Source: imlib2
Version: 1.4.6-2+deb8u1
Severity: important
Tags: security jessie upstream fixed-upstream patch
Dear Maintainer,
imlib2 commit v1.4.6-19-g143f299 fixes a potentially exploitable
integer overflow.
https://git.enlightenment.org/legacy/imlib2.git/commit/?id=143f299
Please apply this patch to jessie (it is already in 1.4.7 in stretch/sid).
-- System Information:
Debian Release: 8.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable'), (100, 'proposed-updates')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
From 143f2993d7ccb73b26bb83abac6fa86f443981f9 Mon Sep 17 00:00:00 2001
From: Fabian Keil <f...@fabiankeil.de>
Date: Wed, 3 Dec 2014 15:00:48 +0100
Subject: [PATCH] Make IMAGE_DIMENSIONS_OK() more restrictive
Prevents invalid reads and unreasonably large memory allocations
with input/queue/id:000210,src:000114,op:int32,pos:3,val:be:+32,+cov:
==20321== Invalid read of size 1
==20321== at 0x1FCDB16: __imlib_ScaleAARGB (scale.c:1043)
==20321== by 0x1F9BF81: __imlib_RenderImage (rend.c:409)
==20321== by 0x1F0F82C: imlib_render_image_part_on_drawable_at_size (api.c:1886)
==20321== by 0x40CD75: gib_imlib_render_image_part_on_drawable_at_size (gib_imlib.c:231)
==20321== by 0x42C732: winwidget_render_image (winwidget.c:576)
==20321== by 0x417ACA: feh_event_handle_keypress (keyevents.c:598)
==20321== by 0x4190DE: feh_main_iteration (main.c:119)
==20321== by 0x418F45: main (main.c:82)
==20321== Address 0x3a12e034 is 12 bytes before a block of size 1,965,846,976 alloc'd
==20321== at 0x103D293: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
==20321== by 0x5B3D1F1: load (loader_pnm.c:149)
==20321== by 0x1F7D70F: __imlib_LoadImage (image.c:1041)
==20321== by 0x1F090E4: imlib_load_image_with_error_return (api.c:1299)
==20321== by 0x40F47B: feh_load_image (imlib.c:252)
==20321== by 0x42CA0E: winwidget_loadimage (winwidget.c:753)
==20321== by 0x42C918: winwidget_create_from_file (winwidget.c:126)
==20321== by 0x421869: init_slideshow_mode (slideshow.c:62)
==20321== by 0x418F13: main (main.c:78)
---
src/lib/image.h | 7 +++++--
src/lib/rend.c | 4 ----
2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/src/lib/image.h b/src/lib/image.h
index da82576..0175e94 100644
--- a/src/lib/image.h
+++ b/src/lib/image.h
@@ -184,8 +184,11 @@ __hidden void __imlib_SaveImage(ImlibImage *im, const char *file,
#define SET_FLAG(flags, f) ((flags) |= (f))
#define UNSET_FLAG(flags, f) ((flags) &= (~f))
+/* The maximum pixmap dimension is 65535. */
+/* However, for now, use 46340 (46340^2 < 2^31) to avoid buffer overflow issues. */
+# define X_MAX_DIM 46340
+
#define IMAGE_DIMENSIONS_OK(w, h) \
- ( ((w) > 0) && ((h) > 0) && \
- ((unsigned long long)(w) * (unsigned long long)(h) <= (1ULL << 29) - 1) )
+ ( ((w) > 0) && ((h) > 0) && ((w) < X_MAX_DIM) && ((h) < X_MAX_DIM) )
#endif
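Review bot: the new condition on the `+` line replaces, rather than supplements, the pixel-count bound on the two `-` lines, so IMAGE_DIMENSIONS_OK now accepts any image up to 46339 x 46339 pixels (about 2^31 pixels, four times the previous cap of 2^29 - 1); that is less restrictive on total size than before, which sits oddly with the subject line, and it leaves only the `46340^2 < 2^31` rationale in the comment to protect whatever arithmetic the callers do on the product. Suggest keeping `((unsigned long long)(w) * (unsigned long long)(h) <= (1ULL << 29) - 1)` in addition to the two new per-dimension tests. Minor: `# define X_MAX_DIM 46340` has a space after `#`, unlike the other defines in this header.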
diff --git a/src/lib/rend.c b/src/lib/rend.c
index 2d7934b..44be783 100644
--- a/src/lib/rend.c
+++ b/src/lib/rend.c
@@ -16,10 +16,6 @@
#include "scale.h"
#include "ximage.h"
-/* The maximum pixmap dimension is 65535. */
-/* However, for now, use 46340 (46340^2 < 2^31) to avoid buffer overflow issues. */
-#define X_MAX_DIM 46340
-
/* size of the lines per segment we scale / render at a time */
#define LINESIZE 16
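Review bot: removing the X_MAX_DIM definition here makes rend.c depend on the copy that now lives in image.h, but the visible context shows only `scale.h` and `ximage.h` being included; confirm that rend.c reaches image.h (directly or through one of those headers) so its remaining uses of X_MAX_DIM still compile, and that no other source file carried its own duplicate definition that would now conflict with the header.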
--
2.1.4
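To make the trade-off in the commit message concrete, here is an added C example (not imlib2's code) that reimplements the pre-patch and post-patch IMAGE_DIMENSIONS_OK conditions as plain functions, beside a hypothetical hardened check that keeps both the per-dimension cap and the pixel-count cap and derives the buffer size with explicit overflow guards. The constants X_MAX_DIM and the 2^29 - 1 cap are taken from the patch; the 4-bytes-per-pixel figure, the function names and the sample dimensions are assumptions constructed for illustration.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constants from the patch: the per-dimension cap it introduces and the
 * pixel-count cap (2^29 - 1) it removes. */
#define X_MAX_DIM   46340
#define MAX_PIXELS  ((1ULL << 29) - 1)
/* Assumed pixel size for a 32-bit ARGB buffer (illustrative, not from the patch). */
#define BYTES_PER_PIXEL 4ULL

/* The condition as it was before the patch: positive dimensions and a
 * bounded product, computed in 64 bits so the multiply cannot overflow. */
bool old_dimensions_ok(long long w, long long h)
{
    return w > 0 && h > 0 &&
           (unsigned long long)w * (unsigned long long)h <= MAX_PIXELS;
}

/* The condition after the patch: positive and each side below X_MAX_DIM.
 * The product is now only implicitly bounded, at roughly 46339^2. */
bool patched_dimensions_ok(long long w, long long h)
{
    return w > 0 && h > 0 && w < X_MAX_DIM && h < X_MAX_DIM;
}

/* Hypothetical hardened check (not part of the patch): keep both the
 * per-dimension cap and the pixel-count cap, then derive the byte size
 * with an explicit overflow test instead of trusting w * h * 4.
 * Returns the buffer size in bytes, or 0 when the dimensions are rejected. */
size_t hardened_buffer_bytes(long long w, long long h)
{
    if (!(w > 0 && h > 0 && w < X_MAX_DIM && h < X_MAX_DIM))
        return 0;
    unsigned long long pixels = (unsigned long long)w * (unsigned long long)h;
    if (pixels > MAX_PIXELS)
        return 0;
    /* Guard the final multiply against wrapping in size_t. */
    if (pixels > SIZE_MAX / BYTES_PER_PIXEL)
        return 0;
    return (size_t)(pixels * BYTES_PER_PIXEL);
}

/* What a loader that sized its buffer in 32-bit arithmetic would compute
 * for the same dimensions: the value wraps modulo 2^32, which is the class
 * of bug a pixel-count cap is there to rule out. Done in unsigned
 * arithmetic so the wrap is well-defined rather than undefined behaviour. */
uint32_t wrapped_u32_bytes(long long w, long long h)
{
    uint32_t uw = (uint32_t)w, uh = (uint32_t)h;
    return uw * uh * (uint32_t)BYTES_PER_PIXEL;
}

int main(void)
{
    /* Constructed sample dimensions: the old and patched checks disagree on
     * the middle rows, and the 46339 x 46339 row shows the 32-bit wrap. */
    const long long samples[][2] = {
        {23170, 23170}, {23171, 23171}, {1, 536870911}, {46339, 46339}, {46340, 1}
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long long w = samples[i][0], h = samples[i][1];
        printf("%lld x %lld: old=%d patched=%d hardened_bytes=%zu u32_bytes=%" PRIu32 "\n",
               w, h, old_dimensions_ok(w, h), patched_dimensions_ok(w, h),
               hardened_buffer_bytes(w, h), wrapped_u32_bytes(w, h));
    }
    return 0;
}
```

The 23171 x 23171 row is the interesting one: it passes the patched per-dimension test but exceeds the 2^29 - 1 pixel cap the patch removed, so a caller that still relies on that cap somewhere downstream has lost its guarantee; keeping both conditions, as hardened_buffer_bytes does, costs one 64-bit multiply.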