Fixing Security bug #74069 and added ~ppc while I was there. x86 stable in just a bit.

7 files changed, 283 insertions, 6 deletions

diff --git a/media-gfx/xzgv/ChangeLog b/media-gfx/xzgv/ChangeLog
index dc47072d7b4e..da5f3036b7d5 100644
--- a/media-gfx/xzgv/ChangeLog
+++ b/media-gfx/xzgv/ChangeLog
@@ -1,6 +1,12 @@
 # ChangeLog for media-gfx/xzgv
-# Copyright 2002-2004 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/media-gfx/xzgv/ChangeLog,v 1.8 2004/09/06 18:49:28 gustavoz Exp $
+# Copyright 2002-2005 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/media-gfx/xzgv/ChangeLog,v 1.9 2005/01/05 16:32:01 chriswhite Exp $
+
+*xzgv-0.8-r1 (06 Jan 2005)
+
+  06 Jan 2005; Chris White <chriswhite@gentoo.org>
+  +files/xzgv-0.8-integer-overflow-fix.diff, +xzgv-0.8-r1.ebuild:
+  Fixing Security bug #74069 and added ~ppc while I was there.
 
   06 Sep 2004; Gustavo Zacarias <gustavoz@gentoo.org> xzgv-0.7-r1.ebuild,
   xzgv-0.8.ebuild:
diff --git a/media-gfx/xzgv/Manifest b/media-gfx/xzgv/Manifest
index e8e96eba2c0b..f8d67be40353 100644
--- a/media-gfx/xzgv/Manifest
+++ b/media-gfx/xzgv/Manifest
@@ -2,5 +2,8 @@ MD5 42a167e1eb5d7c0e1e348df9bb1b00d9 ChangeLog 943
 MD5 dffd46174e78b327c834fc3e4b1cf848 metadata.xml 160
 MD5 63e70f430ddb82ae0477176dc02ec42e xzgv-0.7-r1.ebuild 1161
 MD5 ee3fe63d1b9be7a0c6463383b95d73aa xzgv-0.8.ebuild 1259
+MD5 ee3fe63d1b9be7a0c6463383b95d73aa xzgv-0.8-r1.ebuild 1259
 MD5 fdc1547580fe894d8749ab0fbc604452 files/digest-xzgv-0.7-r1 60
 MD5 df76e36ea08fa4317c30d7879eec9f93 files/digest-xzgv-0.8 60
+MD5 9495e82307945c08599a0bd9ffc2f4f6 files/xzgv-0.8-integer-overflow-fix.diff 6374
+MD5 df76e36ea08fa4317c30d7879eec9f93 files/digest-xzgv-0.8-r1 60
diff --git a/media-gfx/xzgv/files/digest-xzgv-0.8-r1 b/media-gfx/xzgv/files/digest-xzgv-0.8-r1
new file mode 100644
index 000000000000..0840bb8d59ac
--- /dev/null
+++ b/media-gfx/xzgv/files/digest-xzgv-0.8-r1
@@ -0,0 +1 @@
+MD5 e392277f1447076402df2e3d9e782cb2 xzgv-0.8.tar.gz 302801
diff --git a/media-gfx/xzgv/files/xzgv-0.8-integer-overflow-fix.diff b/media-gfx/xzgv/files/xzgv-0.8-integer-overflow-fix.diff
new file mode 100644
index 000000000000..627ba199af63
--- /dev/null
+++ b/media-gfx/xzgv/files/xzgv-0.8-integer-overflow-fix.diff
@@ -0,0 +1,197 @@
+diff -urN xzgv-0.8/ChangeLog xzgv/ChangeLog
+--- xzgv-0.8/ChangeLog	Tue Sep 16 15:08:42 2003
++++ xzgv/ChangeLog	Wed Dec 15 03:30:46 2004
+@@ -1,3 +1,13 @@
++2004-11-03  Russell Marks  <russell.marks@ntlworld.com>
++
++	* Added width/height limits to all native picture readers. This is
++	a crude (albeit effective) fix for heap overflow bugs - there may
++	yet be more subtle problems, but I can't really fix them until I
++	know they're there. :-) Thanks to Luke Macken for letting me know
++	about the heap overflow problems (in zgv). I suppose I should also
++	thank "infamous41md" for publishing the original advisory/exploit
++	(again for zgv), even if he didn't bother emailing me or anything.
