imlib2: security bump to version 1.4.9

It already includes the fixes for CVE-2016-3994 and CVE-2011-5326 so drop the patches, and additionally fixes: CVE-2016-4024 - integer overflow in imlib2, which result in insufficient heap allocation. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-05-01 10:34:47 -03:00 · 2016-05-01 10:34:47 -03:00 · 69a30b2817
parent 2512fcf41f
commit 69a30b2817
4 changed files with 4 additions and 179 deletions
--- a/package/imlib2/0001-fix-CVE-2016-3994.patch
+++ b/package/imlib2/0001-fix-CVE-2016-3994.patch
@ -1,71 +0,0 @@
-From 37a96801663b7b4cd3fbe56cc0eb8b6a17e766a8 Mon Sep 17 00:00:00 2001
-From: Kim Woelders <kim@woelders.dk>
-Date: Sun, 3 Apr 2016 19:40:25 +0200
-Subject: [PATCH] GIF loader: Fix out-of-bound reads from colormap.
-
-Bug-Debian: http://bugs.debian.org/785369
-Note: removes all special-casing from the inner loop, optimize for common case.
-Author: Yuriy M. Kaminskiy <yumkam+debian@gmail.com>
-Reported-By: Jakub Wilk <jwilk@debian.org>
-
-Thanks to Bernhard U:belacker <bernhardu@vr-web.de> for analysis.
-
-Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
- src/modules/loaders/loader_gif.c | 31 +++++++++++++++++--------------
- 1 file changed, 17 insertions(+), 14 deletions(-)
-
-diff --git a/src/modules/loaders/loader_gif.c b/src/modules/loaders/loader_gif.c
-index 638df59..4f08d64 100644
--- a/src/modules/loaders/loader_gif.c
-+++ b/src/modules/loaders/loader_gif.c
-@@ -141,8 +141,24 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
- 
-    if (im->loader || immediate_load || progress)
-      {
-+        DATA32 colormap[256];
-+
-         bg = gif->SBackGroundColor;
-         cmap = (gif->Image.ColorMap ? gif->Image.ColorMap : gif->SColorMap);
-+        memset (colormap, 0, sizeof(colormap));
-+        if (cmap != NULL)
-+           {
-+              for (i = cmap->ColorCount > 256 ? 256 : cmap->ColorCount; i-- > 0;)
-+                 {
-+                    r = cmap->Colors[i].Red;
-+                    g = cmap->Colors[i].Green;
-+                    b = cmap->Colors[i].Blue;
-+                    colormap[i] = (0xff << 24) | (r << 16) | (g << 8) | b;
-+                 }
-+              /* if bg > cmap->ColorCount, it is transparent black already */
-+              if (transp >= 0 && transp < 256)
-+                 colormap[transp] = bg >= 0 && bg < 256 ? colormap[bg] & 0x00ffffff : 0x00000000;
-+           }
-         im->data = (DATA32 *) malloc(sizeof(DATA32) * w * h);
-         if (!im->data)
-            goto quit;
-@@ -161,20 +177,7 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
-           {
-              for (j = 0; j < w; j++)
-                {
-                  if (rows[i][j] == transp)
-                    {
-                       r = cmap->Colors[bg].Red;
-                       g = cmap->Colors[bg].Green;
-                       b = cmap->Colors[bg].Blue;
-                       *ptr++ = 0x00ffffff & ((r << 16) | (g << 8) | b);
-                    }
-                  else
-                    {
-                       r = cmap->Colors[rows[i][j]].Red;
-                       g = cmap->Colors[rows[i][j]].Green;
-                       b = cmap->Colors[rows[i][j]].Blue;
-                       *ptr++ = (0xff << 24) | (r << 16) | (g << 8) | b;
-                    }
-+                  *ptr++ = colormap[rows[i][j]];
-                   per += per_inc;
-                   if (progress && (((int)per) != last_per)
-                       && (((int)per) % progress_granularity == 0))
-- 
-2.7.3
-
--- a/package/imlib2/0002-fix-CVE-2011-5326.patch
+++ b/package/imlib2/0002-fix-CVE-2011-5326.patch
@ -1,104 +0,0 @@
-From c94d83ccab15d5ef02f88d42dce38ed3f0892882 Mon Sep 17 00:00:00 2001
-From: Kim Woelders <kim@woelders.dk>
-Date: Wed, 6 Apr 2016 17:42:17 +0200
-Subject: [PATCH] Fix potential divide-by-zero in imlib_image_draw_ellipse().
-
-Attempting to draw a 2x1 ellipse with e.g. imlib_image_draw_ellipse(x, y, 2, 1)
-causes a divide-by-zero.
-It seems happy enough to draw 1x1, 1x2 and 2x2, but not 2x1.
-
-Patch by Simon Lees.
