libgxps: CVE-2018-10733 ; CVE-2018-10767
This commit is contained in:
parent
25f913e9c0
commit
a411f8be11
3 changed files with 177 additions and 1 deletions
148
srcpkgs/libgxps/patches/CVE-2018-10733.patch
Normal file
148
srcpkgs/libgxps/patches/CVE-2018-10733.patch
Normal file
|
@ -0,0 +1,148 @@
|
||||||
|
Sources:
|
||||||
|
https://git.gnome.org/browse/libgxps/commit/?id=b458226e162fe1ffe7acb4230c114a52ada5131b
|
||||||
|
|
||||||
|
https://git.gnome.org/browse/libgxps/commit/?id=133fe2a96e020d4ca65c6f64fb28a404050ebbfd
|
||||||
|
From 133fe2a96e020d4ca65c6f64fb28a404050ebbfd Mon Sep 17 00:00:00 2001
|
||||||
|
From: Carlos Garcia Campos <carlosgc@gnome.org>
|
||||||
|
Date: Sat, 5 May 2018 12:02:36 +0200
|
||||||
|
Subject: [PATCH] gxps-archive: Handle errors returned by archive_read_data
|
||||||
|
|
||||||
|
---
|
||||||
|
libgxps/gxps-archive.c | 7 +++++++
|
||||||
|
1 file changed, 7 insertions(+)
|
||||||
|
|
||||||
|
diff --git libgxps/gxps-archive.c libgxps/gxps-archive.c
|
||||||
|
index 346ba73..1bae729 100644
|
||||||
|
--- libgxps/gxps-archive.c
|
||||||
|
+++ libgxps/gxps-archive.c
|
||||||
|
@@ -520,6 +520,13 @@ gxps_archive_input_stream_read (GInputStream *stream,
|
||||||
|
return -1;
|
||||||
|
|
||||||
|
bytes_read = archive_read_data (istream->zip->archive, buffer, count);
|
||||||
|
+ if (bytes_read < 0) {
|
||||||
|
+ g_set_error_literal (error,
|
||||||
|
+ G_IO_ERROR,
|
||||||
|
+ g_io_error_from_errno (archive_errno (istream->zip->archive)),
|
||||||
|
+ archive_error_string (istream->zip->archive));
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
if (bytes_read == 0 && istream->is_interleaved && !gxps_archive_input_stream_is_last_piece (istream)) {
|
||||||
|
/* Read next piece */
|
||||||
|
gxps_archive_input_stream_next_piece (istream);
|
||||||
|
--
|
||||||
|
2.18.1
|
||||||
|
|
||||||
|
From b458226e162fe1ffe7acb4230c114a52ada5131b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Carlos Garcia Campos <carlosgc@gnome.org>
|
||||||
|
Date: Sat, 5 May 2018 12:01:24 +0200
|
||||||
|
Subject: [PATCH] gxps-archive: Ensure gxps_archive_read_entry() fills the
|
||||||
|
GError in case of failure
|
||||||
|
|
||||||
|
And fix the callers to not overwrite the GError.
|
||||||
|
---
|
||||||
|
libgxps/gxps-archive.c | 15 +++++++++++----
|
||||||
|
libgxps/gxps-fonts.c | 17 +++++------------
|
||||||
|
libgxps/gxps-images.c | 17 ++++++-----------
|
||||||
|
3 files changed, 22 insertions(+), 27 deletions(-)
|
||||||
|
|
||||||
|
diff --git libgxps/gxps-archive.c libgxps/gxps-archive.c
|
||||||
|
index e763773..346ba73 100644
|
||||||
|
--- libgxps/gxps-archive.c
|
||||||
|
+++ libgxps/gxps-archive.c
|
||||||
|
@@ -406,9 +406,13 @@ gxps_archive_read_entry (GXPSArchive *archive,
|
||||||
|
gboolean retval;
|
||||||
|
|
||||||
|
stream = gxps_archive_open (archive, path);
|
||||||
|
- if (!stream)
|
||||||
|
- /* TODO: Error */
|
||||||
|
+ if (!stream) {
|
||||||
|
+ g_set_error (error,
|
||||||
|
+ G_IO_ERROR,
|
||||||
|
+ G_IO_ERROR_NOT_FOUND,
|
||||||
|
+ "The entry '%s' was not found in archive", path);
|
||||||
|
return FALSE;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
entry_size = archive_entry_size (GXPS_ARCHIVE_INPUT_STREAM (stream)->entry);
|
||||||
|
if (entry_size <= 0) {
|
||||||
|
@@ -423,7 +427,7 @@ gxps_archive_read_entry (GXPSArchive *archive,
|
||||||
|
*buffer = g_malloc (buffer_size);
|
||||||
|
do {
|
||||||
|
bytes = g_input_stream_read (stream, &buf, BUFFER_SIZE, NULL, error);
|
||||||
|
- if (*error != NULL) {
|
||||||
|
+ if (bytes < 0) {
|
||||||
|
g_free (*buffer);
|
||||||
|
g_object_unref (stream);
|
||||||
|
|
||||||
|
@@ -441,7 +445,10 @@ gxps_archive_read_entry (GXPSArchive *archive,
|
||||||
|
g_object_unref (stream);
|
||||||
|
|
||||||
|
if (*bytes_read == 0) {
|
||||||
|
- /* TODO: Error */
|
||||||
|
+ g_set_error (error,
|
||||||
|
+ G_IO_ERROR,
|
||||||
|
+ G_IO_ERROR_INVALID_DATA,
|
||||||
|
+ "The entry '%s' is empty in archive", path);
