Hello dear maintainer(s), the Debian LTS team would like to fix the security issues which are currently open in the Squeeze version of gtk+2.0 and relate to gdk-pixbuf: https://security-tracker.debian.org/tracker/source-package/gtk+2.0
A user have noticed me about these issues, originally filed against, and I have already prepared a package (debdiff attached), backporting the patches from wheezy's gdk-pixbuf. Could you please take a look on it? Would you like to finish the upload and prepared the DLA or do you want me to go ahead? Cheers, Santiago
diff -u gtk+2.0-2.20.1/debian/changelog gtk+2.0-2.20.1/debian/changelog --- gtk+2.0-2.20.1/debian/changelog +++ gtk+2.0-2.20.1/debian/changelog @@ -1,3 +1,16 @@ +gtk+2.0 (2.20.1-2+deb6u2) squeeze-lts; urgency=medium + + * Non-maintainer upload by the Squeeze LTS Team. + * Fix CVE-2015-4491: Integer overflow in gdk-pixbuf's pixops/pixops.c + allowed to execute arbitrary code or cause a DoS via crafted bitmaps of + specific size. + * Fix CVE-2015-7673: io-tga.c in gdk-pixbuf was susceptible to a heap + overflow, allowing remote attackers to cause a DoS or execute arbitrary + code via a crafted Truevision TGA (TARGA) file. + * Fix CVE-2015-7674: Heap overflow in gdk-pixbuf when scaling a GIF file. + + -- Santiago Ruano Rincón <santiag...@riseup.net> Mon, 22 Feb 2016 21:54:36 +0100 + gtk+2.0 (2.20.1-2+deb6u1) squeeze-lts; urgency=medium * Non-maintainer upload by the Debian LTS Team. diff -u gtk+2.0-2.20.1/debian/patches/series gtk+2.0-2.20.1/debian/patches/series --- gtk+2.0-2.20.1/debian/patches/series +++ gtk+2.0-2.20.1/debian/patches/series @@ -24,0 +25,6 @@ +CVE-2015-4491.patch +CVE-2015-7673/0003-io-tga-Colormaps-are-always-present-so-always-parse-.patch +CVE-2015-7673/0002-tga-Wrap-TGAColormap-struct-in-its-own-API.patch +CVE-2015-7673/0001-pixops-Fail-make_weights-functions-on-OOM.patch +CVE-2015-7674/0001-pixops-Don-t-overflow-variables-when-shifting-them.patch +CVE-2015-4491-2.patch only in patch2: unchanged: --- gtk+2.0-2.20.1.orig/debian/patches/CVE-2015-4491-2.patch +++ gtk+2.0-2.20.1/debian/patches/CVE-2015-4491-2.patch @@ -0,0 +1,39 @@ +From 8dba67cb4f38d62a47757741ad41e3f245b4a32a Mon Sep 17 00:00:00 2001 +From: Benjamin Otte <o...@redhat.com> +Date: Mon, 17 Aug 2015 18:52:47 +0200 +Subject: [PATCH] pixops: Fix oversight for CVE-2015-4491 + +The n_x variable could be made large enough to overflow, too. + +Also included are various testcases for this vulnerability: +- The original exploit (adapted for the testsuite) +- Causing overflow by making both X and Y variables large +- Causing overflow using only the X variable +- Causing overflow using only the Y variable + +https://bugzilla.gnome.org/show_bug.cgi?id=752297 +--- + gdk-pixbuf/pixops/pixops.c | 6 ++- + tests/Makefile.am | 7 ++++ + tests/cve-2015-4491.bmp | Bin 0 -> 82 bytes + tests/cve-2015-4491.c | 87 ++++++++++++++++++++++++++++++++++++++++++ + tests/resources.gresource.xml | 1 + + 5 files changed, 100 insertions(+), 1 deletion(-) + create mode 100644 tests/cve-2015-4491.bmp + create mode 100644 tests/cve-2015-4491.c + +--- a/gdk-pixbuf/pixops/pixops.c ++++ b/gdk-pixbuf/pixops/pixops.c +@@ -1197,7 +1197,11 @@ + gsize n_weights; + int *weights; + +- n_weights = SUBSAMPLE * SUBSAMPLE * n_x * n_y; ++ n_weights = SUBSAMPLE * SUBSAMPLE * n_x; ++ if (n_weights / (SUBSAMPLE * SUBSAMPLE) != n_x) ++ return NULL; /* overflow, bail */ ++ ++ n_weights *= n_y; + if (n_weights / (SUBSAMPLE * SUBSAMPLE * n_x) != n_y) + return NULL; /* overflow, bail */ + only in patch2: unchanged: --- gtk+2.0-2.20.1.orig/debian/patches/CVE-2015-4491.patch +++ gtk+2.0-2.20.1/debian/patches/CVE-2015-4491.patch @@ -0,0 +1,77 @@ +From ffec86ed5010c5a2be14f47b33bcf4ed3169a199 Mon Sep 17 00:00:00 2001 +From: Matthias Clasen <mcla...