Hi,

Attached is a debdiff of the changes I made for my 2.6.3.2.2-3.1 NMU.

Cheers,
Giuseppe
diff -u wxwidgets2.6-2.6.3.2.2/debian/changelog 
wxwidgets2.6-2.6.3.2.2/debian/changelog
--- wxwidgets2.6-2.6.3.2.2/debian/changelog
+++ wxwidgets2.6-2.6.3.2.2/debian/changelog
@@ -1,3 +1,12 @@
+wxwidgets2.6 (2.6.3.2.2-3.1) unstable; urgency=low
+
+  * Non-maintainer upload.
+  * Fixed Integer overflow in the wxImage::Create function.
+    (CVE-2009-2369) (Closes: #537175)
+  * Avoid name clashes with GSocket from glib 2.21+ and fixed FTBFS
+
+ -- Giuseppe Iuculano <iucul...@debian.org>  Sat, 03 Oct 2009 12:57:53 +0200
+
 wxwidgets2.6 (2.6.3.2.2-3) unstable; urgency=low
 
   * Take the flavour from the changelog, not the top dirname.  sbuild has
only in patch2:
unchanged:
--- wxwidgets2.6-2.6.3.2.2.orig/src/common/imagtiff.cpp
+++ wxwidgets2.6-2.6.3.2.2/src/common/imagtiff.cpp
@@ -232,15 +232,25 @@
     }
 
     uint32 w, h;
-    uint32 npixels;
     uint32 *raster;
 
     TIFFGetField( tif, TIFFTAG_IMAGEWIDTH, &w );
     TIFFGetField( tif, TIFFTAG_IMAGELENGTH, &h );
 
-    npixels = w * h;
+    // guard against integer overflow during multiplication which could result
+    // in allocating a too small buffer and then overflowing it
+    const double bytesNeeded = (double)w * (double)h * sizeof(uint32);
+    if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ )
+    {
+        if ( verbose )
+            wxLogError( _("TIFF: Image size is abnormally big.") );
+
+        TIFFClose(tif);
+
+        return false;
+    }
 
-    raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) );
+    raster = (uint32*) _TIFFmalloc( bytesNeeded );
 
     if (!raster)
     {
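Review bot: The `double` value `bytesNeeded` is passed straight to `_TIFFmalloc`, so the allocation size depends on an implicit floating-point-to-integer conversion into whatever size type that function takes. If that type is a signed 32-bit `tsize_t`, as in some libtiff versions, sizes between 2^31 and the `4294967295U` limit pass the guard but do not fit the parameter, and the requested size is again not the one that was checked. The guard should be bounded by the maximum of the allocator's parameter type, with an explicit conversion after the check, e.g. `raster = (uint32*) _TIFFmalloc( (tsize_t)bytesNeeded );`. The function continues outside this hunk, so any later `w * h` arithmetic there would need the same guard.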
only in patch2:
unchanged:
--- wxwidgets2.6-2.6.3.2.2.orig/src/common/imagpng.cpp
+++ wxwidgets2.6-2.6.3.2.2/src/common/imagpng.cpp
@@ -570,18 +570,16 @@
     if (!image->Ok())
         goto error;
 
-    lines = (unsigned char **)malloc( (size_t)(height * sizeof(unsigned char 
*)) );
+    // initialize all line pointers to NULL to ensure that they can be safely
+    // free()d if an error occurs before all of them could be allocated
+    lines = (unsigned char **)calloc(height, sizeof(unsigned char *));
     if ( !lines )
         goto error;
 
     for (i = 0; i < height; i++)
     {
         if ((lines[i] = (unsigned char *)malloc( (size_t)(width * 
(sizeof(unsigned char) * 4)))) == NULL)
-        {
-            for ( unsigned int n = 0; n < i; n++ )
-                free( lines[n] );
             goto error;
-        }
     }
 
     png_read_image( png_ptr, lines );
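Review bot: With the per-row `free( lines[n] )` loop removed, rows already allocated when a later `malloc` fails are released only if the code at the `error` label frees every `lines[i]` before freeing `lines`. That label is outside this hunk, so this cannot be confirmed here. If it frees only `lines`, the change trades the old cleanup for a leak on the failure path. The label's cleanup should take the form `for ( i = 0; i < height; i++ ) free( lines[i] );` followed by `free( lines );`. It also needs an `if ( lines )` guard, because the `goto error` after `image->Ok()` is reached before the `calloc`.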
only in patch2:
unchanged:
--- wxwidgets2.6-2.6.3.2.2.orig/src/gtk/gsockgtk.cpp
+++ wxwidgets2.6-2.6.3.2.2/src/gtk/gsockgtk.cpp
@@ -14,8 +14,10 @@
 #include <stdlib.h>
 #include <stdio.h>
 
+#define GSocket GlibGSocket
 #include <gdk/gdk.h>
 #include <glib.h>
+#undef GSocket
 
 #include "wx/gsocket.h"
 #include "wx/unix/gsockunx.h"
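Review bot: The `#define GSocket GlibGSocket` / `#undef GSocket` pair around the GDK and GLib includes has no comment, and a macro that renames a library type is surprising to the next reader. A line such as `// glib 2.21+ declares its own GSocket; rename it while including glib so it does not clash with wx's GSocket` above the `#define` would record why it is there. The rename only takes effect where these headers are first included. Any other source file that includes both GLib and `wx/gsocket.h` would presumably need the same wrapper, but those files are not visible in this diff.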

Attachment: signature.asc
Description: OpenPGP digital signature
