From 9cc86a7f95129dcf8c75d3972acb3f4cd64f75e5 Mon Sep 17 00:00:00 2001
From: Jon Ciesla
Date: Apr 08 2009 14:40:08 +0000
Subject: CVE-2009-0792.
---
diff --git a/argyllcms-CVE-2009-0792.patch b/argyllcms-CVE-2009-0792.patch
new file mode 100644
index 0000000..d02d8f7
--- /dev/null
+++ b/argyllcms-CVE-2009-0792.patch
@@ -0,0 +1,166 @@
+--- icc/icc.c.orig 2009-04-08 08:38:40.000000000 -0400
++++ icc/icc.c 2009-04-08 08:54:08.000000000 -0400
+@@ -3312,7 +3312,7 @@ static int icmCurve_lookup_fwd(
+ rv |= 1;
+ }
+ ix = (unsigned int)floor(val); /* Coordinate */
+- if (ix > (p->size-2))
++ if (ix < 0 || ix > (p->size-2))
+ ix = (p->size-2);
+ w = val - (double)ix; /* weight */
+ val = p->data[ix];
+@@ -3334,6 +3334,11 @@ static int icmTable_setup_bwd(
+ ) {
+ unsigned int i;
+ 
++ if (size > INT_MAX - 2)
++ /* Although rt->size is unsigned long, the rt data
++ * structure uses int data types to store indices. */
++ return 2;
++
+ rt->size = size; /* Stash pointers to these away */
+ rt->data = data;
+ 
+@@ -3352,7 +3357,7 @@ static int icmTable_setup_bwd(
+ rt->qscale = (double)rt->rsize/(rt->rmax - rt->rmin); /* Scale factor to quantize to */
+ 
+ /* Initialize the reverse lookup structures, and get overall min/max */
+- if ((rt->rlists = (unsigned int **) icp->al->calloc(icp->al, 1, rt->rsize * sizeof(unsigned int *))) == NULL) {
++ if ((rt->rlists = (unsigned int **) icp->al->calloc(icp->al, rt->rsize, sizeof(int *))) == NULL) {
+ return 2;
+ }
+ 
+@@ -3365,6 +3370,16 @@ static int icmTable_setup_bwd(
+ int t;
+ t = s; s = e; e = t;
+ }
++
++ /* s and e should both be in the range [0,rt->rsize]
++ * now, but let's not rely on floating point
++ * calculations -- double-check. */
++ if (s < 0)
++ s = 0;
++ if (e < 0)
++ e = 0;
++ if (s >= rt->rsize)
++ s = rt->rsize-1;
+ if (e >= rt->rsize)
+ e = rt->rsize-1;
+ 
+@@ -3383,6 +3398,9 @@ static int icmTable_setup_bwd(
+ as = rt->rlists[j][0]; /* Allocate space for this list */
+ nf = rt->rlists[j][1]; /* Next free location in list */
+ if (nf >= as) { /* need to expand space */
++ if (as > INT_MAX / 2 / sizeof (int))
++ return 2;
++
+ as *= 2;
+ rt->rlists[j] = (unsigned int *) icp->al->realloc(icp->al,rt->rlists[j], sizeof(unsigned int) * as);
+ if (rt->rlists[j] == NULL) {
+@@ -3434,7 +3452,7 @@ static int icmTable_lookup_bwd(
+ val = rsize_1;
+ ix = (int)floor(val); /* Coordinate */
+ 
+- if (ix > (rt->size-2))
++ if (ix < 0 || ix > (rt->size-2))
+ ix = (rt->size-2);
+ if (rt->rlists[ix] != NULL) { /* There is a list of fwd candidates */
+ /* For each candidate forward range */
+@@ -3461,6 +3479,7 @@ static int icmTable_lookup_bwd(
+ /* We have failed to find an exact value, so return the nearest value */
+ /* (This is slow !) */
+ val = fabs(ival - rt->data[0]);
++ /* rt->size is known to be < INT_MAX */
+ for (k = 0, i = 1; i < rt->size; i++) {
+ double er;
+ er = fabs(ival - rt->data[i]);
+@@ -4704,7 +4723,7 @@ double *in /* Input array[inputChan] */
+ rv |= 1;
+ }
+ ix = (int)floor(val); /* Grid coordinate */
+- if (ix > (p->inputEnt-2))
++ if (ix < 0 || ix > (p->inputEnt-2))
+ ix = (p->inputEnt-2);
+ w = val - (double)ix; /* weight */
+ val = table[ix];
+@@ -4764,7 +4783,7 @@ double *in /* Input array[outputChan] *
+ rv |= 1;
+ }
+ x = (int)floor(val); /* Grid coordinate */
+- if (x > clutPoints_2)
++ if (x < 0 || x > clutPoints_2)
+ x = clutPoints_2;
+ co[e] = val - (double)x; /* 1.0 - weight */
+ gp += x * p->dinc[e]; /* Add index offset for base of cube */
+@@ -4838,7 +4857,7 @@ double *in /* Input array[outputChan] *
+ rv |= 1;
+ }
+ x = (int)floor(val); /* Grid coordinate */
+- if (x > clutPoints_2)
++ if (x < 0 || x > clutPoints_2)
+ x = clutPoints_2;
+ co[e] = val - (double)x; /* 1.0 - weight */
+ gp += x * p->dinc[e]; /* Add index offset for base of cube */
+@@ -4957,7 +4976,7 @@ double *in /* Input array[outputChan] *
+ rv |= 1;
+ }
+ x = (int)floor(val); /* Grid coordinate */
+- if (x > clutPoints_2)
++ if (x < 0 || x > clutPoints_2)
+ x = clutPoints_2;
+ co[e] = val - (double)x; /* 1.0 - weight */
+ gp += x * p->dinc[e]; /* Add index offset for base of cube */
+@@ -5070,7 +5089,7 @@ double *in /* Input array[outputChan] *
+ rv |= 1;
+ }
+ ix = (int)floor(val); /* Grid coordinate */
+- if (ix > (p->outputEnt-2))
++ if (ix < 0 || ix > (p->outputEnt-2))
+ ix = (p->outputEnt-2);
+ w = val - (double)ix; /* weight */
+ val = table[ix];
+@@ -7887,7 +7906,7 @@ static int icmTextDescription_allocate(
+ if (p->size != p->_size) {
+ if (p->desc != NULL)
+ icp->al->free(icp->al, p->desc);
+- if ((p->desc = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
++ if ((p->desc = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
+ sprintf(icp->err,"icmTextDescription_alloc: malloc() of Ascii description failed");
+ return icp->errc = 2;
+ }
+@@ -9061,7 +9080,7 @@ static int icmUcrBg_allocate(
+ if (p->size != p->_size) {
+ if (p->string != NULL)
+ icp->al->free(icp->al, p->string);
+- if ((p->string = (char *) icp->al->malloc(icp->al, p->size * sizeof(char))) == NULL) {
++ if ((p->string = (char *) icp->al->calloc(icp->al, p->size, sizeof(char))) == NULL) {
+ sprintf(icp->err,"icmUcrBg_allocate: malloc() of string data failed");
+ return icp->errc = 2;
+ }
+@@ -9515,7 +9534,7 @@ static double icmVideoCardGamma_lookup(
+ else if (val0 > inputEnt_1)
+ val0 = inputEnt_1;
+ ix = (int)floor(val0); /* Coordinate */
+- if (ix > (p->u.table.entryCount-2))
++ if (ix < 0 || ix > (p->u.table.entryCount-2))
+ ix = (p->u.table.entryCount-2);
+ w = val0 - (double)ix; /* weight */
+ if (p->u.table.entrySize == 1) {
+@@ -10061,7 +10080,7 @@ static int icmCrdInfo_allocate(
+ if (p->ppsize != p->_ppsize) {
+ if (p->ppname != NULL)
+ icp->al->free(icp->al, p->ppname);
+- if ((p->ppname = (char *) icp->al->malloc(icp->al, p->ppsize * sizeof(char))) == NULL) {
++ if ((p->ppname = (char *) icp->al->calloc(icp->al, p->ppsize, sizeof(char))) == NULL) {
+ sprintf(icp->err,"icmCrdInfo_alloc: malloc() of string data failed");
+ return icp->errc = 2;
+ }
+@@ -10071,7 +10090,7 @@ static int icmCrdInfo_allocate(
+ if (p->crdsize[t] != p->_crdsize[t]) {
+ if (p->crdname[t] != NULL)
+ icp->al->free(icp->al, p->crdname[t]);
+- if ((p->crdname[t] = (char *) icp->al->malloc(icp->al, p->crdsize[t] * sizeof(char))) == NULL) {
++ if ((p->crdname[t] = (char *) icp->al->calloc(icp->al, p->crdsize[t], sizeof(char))) == NULL) {
+ sprintf(icp->err,"icmCrdInfo_alloc: malloc() of CRD%d name string failed",t);
+ return icp->errc = 2;
+ }
diff --git a/argyllcms.spec b/argyllcms.spec
index 441b5b3..1d49d96 100644
--- a/argyllcms.spec
+++ b/argyllcms.spec
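Review bot: The new `ix < 0 ||` guards in the icc.c lookups clamp to a value two below the table size (`p->size-2`, `rt->size-2`, `p->inputEnt-2`, `clutPoints_2`, `p->u.table.entryCount-2`), which is itself out of range when a profile supplies a table with fewer than two entries, so the clamped index can still land outside the array; nothing visible in these hunks rejects such tables. In `icmTable_setup_bwd` the added upper-bound check could cover the lower bound too, e.g. `if (size < 2 || size > INT_MAX - 2) return 2;`, provided callers never legitimately pass smaller tables. In `icmCurve_lookup_fwd` the assignment casts to `unsigned int`, so if `ix` is declared unsigned there the `ix < 0` test is dead and the protection rests on the upper comparison alone; the declaration is outside the hunk. The early `return 2;` added before `as *= 2;` also leaves the already-allocated `rt->rlists` entries behind, and whether the caller frees them on that path is not visible here.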
@@ -5,7 +5,7 @@ Name: argyllcms Version: 1.0.3 -Release: 3%{?alphatag}%{?dist} +Release: 4%{?alphatag}%{?dist} Summary: ICC compatible color management system Group: User Interface/X @@ -19,6 +19,7 @@ Patch2: %{name}-1.0.3-remove-libusb-fork-check.patch # Patch applied for legal reasons Patch4: %{name}-1.0.2-legal.patch Patch5: argyllcms-CVE-2009-0583,0584.patch +Patch6: argyllcms-CVE-2009-0792.patch BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) BuildRequires: libtiff-devel, libusb-devel @@ -117,6 +118,9 @@ rm -rf %{buildroot} %changelog +* Wed Apr 08 2009 Jon Ciesla - 1.0.3-4 +- Patch for ICC library CVE-2009-0792. + * Mon Mar 23 2009 Jon Ciesla - 1.0.3-3 - Patch for ICC library CVE-2009-{0583, 0584} by Tim Waugh.