|
||||||
|
g_free (*buffer);
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
diff --git libgxps/gxps-fonts.c libgxps/gxps-fonts.c
|
||||||
|
index 882157d..8d02ffc 100644
|
||||||
|
--- libgxps/gxps-fonts.c
|
||||||
|
+++ libgxps/gxps-fonts.c
|
||||||
|
@@ -220,19 +220,12 @@ gxps_fonts_new_font_face (GXPSArchive *zip,
|
||||||
|
cairo_font_face_t *font_face;
|
||||||
|
guchar *font_data;
|
||||||
|
gsize font_data_len;
|
||||||
|
- gboolean res;
|
||||||
|
|
||||||
|
- res = gxps_archive_read_entry (zip, font_uri,
|
||||||
|
- &font_data, &font_data_len,
|
||||||
|
- error);
|
||||||
|
- if (!res) {
|
||||||
|
- g_set_error (error,
|
||||||
|
- GXPS_ERROR,
|
||||||
|
- GXPS_ERROR_SOURCE_NOT_FOUND,
|
||||||
|
- "Font source %s not found in archive",
|
||||||
|
- font_uri);
|
||||||
|
- return NULL;
|
||||||
|
- }
|
||||||
|
+ if (!gxps_archive_read_entry (zip, font_uri,
|
||||||
|
+ &font_data, &font_data_len,
|
||||||
|
+ error)) {
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
ft_face.font_data = font_data;
|
||||||
|
ft_face.font_data_len = (gssize)font_data_len;
|
||||||
|
diff --git libgxps/gxps-images.c libgxps/gxps-images.c
|
||||||
|
index 4dcf9e2..50f899f 100644
|
||||||
|
--- libgxps/gxps-images.c
|
||||||
|
+++ libgxps/gxps-images.c
|
||||||
|
@@ -742,17 +742,12 @@ gxps_images_create_from_tiff (GXPSArchive *zip,
|
||||||
|
guchar *data;
|
||||||
|
guchar *p;
|
||||||
|
|
||||||
|
- if (!gxps_archive_read_entry (zip, image_uri,
|
||||||
|
- &buffer.buffer,
|
||||||
|
- &buffer.buffer_len,
|
||||||
|
- error)) {
|
||||||
|
- g_set_error (error,
|
||||||
|
- GXPS_ERROR,
|
||||||
|
- GXPS_ERROR_SOURCE_NOT_FOUND,
|
||||||
|
- "Image source %s not found in archive",
|
||||||
|
- image_uri);
|
||||||
|
- return NULL;
|
||||||
|
- }
|
||||||
|
+ if (!gxps_archive_read_entry (zip, image_uri,
|
||||||
|
+ &buffer.buffer,
|
||||||
|
+ &buffer.buffer_len,
|
||||||
|
+ error)) {
|
||||||
|
+ return NULL;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
buffer.pos = 0;
|
||||||
|
|
||||||
|
--
|
||||||
|
2.18.1
|
||||||
|
|
28
srcpkgs/libgxps/patches/CVE-2018-10767.patch
Normal file
28
srcpkgs/libgxps/patches/CVE-2018-10767.patch
Normal file
|
@ -0,0 +1,28 @@
|
||||||
|
Source:
|
||||||
|
https://gitlab.gnome.org/GNOME/libgxps/commit/123dd99c6a1ae2ef6fcb5547e51fa58e8c954b51
|
||||||
|
|
||||||
|
From 123dd99c6a1ae2ef6fcb5547e51fa58e8c954b51 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Carlos Garcia Campos <carlosgc@gnome.org>
|
||||||
|
Date: Fri, 8 Dec 2017 11:11:38 +0100
|
||||||
|
Subject: [PATCH] gxps-images: fix integer overflow in png decoder
|
||||||
|
|
||||||
|
---
|
||||||
|
libgxps/gxps-images.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git libgxps/gxps-images.c libgxps/gxps-images.c
|
||||||
|
index 98c7052..19cb1c0 100644
|
||||||
|
--- libgxps/gxps-images.c
|
||||||
|
+++ libgxps/gxps-images.c
|
||||||
|
@@ -286,7 +286,7 @@ gxps_images_create_from_png (GXPSArchive *zip,
|
||||||
|
}
|
||||||
|
|
||||||
|
stride = cairo_format_stride_for_width (format, png_width);
|
||||||
|
- if (stride < 0) {
|
||||||
|
+ if (stride < 0 || png_height >= INT_MAX / stride) {
|
||||||
|
fill_png_error (error, image_uri, NULL);
|
||||||
|
g_object_unref (stream);
|
||||||
|
png_destroy_read_struct (&png, &info, NULL);
|
||||||
|
--
|
||||||
|
2.18.1
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
# Template file for 'libgxps'
|
# Template file for 'libgxps'
|
||||||
pkgname=libgxps
|
pkgname=libgxps
|
||||||
version=0.3.0
|
version=0.3.0
|
||||||
revision=1
|
revision=2
|
||||||
build_style=meson
|
build_style=meson
|
||||||
configure_args="-Denable-test=false -Ddisable-introspection=$(vopt_if gir false true)"
|
configure_args="-Denable-test=false -Ddisable-introspection=$(vopt_if gir false true)"
|
||||||
hostmakedepends="pkg-config $(vopt_if gir gobject-introspection)"
|
hostmakedepends="pkg-config $(vopt_if gir gobject-introspection)"
|
||||||
|
|
Loading…
Reference in a new issue