diff options
Diffstat (limited to 'www-plugins/gnash/files/gnash-0.8.10-cve-2012-1175.patch')
-rw-r--r-- | www-plugins/gnash/files/gnash-0.8.10-cve-2012-1175.patch | 63 |
1 files changed, 0 insertions, 63 deletions
diff --git a/www-plugins/gnash/files/gnash-0.8.10-cve-2012-1175.patch b/www-plugins/gnash/files/gnash-0.8.10-cve-2012-1175.patch deleted file mode 100644 index 9a218d9216be..000000000000 --- a/www-plugins/gnash/files/gnash-0.8.10-cve-2012-1175.patch +++ /dev/null @@ -1,63 +0,0 @@ -From bb4dc77eecb6ed1b967e3ecbce3dac6c5e6f1527 Mon Sep 17 00:00:00 2001 -From: Benjamin Wolsey <bwy@benjaminwolsey.de> -Date: Sat, 10 Mar 2012 14:52:50 +0000 -Subject: Fix crash in GnashImage.cpp - ---- -diff --git a/libbase/GnashImage.cpp b/libbase/GnashImage.cpp -index 11c6956..03a6939 100644 ---- a/libbase/GnashImage.cpp -+++ b/libbase/GnashImage.cpp -@@ -26,6 +26,7 @@ - #include <boost/scoped_array.hpp> - #include <boost/shared_ptr.hpp> - #include <algorithm> -+#include <cassert> - - #ifdef USE_PNG - # include "GnashImagePng.h" -@@ -44,6 +45,21 @@ namespace image { - - namespace { - void processAlpha(GnashImage::iterator imageData, size_t pixels); -+ bool checkValidSize(size_t width, size_t height, size_t channels) { -+ -+ if (width == 0 || height == 0) return false; -+ -+ assert(channels > 0); -+ -+ boost::uint32_t maxSize = std::numeric_limits<boost::int32_t>::max(); -+ if (width >= maxSize || height >= maxSize) return false; -+ -+ maxSize /= channels; -+ maxSize /= width; -+ maxSize /= height; -+ -+ return maxSize > 0; -+ } - } - - GnashImage::GnashImage(iterator data, size_t width, size_t height, -@@ -55,6 +71,8 @@ GnashImage::GnashImage(iterator data, size_t width, size_t height, - _height(height), - _data(data) - { -+ // Callers should check dimensions -+ assert(checkValidSize(_width, _height, channels())); - } - - /// Create an image allocating a buffer of height*pitch bytes -@@ -66,8 +84,9 @@ GnashImage::GnashImage(size_t width, size_t height, ImageType type, - _width(width), - _height(height) - { -- const size_t max = std::numeric_limits<boost::int32_t>::max(); -- if (size() > max) { -+ // Constructed from external input, so restrict dimensions to avoid -+ // overflow in size calculations -+ if (!checkValidSize(_width, _height, channels())) { - throw std::bad_alloc(); - } - _data.reset(new value_type[size()]); --- -cgit v0.9.0.2 |