Mageia Bugzilla – Attachment 2055 Details for Bug 5458: gnash new security issues CVE-2011-4328 and CVE-2012-1175
[patch] gnash-0.8.10-CVE-2012-1175.diff (text/plain), 1.80 KB, created by David Walser on 2012-04-20 20:20:21 CEST
Description: Fix CVE-2012-1175. Origin: http://git.sv.gnu.org/cgit/gnash.git/patch/?id=bb4dc77eecb6ed1b967e3ecbce3dac6c5e6f1527 Author: Benjamin Wolsey <bwy@benjaminwolsey.de> Bug-Debian: http://bugs.debian.org/664023 --- a/libbase/GnashImage.cpp +++ b/libbase/GnashImage.cpp @@ -26,6 +26,7 @@ #include <boost/scoped_array.hpp> #include <boost/shared_ptr.hpp> #include <algorithm> +#include <cassert> #ifdef USE_PNG # include "GnashImagePng.h" @@ -44,6 +45,21 @@ namespace image { namespace { void processAlpha(GnashImage::iterator imageData, size_t pixels); + bool checkValidSize(size_t width, size_t height, size_t channels) { + + if (width == 0 || height == 0) return false; + + assert(channels > 0); + + boost::uint32_t maxSize = std::numeric_limits<boost::int32_t>::max(); + if (width >= maxSize || height >= maxSize) return false; + + maxSize /= channels; + maxSize /= width; + maxSize /= height; + + return maxSize > 0; + } } GnashImage::GnashImage(iterator data, size_t width, size_t height, @@ -55,6 +71,8 @@ GnashImage::GnashImage(iterator data, size_t width, size_t height, _height(height), _data(data) { + // Callers should check dimensions + assert(checkValidSize(_width, _height, channels())); } /// Create an image allocating a buffer of height*pitch bytes @@ -66,8 +84,9 @@ GnashImage::GnashImage(size_t width, size_t height, ImageType type, _width(width), _height(height) { - const size_t max = std::numeric_limits<boost::int32_t>::max(); - if (size() > max) { + // Constructed from external input, so restrict dimensions to avoid + // overflow in size calculations + if (!checkValidSize(_width, _height, channels())) { throw std::bad_alloc(); } _data.reset(new value_type[size()]);
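Review bot: In checkValidSize (hunk @@ -44,6 +45,21 @@), the only guard on channels is `assert(channels > 0);`, which is compiled out when NDEBUG is defined, so a zero channel count would reach `maxSize /= channels;` and divide by zero. Treat it like the width and height case and return false, for example `if (width == 0 || height == 0 || channels == 0) return false;`. A short comment stating the invariant the three divisions enforce (channels * width * height must not exceed the int32 maximum) would also help the next reader.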
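Review bot: In the constructor that takes existing data (hunk @@ -55,6 +71,8 @@), the dimension check exists only as `assert(checkValidSize(_width, _height, channels()));`, so a build with NDEBUG performs no validation here and relies entirely on every caller having checked. Either enforce it at runtime as the allocating constructor does, or document at the declaration which callers are responsible for the check. Since checkValidSize returns false for a zero width or height, this assert will also abort debug builds when an empty image is passed in.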
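Review bot: In the allocating constructor (hunk @@ -66,8 +84,9 @@), replacing `if (size() > max) {` with `if (!checkValidSize(_width, _height, channels())) {` also changes behaviour for empty images: checkValidSize returns false when width or height is 0, so such an image now throws std::bad_alloc, whereas a size() of zero would not have exceeded the old max. If that is intended, say so in the new comment; if not, handle the zero case separately. Throwing std::bad_alloc for rejected dimensions also leaves callers unable to tell them apart from a real allocation failure.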