gdk-pixbuf: security bump to version 2.32.1

From ffec86ed5010c5a2be14f47b33bcf4ed3169a199 Mon Sep 17 00:00:00 2001

From: Matthias Clasen <mclasen@redhat.com>

Date: Mon, 13 Jul 2015 00:33:40 -0400

Subject: pixops: Be more careful about integer overflow

Our loader code is supposed to handle out-of-memory and overflow

situations gracefully, reporting errors instead of aborting. But

if you load an image at a specific size, we also execute our

scaling code, which was not careful enough about overflow in some

places.

This commit makes the scaling code silently return if it fails to

allocate filter tables. This is the best we can do, since

gdk_pixbuf_scale() is not taking a GError.

https://bugzilla.gnome.org/show_bug.cgi?id=752297

Signed-off-by: Gustavo Zacarisa <gustavo@zacarias.com.ar>

diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c

index 29a1c14..ce51745 100644

--- a/gdk-pixbuf/pixops/pixops.c

+++ b/gdk-pixbuf/pixops/pixops.c

@@ -1272,7 +1272,16 @@ make_filter_table (PixopsFilter *filter)

   int i_offset, j_offset;

   int n_x = filter->x.n;

   int n_y = filter->y.n;

-  int *weights = g_new (int, SUBSAMPLE * SUBSAMPLE * n_x * n_y);

+  gsize n_weights;

+  int *weights;

+

+  n_weights = SUBSAMPLE * SUBSAMPLE * n_x * n_y;

+  if (n_weights / (SUBSAMPLE * SUBSAMPLE * n_x) != n_y)

+    return NULL; /* overflow, bail */

+

+  weights = g_try_new (int, n_weights);

+  if (!weights)

+    return NULL; /* overflow, bail */

   for (i_offset=0; i_offset < SUBSAMPLE; i_offset++)

     for (j_offset=0; j_offset < SUBSAMPLE; j_offset++)

@@ -1347,8 +1356,11 @@ pixops_process (guchar         *dest_buf,

   if (x_step == 0 || y_step == 0)

     return; /* overflow, bail out */

-  line_bufs = g_new (guchar *, filter->y.n);

   filter_weights = make_filter_table (filter);

+  if (!filter_weights)

+    return; /* overflow, bail out */

+

+  line_bufs = g_new (guchar *, filter->y.n);

   check_shift = check_size ? get_check_shift (check_size) : 0;

@@ -1468,7 +1480,7 @@ tile_make_weights (PixopsFilterDimension *dim,

 		   double                 scale)

 {

   int n = ceil (1 / scale + 1);

-  double *pixel_weights = g_new (double, SUBSAMPLE * n);

+  double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);

   int offset;

   int i;

@@ -1526,7 +1538,7 @@ bilinear_magnify_make_weights (PixopsFilterDimension *dim,

     }

   dim->n = n;

-  dim->weights = g_new (double, SUBSAMPLE * n);

+  dim->weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);

   pixel_weights = dim->weights;

@@ -1617,7 +1629,7 @@ bilinear_box_make_weights (PixopsFilterDimension *dim,

 			   double                 scale)

 {

   int n = ceil (1/scale + 3.0);

-  double *pixel_weights = g_new (double, SUBSAMPLE * n);

+  double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);

   double w;

   int offset, i;

-- 

cgit v0.10.2

# From http://ftp.gnome.org/pub/gnome/sources/gdk-pixbuf/2.30/gdk-pixbuf-2.30.8.sha256sum

sha256	4853830616113db4435837992c0aebd94cbb993c44dc55063cee7f72a7bef8be	gdk-pixbuf-2.30.8.tar.xz

# From http://ftp.gnome.org/pub/gnome/sources/gdk-pixbuf/2.32/gdk-pixbuf-2.32.1.sha256sum

sha256	4432b74f25538c7d6bcb3ca51adabdd666168955f25812a2568dc9637697f3bc	gdk-pixbuf-2.32.1.tar.xz

#

################################################################################

GDK_PIXBUF_VERSION_MAJOR = 2.30

GDK_PIXBUF_VERSION = $(GDK_PIXBUF_VERSION_MAJOR).8

GDK_PIXBUF_VERSION_MAJOR = 2.32

GDK_PIXBUF_VERSION = $(GDK_PIXBUF_VERSION_MAJOR).1

GDK_PIXBUF_SOURCE = gdk-pixbuf-$(GDK_PIXBUF_VERSION).tar.xz

GDK_PIXBUF_SITE = http://ftp.gnome.org/pub/gnome/sources/gdk-pixbuf/$(GDK_PIXBUF_VERSION_MAJOR)

GDK_PIXBUF_LICENSE = LGPLv2+

		$(TARGET_DIR)/etc/init.d/S26gdk-pixbuf

endef

# Tests don't build correctly with uClibc

define GDK_PIXBUF_DISABLE_TESTS

	$(SED) 's/ tests//' $(@D)/Makefile.in

endef

GDK_PIXBUF_POST_PATCH_HOOKS += GDK_PIXBUF_DISABLE_TESTS

$(eval $(autotools-package))

HOST_GDK_PIXBUF_CONF_OPTS = \