++
+ 2003-09-16  Russell Marks  <russell.marks@ntlworld.com>
+ 
+ 	* Version 0.8.
+diff -urN xzgv-0.8/src/Makefile xzgv/src/Makefile
+--- xzgv-0.8/src/Makefile	Tue Jan  1 05:37:45 2002
++++ xzgv/src/Makefile	Wed Dec 15 03:30:46 2004
+@@ -84,18 +84,19 @@
+ logo.o: logo.c logodata.h
+ logoconv.o: logoconv.c
+ main.o: main.c backend.h readmrf.h readgif.h readpng.h readjpeg.h \
+- readtiff.h resizepic.h rcfile.h filedetails.h gotodir.h updatetn.h \
+- confirm.h misc.h copymove.h rename.h help.h dir_icon.xpm \
++ readtiff.h readprf.h resizepic.h rcfile.h filedetails.h gotodir.h \
++ updatetn.h confirm.h misc.h copymove.h rename.h help.h dir_icon.xpm \
+  dir_icon_small.xpm file_icon.xpm file_icon_small.xpm logo.h \
+  icon-48.xpm main.h
+ misc.o: misc.c misc.h
+ rcfile.o: rcfile.c getopt.h rcfile.h rcfile_opt.h rcfile_var.h \
+  rcfile_short.h
+-readgif.o: readgif.c readgif.h
+-readjpeg.o: readjpeg.c rcfile.h readjpeg.h
+-readmrf.o: readmrf.c readmrf.h
++readgif.o: readgif.c reader.h readgif.h
++readjpeg.o: readjpeg.c rcfile.h reader.h readjpeg.h
++readmrf.o: readmrf.c reader.h readmrf.h
+ readpng.o: readpng.c readpng.h
+-readtiff.o: readtiff.c readtiff.h
++readprf.o: readprf.c reader.h readprf.h
++readtiff.o: readtiff.c reader.h readtiff.h
+ rename.o: rename.c backend.h main.h rename.h
+ resizepic.o: resizepic.c resizepic.h
+ updatetn.o: updatetn.c backend.h main.h rcfile.h dither.h resizepic.h \
+diff -urN xzgv-0.8/src/reader.h xzgv/src/reader.h
+--- xzgv-0.8/src/reader.h	Thu Jan  1 01:00:00 1970
++++ xzgv/src/reader.h	Wed Dec 15 03:30:46 2004
+@@ -0,0 +1,15 @@
++/* xzgv 0.8 - picture viewer for X, with file selector.
++ * Copyright (C) 1999-2004 Russell Marks. See main.c for license details.
++ *
++ * reader.h
++ */
++
++/* range check on width and height as a crude way of avoiding overflows
++ * when calling malloc/calloc. 32767 is the obvious limit to use given that
++ * xzgv effectively imposes such a limit anyway.
++ * Adds an extra 2 to height for max-height check, partly to reflect what
++ * the check in zgv does but also to allow for readtiff.c allocating an
++ * extra line (so at least an extra 1 would have been needed in any case).
++ */
++#define WH_MAX	32767
++#define WH_BAD(w,h)	((w)<=0 || (w)>WH_MAX || (h)<=0 || ((h)+2)>WH_MAX)
+diff -urN xzgv-0.8/src/readgif.c xzgv/src/readgif.c
+--- xzgv-0.8/src/readgif.c	Sun Mar  3 04:34:32 2002
++++ xzgv/src/readgif.c	Wed Dec 15 03:30:46 2004
+@@ -8,6 +8,7 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include <stdlib.h>
++#include "reader.h"
+ #include "readgif.h"
+ 
+ 
+@@ -103,7 +104,7 @@
+   
+   if(local_colour_map) readcolmap(in);
+   
+-  if((image=malloc(width*height*3))==NULL)
++  if(WH_BAD(width,height) || (image=malloc(width*height*3))==NULL)
+     {
+     fclose(in);
+     return(0);