-
-https://bugs.debian.org/639414
-Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
---
- src/lib/ellipse.c | 24 ++++++++++++++++++++++++
- 1 file changed, 24 insertions(+)
-
-diff --git a/src/lib/ellipse.c b/src/lib/ellipse.c
-index cd90268..ddb410b 100644
--- a/src/lib/ellipse.c
-+++ b/src/lib/ellipse.c
-@@ -71,6 +71,9 @@ __imlib_Ellipse_DrawToData(int xc, int yc, int a, int b, DATA32 color,
-         if (IN_RANGE(rx, by, clw, clh))
-            pfunc(color, bp + len);
- 
-+        if (dx < 1)
-+           dx = 1;
-+
-         dy += b2;
-         yy -= ((dy << 16) / dx);
-         lx--;
-@@ -123,6 +126,9 @@ __imlib_Ellipse_DrawToData(int xc, int yc, int a, int b, DATA32 color,
-         if (IN_RANGE(rx, by, clw, clh))
-            pfunc(color, bp + len);
- 
-+        if (dy < 1)
-+           dy = 1;
-+
-         dx -= a2;
-         xx += ((dx << 16) / dy);
-         ty++;
-@@ -222,6 +228,9 @@ __imlib_Ellipse_DrawToData_AA(int xc, int yc, int a, int b, DATA32 color,
-         if (IN_RANGE(rx, by, clw, clh))
-            pfunc(col1, bp + len);
- 
-+        if (dx < 1)
-+           dx = 1;
-+
-         dy += b2;
-         yy -= ((dy << 16) / dx);
-         lx--;
-@@ -295,6 +304,9 @@ __imlib_Ellipse_DrawToData_AA(int xc, int yc, int a, int b, DATA32 color,
-         if (IN_RANGE(rx, by, clw, clh))
-            pfunc(col1, bp + len);
- 
-+        if (dy < 1)
-+           dy = 1;
-+
-         dx -= a2;
-         xx += ((dx << 16) / dy);
-         ty++;
-@@ -395,6 +407,9 @@ __imlib_Ellipse_FillToData(int xc, int yc, int a, int b, DATA32 color,
-         if (IN_RANGE(rx, by, clw, clh))
-            pfunc(color, bp + len);
- 
-+        if (dx < 1)
-+           dx = 1;
-+
-         dy += b2;
-         yy -= ((dy << 16) / dx);
-         lx--;
-@@ -453,6 +468,9 @@ __imlib_Ellipse_FillToData(int xc, int yc, int a, int b, DATA32 color,
-         if (((unsigned)by < (unsigned)clh) && (len > 0))
-            sfunc(color, bpp, len);
- 
-+        if (dy < 1)
-+           dy = 1;
-+
-         dx -= a2;
-         xx += ((dx << 16) / dy);
-         ty++;
-@@ -556,6 +574,9 @@ __imlib_Ellipse_FillToData_AA(int xc, int yc, int a, int b, DATA32 color,
-         if (IN_RANGE(rx, by, clw, clh))
-            pfunc(col1, bp + len);
- 
-+        if (dx < 1)
-+           dx = 1;
-+
-         dy += b2;
-         yy -= ((dy << 16) / dx);
-         lx--;
-@@ -629,6 +650,9 @@ __imlib_Ellipse_FillToData_AA(int xc, int yc, int a, int b, DATA32 color,
-         if (IN_RANGE(rx, by, clw, clh))
-            pfunc(col1, bp + len);
- 
-+        if (dy < 1)
-+           dy = 1;
-+
-         dx -= a2;
-         xx += ((dx << 16) / dy);
-         ty++;
-- 
-2.7.3
-
--- a/package/imlib2/imlib2.hash
+++ b/package/imlib2/imlib2.hash
@ -1,3 +1,3 @@
-# From https://sourceforge.net/projects/enlightenment/files/imlib2-src/1.4.8/
-md5	97cf1007b0339102974ce20c8f17c249	imlib2-1.4.8.tar.bz2
-sha1	09759f9cd0bb530a738032d06b29edf0038f2052	imlib2-1.4.8.tar.bz2
+# From https://sourceforge.net/projects/enlightenment/files/imlib2-src/1.4.9/
+md5	23ef8b49f2793bc63b16839a2062298b	imlib2-1.4.9.tar.bz2
+sha1	f389d67c337b604a365e620b0083b2d342dd724e	imlib2-1.4.9.tar.bz2
--- a/package/imlib2/imlib2.mk
+++ b/package/imlib2/imlib2.mk
@ -4,7 +4,7 @@
 #
 ################################################################################

-IMLIB2_VERSION = 1.4.8
+IMLIB2_VERSION = 1.4.9
 IMLIB2_SOURCE = imlib2-$(IMLIB2_VERSION).tar.bz2
 IMLIB2_SITE = http://downloads.sourceforge.net/project/enlightenment/imlib2-src/$(IMLIB2_VERSION)
 IMLIB2_LICENSE = imlib2 license