@redhat.com> +Date: Mon, 13 Jul 2015 00:33:40 -0400 +Subject: pixops: Be more careful about integer overflow + +Our loader code is supposed to handle out-of-memory and overflow +situations gracefully, reporting errors instead of aborting. But +if you load an image at a specific size, we also execute our +scaling code, which was not careful enough about overflow in some +places. + +This commit makes the scaling code silently return if it fails to +allocate filter tables. This is the best we can do, since +gdk_pixbuf_scale() is not taking a GError. + +https://bugzilla.gnome.org/show_bug.cgi?id=752297 + +--- a/gdk-pixbuf/pixops/pixops.c ++++ b/gdk-pixbuf/pixops/pixops.c +@@ -1194,7 +1194,16 @@ + int i_offset, j_offset; + int n_x = filter->x.n; + int n_y = filter->y.n; +- int *weights = g_new (int, SUBSAMPLE * SUBSAMPLE * n_x * n_y); ++ gsize n_weights; ++ int *weights; ++ ++ n_weights = SUBSAMPLE * SUBSAMPLE * n_x * n_y; ++ if (n_weights / (SUBSAMPLE * SUBSAMPLE * n_x) != n_y) ++ return NULL; /* overflow, bail */ ++ ++ weights = g_try_new (int, n_weights); ++ if (!weights) ++ return NULL; /* overflow, bail */ + + for (i_offset=0; i_offset < SUBSAMPLE; i_offset++) + for (j_offset=0; j_offset < SUBSAMPLE; j_offset++) +@@ -1269,8 +1278,11 @@ + if (x_step == 0 || y_step == 0) + return; /* overflow, bail out */ + +- line_bufs = g_new (guchar *, filter->y.n); + filter_weights = make_filter_table (filter); ++ if (!filter_weights) ++ return; /* overflow, bail out */ ++ ++ line_bufs = g_new (guchar *, filter->y.n); + + check_shift = check_size ? get_check_shift (check_size) : 0; + +@@ -1390,7 +1402,7 @@ + double scale) + { + int n = ceil (1 / scale + 1); +- double *pixel_weights = g_new (double, SUBSAMPLE * n); ++ double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n); + int offset; + int i; + +@@ -1448,7 +1460,7 @@ + } + + dim->n = n; +- dim->weights = g_new (double, SUBSAMPLE * n); ++ dim->weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n); + + pixel_weights = dim->weights; + +@@ -1539,7 +1551,7 @@ + double scale) + { + int n = ceil (1/scale + 3.0); +- double *pixel_weights = g_new (double, SUBSAMPLE * n); ++ double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n); + double w; + int offset, i; + only in patch2: unchanged: --- gtk+2.0-2.20.1.orig/debian/patches/CVE-2015-7673/0001-pixops-Fail-make_weights-functions-on-OOM.patch +++ gtk+2.0-2.20.1/debian/patches/CVE-2015-7673/0001-pixops-Fail-make_weights-functions-on-OOM.patch @@ -0,0 +1,190 @@ +From 19f9685dbff7d1f929c61cf99188df917a18811d Mon Sep 17 00:00:00 2001 +From: Benjamin Otte <o...