(_width, _height, channels())) { + throw std::bad_alloc(); + } + _data.reset(new value_type[size()]); +-- +cgit v0.9.0.2 |