+diff -urN xzgv-0.8/src/readjpeg.c xzgv/src/readjpeg.c
+--- xzgv-0.8/src/readjpeg.c	Tue Sep 16 12:52:04 2003
++++ xzgv/src/readjpeg.c	Wed Dec 15 03:30:46 2004
+@@ -13,6 +13,7 @@
+ #include <jpeglib.h>
+ 
+ #include "rcfile.h"
++#include "reader.h"
+ 
+ #include "readjpeg.h"
+ 
+@@ -265,7 +266,7 @@
+ /* this one shouldn't hurt */
+ cinfo.do_block_smoothing=FALSE;
+ 
+-if((*imagep=image=malloc(width*height*3))==NULL)
++if(WH_BAD(width,height) || (*imagep=image=malloc(width*height*3))==NULL)
+   longjmp(jerr.setjmp_buffer,1);
+ 
+ jpeg_start_decompress(&cinfo);
+diff -urN xzgv-0.8/src/readmrf.c xzgv/src/readmrf.c
+--- xzgv-0.8/src/readmrf.c	Sat Oct  7 14:26:55 2000
++++ xzgv/src/readmrf.c	Wed Dec 15 03:30:46 2004
+@@ -7,6 +7,7 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <stdlib.h>
++#include "reader.h"
+ #include "readmrf.h"
+ 
+ 
+@@ -91,7 +92,8 @@
+ w64=(w+63)/64;
+ h64=(h+63)/64;
+ 
+-if((*bmap=malloc(w*h*3))==NULL ||
++if(WH_BAD(w64*64,h64*64) || WH_BAD(w,h) ||
++   (*bmap=malloc(w*h*3))==NULL ||
+    (image=calloc(w64*h64*64*64,1))==NULL)
+   {
+   if(*bmap) free(*bmap),*bmap=NULL;
+diff -urN xzgv-0.8/src/readpng.c xzgv/src/readpng.c
+--- xzgv-0.8/src/readpng.c	Thu Jul 10 16:13:43 2003
++++ xzgv/src/readpng.c	Wed Dec 15 03:32:46 2004
+@@ -16,6 +16,7 @@
+ #include <stdlib.h>
+ #include <png.h>
+ #include <setjmp.h>	/* after png.h to avoid horrible thing in pngconf.h */
++#include "reader.h"
+ #include "readpng.h"
+ 
+ 
+@@ -129,7 +130,8 @@
+   }
+ 
+ /* allocate image memory */
+-if((*theimageptr=theimage=malloc(width*height*3))==NULL)
++if(WH_BAD(width,height) ||
++   (*theimageptr=theimage=malloc(width*height*3))==NULL)
+   {
+   png_read_end(png_ptr,info_ptr);
+   png_destroy_read_struct(&png_ptr,&info_ptr,NULL);
+diff -urN xzgv-0.8/src/readprf.c xzgv/src/readprf.c
+--- xzgv-0.8/src/readprf.c	Mon Apr  9 19:08:19 2001
++++ xzgv/src/readprf.c	Wed Dec 15 03:30:46 2004
+@@ -7,6 +7,7 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <stdlib.h>
++#include "reader.h"
+ #include "readprf.h"
+ 
+ #define squaresize	64
+@@ -164,7 +165,7 @@
+   bytepp=1;
+ 
+ n=width*squaresize;
+-if((planebuf[0]=calloc(n,planes))==NULL)
++if(WH_BAD(width,height) || (planebuf[0]=calloc(n,planes))==NULL)
+   {
+   fclose(in);
+   return(0);
+@@ -173,6 +174,7 @@
+ for(f=1;f<planes;f++)
+   planebuf[f]=planebuf[f-1]+n;
+ 
++/* width/height already checked above */
+ if((*theimageptr=malloc(width*height*3))==NULL)
+   {
+   free(planebuf[0]);
+diff -urN xzgv-0.8/src/readtiff.c xzgv/src/readtiff.c
+--- xzgv-0.8/src/readtiff.c	Thu Dec 28 03:20:55 2000
++++ xzgv/src/readtiff.c	Wed Dec 15 03:30:46 2004
+@@ -11,7 +11,7 @@
+ #include <setjmp.h>
+ #include <sys/file.h>  /* for open et al */
+ #include <tiffio.h>
+-
++#include "reader.h"
+ #include "readtiff.h"
+ 
+ 
+@@ -36,7 +36,8 @@
+  * spare for the flip afterwards.