@redhat.com> +Date: Sat, 19 Sep 2015 21:24:34 +0200 +Subject: [PATCH] pixops: Fail make_weights functions on OOM + +The weights could grow very large under certain circumstances, in +particular in security-relevant conditions, including the testsuite. +By allowing the weight allocation to fail, this can be worked around. + +https://bugzilla.gnome.org/show_bug.cgi?id=754387 +--- + gdk-pixbuf/pixops/pixops.c | 75 +++++++++++++++++++++++++++++++++------------- + 1 file changed, 55 insertions(+), 20 deletions(-) + +--- a/gdk-pixbuf/pixops/pixops.c ++++ b/gdk-pixbuf/pixops/pixops.c +@@ -1397,15 +1397,19 @@ + /* Compute weights for reconstruction by replication followed by + * sampling with a box filter + */ +-static void ++static gboolean + tile_make_weights (PixopsFilterDimension *dim, + double scale) + { + int n = ceil (1 / scale + 1); +- double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n); ++ double *pixel_weights; + int offset; + int i; + ++ pixel_weights = g_try_malloc_n (sizeof (double) * SUBSAMPLE, n); ++ if (pixel_weights == NULL) ++ return FALSE; ++ + dim->n = n; + dim->offset = 0; + dim->weights = pixel_weights; +@@ -1433,13 +1437,15 @@ + } + } + } ++ ++ return TRUE; + } + + /* Compute weights for a filter that, for minification + * is the same as 'tiles', and for magnification, is bilinear + * reconstruction followed by a sampling with a delta function. + */ +-static void ++static gboolean + bilinear_magnify_make_weights (PixopsFilterDimension *dim, + double scale) + { +@@ -1460,7 +1466,9 @@ + } + + dim->n = n; +- dim->weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n); ++ dim->weights = g_try_malloc_n (sizeof (double) * SUBSAMPLE, n); ++ if (dim->weights == NULL) ++ return FALSE; + + pixel_weights = dim->weights; + +@@ -1500,6 +1508,8 @@ + } + } + } ++ ++ return TRUE; + } + + /* Computes the integral from b0 to b1 of +@@ -1546,15 +1556,19 @@ + /* Compute weights for reconstructing with bilinear + * interpolation, then sampling with a box filter + */ +-static void ++static gboolean + bilinear_box_make_weights (PixopsFilterDimension *dim, + double scale) + { + int n = ceil (1/scale + 3.0); +- double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n); ++ double *pixel_weights; + double w; + int offset, i; + ++ pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n); ++ if (pixel_weights == NULL) ++ return FALSE; ++ + dim->offset = -1.0; + dim->n = n; + dim->weights = pixel_weights; +@@ -1572,9 +1586,11 @@ + *(pixel_weights++) = w * scale; + } + } ++ ++ return TRUE; + } + +-static void ++static gboolean + make_weights (PixopsFilter *filter, + PixopsInterpType interp_type, + double scale_x, +@@ -1583,23 +1599,39 @@ + switch (interp_type) + { + case PIXOPS_INTERP_NEAREST: ++ default: + g_assert_not_reached (); +- break; ++ return FALSE; + + case PIXOPS_INTERP_TILES: +- tile_make_weights (&filter->x, scale_x); +- tile_make_weights (&filter->y, scale_y); +- break; ++ if (!tile_make_weights (&filter->x, scale_x)) ++ return FALSE; ++ if (!tile_make_weights (&filter->y, scale_y)) ++ { ++ g_free (filter->x.weights); ++ return FALSE; ++ } ++ return TRUE; + + case PIXOPS_INTERP_BILINEAR: +- bilinear_magnify_make_weights (&filter->x, scale_x); +- bilinear_magnify_make_weights (&filter->y, scale_y); +- break; ++ if (!bilinear_magnify_make_weights (&filter->x, scale_x)) ++ return FALSE; ++ if (!bilinear_magnify_make_weights (&filter->y, scale_y)) ++ { ++ g_free (filter->x.weights); ++ return FALSE; ++ } ++ return TRUE; + + case PIXOPS_INTERP_HYPER: +- bilinear_box_make_weights (&filter->x, scale_x); +- bilinear_box_make_weights (&filter->y, scale_y); +- break; ++ if (!bilinear_box_make_weights (&filter->x, scale_x)) ++ return FALSE; ++ if (!bilinear_box_make_weights (&filter->y, scale_y)) ++ { ++ g_free (filter->x.weights); ++ return FALSE; ++ } ++ return TRUE; + } + } + +@@ -1654,7 +1686,8 @@ + } + + filter.overall_alpha = overall_alpha / 255.; +- make_weights (&filter, interp_type, scale_x, scale_y); ++ if (!make_weights (&filter, interp_type, scale_x, scale_y)) ++ return; + + #ifdef USE_MMX + if (filter.x.n == 2 && filter.y.n == 2 && +@@ -1804,7 +1837,8 @@ + } + + filter.overall_alpha = overall_alpha / 255.; +- make_weights (&filter, interp_type, scale_x, scale_y); ++ if (!make_weights (&filter, interp_type, scale_x, scale_y)) ++ return; + + if (filter.x.n == 2 && filter.y.n == 2 && dest_channels == 4 && + src_channels == 4 && src_has_alpha && !dest_has_alpha) +@@ -2211,7 +2245,8 @@ + } + + filter.overall_alpha = 1.0; +- make_weights (&filter, interp_type, scale_x, scale_y); ++ if (!make_weights (&filter, interp_type, scale_x, scale_y)) ++ return; + + if (filter.x.n == 2 && filter.y.n == 2 && dest_channels == 3 && src_channels == 3) + { only in patch2: unchanged: --- gtk+2.0-2.20.1.orig/debian/patches/CVE-2015-7673/0002-tga-Wrap-TGAColormap-struct-in-its-own-API.patch +++ gtk+2.0-2.20.1/debian/patches/CVE-2015-7673/0002-tga-Wrap-TGAColormap-struct-in-its-own-API.patch @@ -0,0 +1,227 @@ +From edf6fb8d856574bc3bb3a703037f56533229267c Mon Sep 17 00:00:00 2001 +From: Benjamin Otte <o...@redhat.com> +Date: Sun, 20 Sep 2015 00:22:42 +0200 +Subject: [PATCH] tga: Wrap TGAColormap struct in its own API + +Instead of poking into it directly. +--- + gdk-pixbuf/io-tga.c | 124 ++++++++++++++++++++++++++++++++++------------------ + 1 file changed, 82 insertions(+), 42 deletions(-) + +--- a/gdk-pixbuf/io-tga.c ++++ b/gdk-pixbuf/io-tga.c +@@ -66,8 +66,8 @@ + typedef struct _TGAHeader TGAHeader; + typedef struct _TGAFooter TGAFooter; + +-typedef struct _TGAColormap TGAColormap; + typedef struct _TGAColor TGAColor; ++typedef struct _TGAColormap TGAColormap; + + typedef struct _TGAContext TGAContext; + +@@ -104,15 +104,15 @@ + } sig; + }; + +-struct _TGAColormap { +- gint size; +- TGAColor *cols; +-}; +- + struct _TGAColor { + guchar r, g, b, a; + }; + ++struct _TGAColormap { ++ guint n_colors; ++ TGAColor colors[1]; ++}; ++ + struct _TGAContext { + TGAHeader *hdr; + guint rowstride; +@@ -237,6 +237,51 @@ + g_free(pixels); + } + ++static TGAColormap * ++colormap_new (guint n_colors) ++{ ++ TGAColormap *cmap; ++ ++ g_assert (n_colors <= G_MAXUINT16); ++ ++ cmap = g_try_malloc0 (sizeof (TGAColormap) + (MAX (n_colors, 1) - 1) * sizeof (TGAColor)); ++ if (cmap == NULL) ++ return NULL; ++ ++ cmap->n_colors = n_colors; ++ ++ return cmap; ++} ++ ++static const TGAColor * ++colormap_get_color (TGAColormap *cmap, ++ guint id) ++{ ++ static const TGAColor transparent_black = { 0, 0, 0, 0 }; ++ ++ if (id >= cmap->n_colors) ++ return &transparent_black; ++ ++ return &cmap->colors[id]; ++} ++ ++static void ++colormap_set_color (TGAColormap *cmap, ++ guint id, ++ const TGAColor *color) ++{ ++ if (id >= cmap->n_colors) ++ return; ++ ++ cmap->colors[id] = *color; ++} ++ ++static void ++colormap_free (TGAColormap *cmap) ++{ ++ g_free (cmap); ++} ++ + static GdkPixbuf *get_contiguous_pixbuf (guint width, + guint height, + gboolean has_alpha) +@@ -371,11 +416,12 @@ + guchar *p = ctx->pptr; + + for (; upper_bound; upper_bound--, s++) { +- *p++ = ctx->cmap->cols[*s].r; +- *p++ = ctx->cmap->cols[*s].g; +- *p++ = ctx->cmap->cols[*s].b; ++ const TGAColor *color = colormap_get_color (ctx->cmap, *s); ++ *p++ = color->r; ++ *p++ = color->g; ++ *p++ = color->b; + if (ctx->hdr->cmap_bpp == 32) +- *p++ = ctx->cmap->cols[*s].a; ++ *p++ = color->a; + } + } + +@@ -442,7 +488,7 @@ + return TRUE; + } + +-static void write_rle_data(TGAContext *ctx, TGAColor *color, guint *rle_count) ++static void write_rle_data(TGAContext *ctx, const TGAColor *color, guint *rle_count) + { + for (; *rle_count; (*rle_count)--) { + g_memmove(ctx->pptr, (guchar *) color, ctx->pbuf->n_channels); +@@ -470,7 +516,7 @@ + return --n; + } else { + rle_num = (tag & 0x7f) + 1; +- write_rle_data(ctx, &ctx->cmap->cols[*s], &rle_num); ++ write_rle_data(ctx, colormap_get_color (ctx->cmap, *s), &rle_num); + s++, n++; + if (ctx->pbuf_bytes_done == ctx->pbuf_bytes) { + ctx->done = TRUE; +@@ -483,14 +529,12 @@ + return --n; + } else { + for (; raw_num; raw_num--) { +- *ctx->pptr++ = +- ctx->cmap->cols[*s].r; +- *ctx->pptr++ = +- ctx->cmap->cols[*s].g; +- *ctx->pptr++ = +- ctx->cmap->cols[*s].b; ++ const TGAColor *color = colormap_get_color (ctx->cmap, *s); ++ *ctx->pptr++ = color->r; ++ *ctx->pptr++ = color->g; ++ *ctx->pptr++ = color->b; + if (ctx->pbuf->n_channels == 4) +- *ctx->pptr++ = ctx->cmap->cols[*s].a; ++ *ctx->pptr++ = color->a; + s++, n++; + ctx->pbuf_bytes_done += ctx->pbuf->n_channels; + if (ctx->pbuf_bytes_done == ctx->pbuf_bytes) { +@@ -674,46 +718,44 @@ + + static gboolean try_colormap(TGAContext *ctx, GError **err) + { +- static guchar *p; +- static guint n; ++ TGAColor color; ++ guchar *p; ++ guint i, n_colors; + + g_return_val_if_fail(ctx != NULL, FALSE); + +- ctx->cmap = g_try_malloc(sizeof(TGAColormap)); ++ n_colors = LE16(ctx->hdr->cmap_n_colors); ++ ctx->cmap = colormap_new (n_colors); + if (!ctx->cmap) { + g_set_error_literal(err, GDK_PIXBUF_ERROR, GDK_PIXBUF_ERROR_INSUFFICIENT_MEMORY, +- _("Cannot allocate colormap structure")); +- return FALSE; +- } +- ctx->cmap->size = LE16(ctx->hdr->cmap_n_colors); +- ctx->cmap->cols = g_try_malloc(sizeof(TGAColor) * ctx->cmap->size); +- if (!ctx->cmap->cols) { +- g_set_error_literal(err, GDK_PIXBUF_ERROR, GDK_PIXBUF_ERROR_INSUFFICIENT_MEMORY, +- _("Cannot allocate colormap entries")); ++ _("Cannot allocate colormap")); + return FALSE; + } + + p = ctx->in->data; +- for (n = 0; n < ctx->cmap->size; n++) { ++ color.a = 255; ++ ++ for (i = 0; i < n_colors; i++) { + if ((ctx->hdr->cmap_bpp == 15) || (ctx->hdr->cmap_bpp == 16)) { + guint16 col = p[0] + (p[1] << 8); +- ctx->cmap->cols[n].b = (col >> 7) & 0xf8; +- ctx->cmap->cols[n].g = (col >> 2) & 0xf8; +- ctx->cmap->cols[n].r = col << 3; ++ color.b = (col >> 7) & 0xf8; ++ color.g = (col >> 2) & 0xf8; ++ color.r = col << 3; + p += 2; + } + else if ((ctx->hdr->cmap_bpp == 24) || (ctx->hdr->cmap_bpp == 32)) { +- ctx->cmap->cols[n].b = *p++; +- ctx->cmap->cols[n].g = *p++; +- ctx->cmap->cols[n].r = *p++; ++ color.b = *p++; ++ color.g = *p++; ++ color.r = *p++; + if (ctx->hdr->cmap_bpp == 32) +- ctx->cmap->cols[n].a = *p++; ++ color.a = *p++; + } else { + g_set_error_literal(err, GDK_PIXBUF_ERROR, + GDK_PIXBUF_ERROR_CORRUPT_IMAGE, + _("Unexpected bitdepth for colormap entries")); + return FALSE; + } ++ colormap_set_color (ctx->cmap, i, &color); + } + ctx->in = io_buffer_free_segment(ctx->in, ctx->cmap_size, err); + if (!ctx->in) +@@ -944,10 +986,8 @@ + ctx->udata); + } + g_free (ctx->hdr); +- if (ctx->cmap) { +- g_free (ctx->cmap->cols); +- g_free (ctx->cmap); +- } ++ if (ctx->cmap) ++ colormap_free (ctx->cmap); + if (ctx->pbuf) + g_object_unref (ctx->pbuf); + if (ctx->in && ctx->in->size) only in patch2: unchanged: --- gtk+2.0-2.20.1.orig/debian/patches/CVE-2015-7673/0003-io-tga-Colormaps-are-always-present-so-always-parse-.patch +++ gtk+2.0-2.20.1/debian/patches/CVE-2015-7673/0003-io-tga-Colormaps-are-always-present-so-always-parse-.patch @@ -0,0 +1,48 @@ +From 6ddca835100107e6b5841ce9d56074f6d98c387e Mon Sep 17 00:00:00 2001 +From: Benjamin Otte <o...@redhat.com> +Date: Sun, 20 Sep 2015 00:29:59 +0200 +Subject: [PATCH] io-tga: Colormaps are always present, so always parse them. + +We might end up with a colormap with 0 entries, but whatever, it's a +colormap. +--- + gdk-pixbuf/io-tga.c | 14 +++----------- + 1 file changed, 3 insertions(+), 11 deletions(-) + +--- a/gdk-pixbuf/io-tga.c ++++ b/gdk-pixbuf/io-tga.c +@@ -319,9 +319,8 @@ + || (ctx->hdr->type == TGA_TYPE_RLE_TRUECOLOR) + || (ctx->hdr->type == TGA_TYPE_RLE_GRAYSCALE)); + +- if (ctx->hdr->has_cmap) +- ctx->cmap_size = ((ctx->hdr->cmap_bpp + 7) >> 3) * +- LE16(ctx->hdr->cmap_n_colors); ++ ctx->cmap_size = ((ctx->hdr->cmap_bpp + 7) >> 3) * ++ LE16(ctx->hdr->cmap_n_colors); + + alpha = ((ctx->hdr->bpp == 16) || + (ctx->hdr->bpp == 32) || +@@ -680,13 +679,6 @@ + + g_return_val_if_fail(ctx != NULL, FALSE); + +- if (ctx->cmap_size == 0) { +- g_set_error_literal(err, GDK_PIXBUF_ERROR, +- GDK_PIXBUF_ERROR_CORRUPT_IMAGE, +- _("Image is corrupted or truncated")); +- return FALSE; +- } +- + ctx->cmap = g_try_malloc(sizeof(TGAColormap)); + if (!ctx->cmap) { + g_set_error_literal(err, GDK_PIXBUF_ERROR, GDK_PIXBUF_ERROR_INSUFFICIENT_MEMORY, +@@ -831,7 +823,7 @@ + return TRUE; + } + } +- if (ctx->hdr->has_cmap && !ctx->cmap) { ++ if (!ctx->cmap) { + if (ctx->in->size >= ctx->cmap_size) { + if (!try_colormap(ctx, err)) + return FALSE; only in patch2: unchanged: --- gtk+2.0-2.20.1.orig/debian/patches/CVE-2015-7674/0001-pixops-Don-t-overflow-variables-when-shifting-them.patch +++ gtk+2.0-2.20.1/debian/patches/CVE-2015-7674/0001-pixops-Don-t-overflow-variables-when-shifting-them.patch @@ -0,0 +1,30 @@ +From e9a5704edaa9aee9498f1fbf6e1b70fcce2e55aa Mon Sep 17 00:00:00 2001 +From: Benjamin Otte <o...@redhat.com> +Date: Tue, 22 Sep 2015 22:44:51 +0200 +Subject: [PATCH] pixops: Don't overflow variables when shifting them + +If we shift by 16 bits we need to be sure those 16 bits actually exist. +They do now. +--- + gdk-pixbuf/pixops/pixops.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/gdk-pixbuf/pixops/pixops.c ++++ b/gdk-pixbuf/pixops/pixops.c +@@ -266,11 +266,11 @@ + double scale_x, + double scale_y) + { +- int i; +- int x; +- int x_step = (1 << SCALE_SHIFT) / scale_x; +- int y_step = (1 << SCALE_SHIFT) / scale_y; +- int xmax, xstart, xstop, x_pos, y_pos; ++ gint64 i; ++ gint64 x; ++ gint64 x_step = (1 << SCALE_SHIFT) / scale_x; ++ gint64 y_step = (1 << SCALE_SHIFT) / scale_y; ++ gint64 xmax, xstart, xstop, x_pos, y_pos; + const guchar *p; + + #define INNER_LOOP(SRC_CHANNELS,DEST_CHANNELS,ASSIGN_PIXEL) \
signature.asc
Description: Digital signature
