File gnash-CVE-2012-1175.diff of Package gnash

From bb4dc77eecb6ed1b967e3ecbce3dac6c5e6f1527 Mon Sep 17 00:00:00 2001
From: Benjamin Wolsey <bwy@benjaminwolsey.de>
Date: Sat, 10 Mar 2012 14:52:50 +0000
Subject: Fix crash in GnashImage.cpp

---
---
 libbase/GnashImage.cpp |   23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

--- a/libbase/GnashImage.cpp
+++ b/libbase/GnashImage.cpp
@@ -24,6 +24,7 @@
 #include <memory>        // for auto_ptr
 #include <boost/scoped_array.hpp>
 #include <boost/shared_ptr.hpp>
+#include <cassert>
 
 #include "FileTypes.h"
 #include "GnashImage.h"
@@ -42,6 +43,21 @@ namespace gnash
 
 namespace {
     void processAlpha(GnashImage::iterator imageData, size_t pixels);
+    bool checkValidSize(size_t width, size_t height, size_t channels) {
+
+        if (width == 0 || height == 0) return false;
+
+        assert(channels > 0);
+
+        boost::uint32_t maxSize = std::numeric_limits<boost::int32_t>::max();
+        if (width >= maxSize || height >= maxSize) return false;
+
+        maxSize /= channels;
+        maxSize /= width;
+        maxSize /= height;
+
+        return maxSize > 0;
+    }
 }
 
 GnashImage::GnashImage(iterator data, size_t width, size_t height,
@@ -53,6 +69,8 @@ GnashImage::GnashImage(iterator data, si
     _height(height),
     _data(data)
 {
+    // Callers should check dimensions
+    assert(checkValidSize(_width, _height, channels()));
 }
 
 /// Create an image allocating a buffer of height*pitch bytes
@@ -64,8 +82,9 @@ GnashImage::GnashImage(size_t width, siz
     _width(width),
     _height(height)
 {
-    const size_t max = std::numeric_limits<boost::int32_t>::max();
-    if (size() > max) {
+    // Constructed from external input, so restrict dimensions to avoid
+    // overflow in size calculations
+    if (!checkValidSize(_width, _height, channels())) {
         throw std::bad_alloc();
     }
     _data.reset(new value_type[size()]);
openSUSE Build Service is sponsored by