+  */
+ numpix=width*height;
+-if((image=malloc(numpix*sizeof(uint32)+width*3))==NULL)
++if(WH_BAD(width,height) ||
++   (image=malloc(numpix*sizeof(uint32)+width*3))==NULL)
+   {
+   TIFFClose(in);
+   return(0);
diff --git a/media-gfx/xzgv/xzgv-0.7-r1.ebuild b/media-gfx/xzgv/xzgv-0.7-r1.ebuild
index 3ddf0387a64d..4e086cae3c5b 100644
--- a/media-gfx/xzgv/xzgv-0.7-r1.ebuild
+++ b/media-gfx/xzgv/xzgv-0.7-r1.ebuild
@@ -1,6 +1,6 @@
-# Copyright 1999-2004 Gentoo Foundation
+# Copyright 1999-2005 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/media-gfx/xzgv/xzgv-0.7-r1.ebuild,v 1.10 2004/09/06 18:49:28 gustavoz Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-gfx/xzgv/xzgv-0.7-r1.ebuild,v 1.11 2005/01/05 16:32:01 chriswhite Exp $
 
 DESCRIPTION="An X image viewer."
 SRC_URI="http://xzgv.browser.org/${P}.tar.gz"
diff --git a/media-gfx/xzgv/xzgv-0.8-r1.ebuild b/media-gfx/xzgv/xzgv-0.8-r1.ebuild
new file mode 100644
index 000000000000..1a4b8d27b982
--- /dev/null
+++ b/media-gfx/xzgv/xzgv-0.8-r1.ebuild
@@ -0,0 +1,70 @@
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/media-gfx/xzgv/xzgv-0.8-r1.ebuild,v 1.1 2005/01/05 16:32:01 chriswhite Exp $
+
+inherit eutils
+
+DESCRIPTION="An X image viewer."
+SRC_URI="http://xzgv.browser.org/${P}.tar.gz"
+HOMEPAGE="http://xzgv.browser.org/"
+
+SLOT="0"
+LICENSE="GPL-2"
+KEYWORDS="~x86 ~sparc ~ppc"
+IUSE=""
+
+DEPEND="virtual/x11
+	sys-apps/gawk
+	media-libs/libpng
+	media-libs/jpeg
+	media-libs/tiff
+	sys-libs/zlib
+	=x11-libs/gtk+-1.2*
+	>=media-libs/imlib-1.0"
+
+src_unpack() {
+	unpack ${A}
+
+	cd ${S}
+	cp config.mk config.mk.orig
+	sed -i -e "s:-O2 -Wall:${CFLAGS}:" config.mk
+
+	case "${ARCH}" in
+		"x86")
+			;;
+		*)
+			sed -i -e "s/CFLAGS+=-DINTERP_MMX/#&/" config.mk
+			;;
+	esac
+
+	# Fix for bug #74069
+	epatch ${FILESDIR}/${P}-integer-overflow-fix.diff
+}
+
+src_compile() {
+	emake || die
+}
+
+src_install() {
+	dodir /usr/bin /usr/share/info /usr/share/man/man1
+	make PREFIX=${D}/usr \
+		 SHARE_INFIX=/share \
+		 INFO_DIR_UPDATE=no \
+		 MANDIR=${D}/usr/share/man/man1 \
+	     install || die
+
+	# Fix info files
+	cd ${D}/usr/share/info
+	for i in 1 2 3
+	do
+		mv xzgv-$i.gz xzgv.info-$i.gz
+	done
+	gzip -dc xzgv.gz | \
+		sed -e 's:^xzgv-:xzgv\.info-:g' | \
+		gzip -9c > xzgv.info.gz
+	rm xzgv.gz
+
+	cd ${S}
+
+	dodoc AUTHORS COPYING ChangeLog INSTALL NEWS README* TODO
+}
diff --git a/media-gfx/xzgv/xzgv-0.8.ebuild b/media-gfx/xzgv/xzgv-0.8.ebuild
index ab6c0d3d4bd2..c561e1ed2bad 100644
--- a/media-gfx/xzgv/xzgv-0.8.ebuild
+++ b/media-gfx/xzgv/xzgv-0.8.ebuild
@@ -1,6 +1,6 @@
-# Copyright 1999-2004 Gentoo Foundation
+# Copyright 1999-2005 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/media-gfx/xzgv/xzgv-0.8.ebuild,v 1.6 2004/09/06 18:49:28 gustavoz Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-gfx/xzgv/xzgv-0.8.ebuild,v 1.7 2005/01/05 16:32:01 chriswhite Exp $
 
 DESCRIPTION="An X image viewer."
 SRC_URI="http://xzgv.browser.org/${P}.tar.gz"