File gdk-pixbuf-toplevel-overflow-checks.patch of Package gdk-pixbuf.33887

From dbe2df05bc0e1eb3607fb40c983d97b3628074de Mon Sep 17 00:00:00 2001
From: Federico Mena Quintero <federico@gnome.org>
Date: Fri, 24 Nov 2017 15:09:55 -0600
Subject: [PATCH 1/5] Require glib 2.48.0 for the overflow-checked arithmetic
 macros

---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index 5846e5764..87523bff7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -26,7 +26,7 @@ m4_define([gdk_pixbuf_binary_version], [2.10.0])
 
 
 # required versions of other packages
-m4_define([glib_required_version], [2.37.6])
+m4_define([glib_required_version], [2.48.0])
 
 AC_INIT([gdk-pixbuf], [gdk_pixbuf_version],
         [http://bugzilla.gnome.org/enter_bug.cgi?product=gdk-pixbuf],
-- 
2.14.1

From a95dee2cfc2614a72c2da87fe91c0b8a23bba525 Mon Sep 17 00:00:00 2001
From: Dhiru Kholia <dhiru.kholia@gmail.com>
Date: Wed, 7 Sep 2016 05:42:00 +0000
Subject: [PATCH 2/5] Avoid undefined behavior

Doing overflow checks with signed integers invokes undefined
behavior and induces modern compilers to omit the checks altogether.
Avoid this by doing the overflow check with unsigned integers.

https://bugzilla.gnome.org/show_bug.cgi?id=770986
---
 gdk-pixbuf/gdk-pixbuf.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/gdk-pixbuf/gdk-pixbuf.c b/gdk-pixbuf/gdk-pixbuf.c
index ca7c4752f..aaf840bcd 100644
--- a/gdk-pixbuf/gdk-pixbuf.c
+++ b/gdk-pixbuf/gdk-pixbuf.c
@@ -439,8 +439,8 @@ gdk_pixbuf_new (GdkColorspace colorspace,
                 int           height)
 {
 	guchar *buf;
-	int channels;
-	int rowstride;
+	unsigned int channels;
+	unsigned int rowstride;
 
 	g_return_val_if_fail (colorspace == GDK_COLORSPACE_RGB, NULL);
 	g_return_val_if_fail (bits_per_sample == 8, NULL);
@@ -448,7 +448,7 @@ gdk_pixbuf_new (GdkColorspace colorspace,
 	g_return_val_if_fail (height > 0, NULL);
 
 	channels = has_alpha ? 4 : 3;
-        rowstride = width * channels;
+        rowstride = (unsigned) width * channels;
         if (rowstride / channels != width || rowstride + 3 < 0) /* overflow */
                 return NULL;
         
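Review bot: The second half of the guard, `rowstride + 3 < 0`, can never be true now that `rowstride` is `unsigned int`, so after this change only the multiplication is checked. The alignment add that follows outside this hunk is left unguarded against wrap-around. With unsigned arithmetic the comparison has to be made against the limit before adding, e.g. `if (rowstride / channels != width || rowstride > G_MAXUINT - 3)`. Patch 3/5 of this series rewrites the check in that form, but taken alone this commit leaves a dead condition that reads like a working overflow test.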
-- 
2.14.1

From c2ddabaacba3417a6d6042363ec900bd15e0bf01 Mon Sep 17 00:00:00 2001
From: Philip Withnall <withnall@endlessm.com>
Date: Mon, 16 Jan 2017 10:13:48 +0000
Subject: [PATCH 3/5] gdk-pixbuf: Fix overflow check in gdk_pixbuf_new()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The recommended way to do an overflow check is to check against the
limit you have in mind, rather than doing the calculation and seeing if
it failed.

Fix this by rearranging the check: move the variables we control (or
have previously checked) over to one side, leaving the unknown variable
on its own on the left-hand side. This ensures the overflow check
doesn’t overflow itself.

Coverity ID: 1388538

https://bugzilla.gnome.org/show_bug.cgi?id=777315
---
 gdk-pixbuf/gdk-pixbuf.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/gdk-pixbuf/gdk-pixbuf.c b/gdk-pixbuf/gdk-pixbuf.c
index aaf840bcd..bd57fa974 100644
--- a/gdk-pixbuf/gdk-pixbuf.c
+++ b/gdk-pixbuf/gdk-pixbuf.c
@@ -448,12 +448,13 @@ gdk_pixbuf_new (GdkColorspace colorspace,
 	g_return_val_if_fail (height > 0, NULL);
 
 	channels = has_alpha ? 4 : 3;
-        rowstride = (unsigned) width * channels;
-        if (rowstride / channels != width || rowstride + 3 < 0) /* overflow */
-                return NULL;
-        
+
+	/* Overflow? */
+	if (width > (G_MAXUINT - 3) / channels)
+		return NULL;
+
 	/* Always align rows to 32-bit boundaries */
-	rowstride = (rowstride + 3) & ~3;
+	rowstride = (width * channels + 3) & ~3;
 
 	buf = g_try_malloc_n (height, rowstride);
 	if (!buf)
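Review bot: The comparison `width > (G_MAXUINT - 3) / channels` mixes the signed `width` with an unsigned right-hand side, so it is exact only because `width > 0` was asserted a few lines above; nothing in the code states that dependency. Making the conversion explicit, `if ((guint) width > (G_MAXUINT - 3) / channels)`, or extending the comment to `/* width > 0 here, so the unsigned comparison is exact */`, would keep a later reordering of the checks from silently changing what is tested. The same implicit conversion recurs in the G_MAXINT form of the check in patches 4/5 and 5/5. gdk_pixbuf_new's body continues outside the hunk.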
-- 
2.14.1

From f4b7de652552551aa79ea973002acda1fc06963d Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Thu, 27 Jul 2017 12:12:27 +0100
Subject: [PATCH 4/5] gdk-pixbuf: Tighten rowstride overflow check

The rowstride is stored as an int, and is an int in the public API.
Making it an unsigned int for those calculations would increase
the limit, which would obviously cause problems when the calculated
value ends up in the positive range between G_MAXINT and G_MAXUINT.

https://bugzilla.gnome.org/show_bug.cgi?id=765094
---
 gdk-pixbuf/gdk-pixbuf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gdk-pixbuf/gdk-pixbuf.c b/gdk-pixbuf/gdk-pixbuf.c
index bd57fa974..b5defec18 100644
--- a/gdk-pixbuf/gdk-pixbuf.c
+++ b/gdk-pixbuf/gdk-pixbuf.c
@@ -440,7 +440,7 @@ gdk_pixbuf_new (GdkColorspace colorspace,
 {
 	guchar *buf;
 	unsigned int channels;
-	unsigned int rowstride;
+	int rowstride;
 
 	g_return_val_if_fail (colorspace == GDK_COLORSPACE_RGB, NULL);
 	g_return_val_if_fail (bits_per_sample == 8, NULL);
@@ -450,7 +450,7 @@ gdk_pixbuf_new (GdkColorspace colorspace,
 	channels = has_alpha ? 4 : 3;
 
 	/* Overflow? */
-	if (width > (G_MAXUINT - 3) / channels)
+	if (width > (G_MAXINT - 3) / channels)
 		return NULL;
 
 	/* Always align rows to 32-bit boundaries */
-- 
2.14.1

From a561ee715901161528181bcfd158ff976c28c2cd Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Wed, 26 Jul 2017 17:01:57 +0200
Subject: [PATCH 5/5] gdk-pixbuf: Add gdk_pixbuf_calculate_rowstride()

To calculate the rowstride without allocating memory!

https://bugzilla.gnome.org/show_bug.cgi?id=765094
---
 gdk-pixbuf/gdk-pixbuf-core.h |  6 +++++
 gdk-pixbuf/gdk-pixbuf.c      | 59 ++++++++++++++++++++++++++++++++++----------
 2 files changed, 52 insertions(+), 13 deletions(-)

diff --git a/gdk-pixbuf/gdk-pixbuf-core.h b/gdk-pixbuf/gdk-pixbuf-core.h
index 5d41a1598..5dae8782c 100644
--- a/gdk-pixbuf/gdk-pixbuf-core.h
+++ b/gdk-pixbuf/gdk-pixbuf-core.h
@@ -252,6 +252,12 @@ GBytes *      gdk_pixbuf_read_pixel_bytes    (const GdkPixbuf  *pixbuf);
 GdkPixbuf *gdk_pixbuf_new (GdkColorspace colorspace, gboolean has_alpha, int bits_per_sample,
 			   int width, int height);
 
+gint gdk_pixbuf_calculate_rowstride (GdkColorspace colorspace,
+				     gboolean      has_alpha,
+				     int           bits_per_sample,
+				     int           width,
+				     int           height);
+
 /* Copy a pixbuf */
 
 GdkPixbuf *gdk_pixbuf_copy (const GdkPixbuf *pixbuf);
diff --git a/gdk-pixbuf/gdk-pixbuf.c b/gdk-pixbuf/gdk-pixbuf.c
index b5defec18..16a582f94 100644
--- a/gdk-pixbuf/gdk-pixbuf.c
+++ b/gdk-pixbuf/gdk-pixbuf.c
@@ -416,6 +416,46 @@ free_buffer (guchar *pixels, gpointer data)
 	g_free (pixels);
 }
 
+/**
+ * gdk_pixbuf_calculate_rowstride:
+ * @colorspace: Color space for image
+ * @has_alpha: Whether the image should have transparency information
+ * @bits_per_sample: Number of bits per color sample
+ * @width: Width of image in pixels, must be > 0
+ * @height: Height of image in pixels, must be > 0
+ *
+ * Calculates the rowstride that an image created with those values would
+ * have. This is useful for front-ends and backends that want to sanity
+ * check image values without needing to create them.
+ *
+ * Return value: the rowstride for the given values, or -1 in case of error.
+ *
+ * Since: 2.36.8
+ */
+gint
+gdk_pixbuf_calculate_rowstride (GdkColorspace colorspace,
+				gboolean      has_alpha,
+				int           bits_per_sample,
+				int           width,
+				int           height)
+{
+	unsigned int channels;
+
+	g_return_val_if_fail (colorspace == GDK_COLORSPACE_RGB, -1);
+	g_return_val_if_fail (bits_per_sample == 8, -1);
+	g_return_val_if_fail (width > 0, -1);
+	g_return_val_if_fail (height > 0, -1);
+
+	channels = has_alpha ? 4 : 3;
+
+	/* Overflow? */
+	if (width > (G_MAXINT - 3) / channels)
+		return -1;
+
+	/* Always align rows to 32-bit boundaries */
+	return (width * channels + 3) & ~3;
+}
+
 /**
  * gdk_pixbuf_new:
  * @colorspace: Color space for image
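Review bot: `height` is checked for being positive but never enters the result, while the doc comment presents the function as a way to sanity-check image values, so a caller vetting dimensions read from an image file could take a non-negative return to mean the whole buffer size is safe. The comment should state that only the per-row size is validated and that `height * rowstride` still has to be bounded by the caller (gdk_pixbuf_new leaves that to `g_try_malloc_n`). Separately, the argument checks use `g_return_val_if_fail`, which logs a critical and is compiled out under `G_DISABLE_CHECKS`. For a function meant to be handed unvetted values, a plain `if (width <= 0 || height <= 0) return -1;` would make the documented -1 result part of the contract rather than a side effect of a precondition macro.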
@@ -439,23 +479,16 @@ gdk_pixbuf_new (GdkColorspace colorspace,
                 int           height)
 {
 	guchar *buf;
-	unsigned int channels;
 	int rowstride;
 
-	g_return_val_if_fail (colorspace == GDK_COLORSPACE_RGB, NULL);
-	g_return_val_if_fail (bits_per_sample == 8, NULL);
-	g_return_val_if_fail (width > 0, NULL);
-	g_return_val_if_fail (height > 0, NULL);
-
-	channels = has_alpha ? 4 : 3;
-
-	/* Overflow? */
-	if (width > (G_MAXINT - 3) / channels)
+	rowstride = gdk_pixbuf_calculate_rowstride (colorspace,
+						    has_alpha,
+						    bits_per_sample,
+						    width,
+						    height);
+	if (rowstride <= 0)
 		return NULL;
 
-	/* Always align rows to 32-bit boundaries */
-	rowstride = (width * channels + 3) & ~3;
-
 	buf = g_try_malloc_n (height, rowstride);
 	if (!buf)
 		return NULL;
-- 
2.14.1
