imlib2: security bump to version 1.4.9

It already includes the fixes for CVE-2016-3994 and CVE-2011-5326 so drop the patches, and additionally fixes: CVE-2016-4024 - integer overflow in imlib2, which result in insufficient heap allocation. Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar> Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2025-07-27 21:26:36 +00:00 · 2016-05-01 10:34:47 -03:00 · 2016-05-01 10:34:47 -03:00 · 69a30b2817
commit 69a30b2817
parent 2512fcf41f
4 changed files with 4 additions and 179 deletions
--- a/package/imlib2/0001-fix-CVE-2016-3994.patch
+++ b/package/imlib2/0001-fix-CVE-2016-3994.patch
@ -1,71 +0,0 @@
 From 37a96801663b7b4cd3fbe56cc0eb8b6a17e766a8 Mon Sep 17 00:00:00 2001
 From: Kim Woelders <kim@woelders.dk>
 Date: Sun, 3 Apr 2016 19:40:25 +0200
 Subject: [PATCH] GIF loader: Fix out-of-bound reads from colormap.
 Bug-Debian: http://bugs.debian.org/785369
 Note: removes all special-casing from the inner loop, optimize for common case.
 Author: Yuriy M. Kaminskiy <yumkam+debian@gmail.com>
 Reported-By: Jakub Wilk <jwilk@debian.org>
 Thanks to Bernhard U:belacker <bernhardu@vr-web.de> for analysis.
 Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
 ---
 src/modules/loaders/loader_gif.c | 31 +++++++++++++++++--------------
 1 file changed, 17 insertions(+), 14 deletions(-)
 diff --git a/src/modules/loaders/loader_gif.c b/src/modules/loaders/loader_gif.c
 index 638df59..4f08d64 100644
 --- a/src/modules/loaders/loader_gif.c
 +++ b/src/modules/loaders/loader_gif.c
@@ -141,8 +141,24 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
    if (im->loader || immediate_load || progress)
      {
 +        DATA32 colormap[256];
 +
         bg = gif->SBackGroundColor;
         cmap = (gif->Image.ColorMap ? gif->Image.ColorMap : gif->SColorMap);
 +        memset (colormap, 0, sizeof(colormap));
 +        if (cmap != NULL)
 +           {
 +              for (i = cmap->ColorCount > 256 ? 256 : cmap->ColorCount; i-- > 0;)
 +                 {
 +                    r = cmap->Colors[i].Red;
 +                    g = cmap->Colors[i].Green;
 +                    b = cmap->Colors[i].Blue;
 +                    colormap[i] = (0xff << 24) | (r << 16) | (g << 8) | b;
 +                 }
 +              /* if bg > cmap->ColorCount, it is transparent black already */
 +              if (transp >= 0 && transp < 256)
 +                 colormap[transp] = bg >= 0 && bg < 256 ? colormap[bg] & 0x00ffffff : 0x00000000;
 +           }
         im->data = (DATA32 *) malloc(sizeof(DATA32) * w * h);
         if (!im->data)
            goto quit;
@@ -161,20 +177,7 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
           {
              for (j = 0; j < w; j++)
                {
 -                  if (rows[i][j] == transp)
 -                    {
 -                       r = cmap->Colors[bg].Red;
 -                       g = cmap->Colors[bg].Green;
 -                       b = cmap->Colors[bg].Blue;
 -                       *ptr++ = 0x00ffffff & ((r << 16) | (g << 8) | b);
 -                    }
 -                  else
 -                    {
 -                       r = cmap->Colors[rows[i][j]].Red;
 -                       g = cmap->Colors[rows[i][j]].Green;
 -                       b = cmap->Colors[rows[i][j]].Blue;
 -                       *ptr++ = (0xff << 24) | (r << 16) | (g << 8) | b;
 -                    }
 +                  *ptr++ = colormap[rows[i][j]];
                   per += per_inc;
                   if (progress && (((int)per) != last_per)
                       && (((int)per) % progress_granularity == 0))
 -- 
 2.7.3
--- a/package/imlib2/0002-fix-CVE-2011-5326.patch
+++ b/package/imlib2/0002-fix-CVE-2011-5326.patch
@ -1,104 +0,0 @@
 From c94d83ccab15d5ef02f88d42dce38ed3f0892882 Mon Sep 17 00:00:00 2001
 From: Kim Woelders <kim@woelders.dk>
 Date: Wed, 6 Apr 2016 17:42:17 +0200
 Subject: [PATCH] Fix potential divide-by-zero in imlib_image_draw_ellipse().
 Attempting to draw a 2x1 ellipse with e.g. imlib_image_draw_ellipse(x, y, 2, 1)
 causes a divide-by-zero.
 It seems happy enough to draw 1x1, 1x2 and 2x2, but not 2x1.
 Patch by Simon Lees.
 https://bugs.debian.org/639414
 Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
 ---
 src/lib/ellipse.c | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 diff --git a/src/lib/ellipse.c b/src/lib/ellipse.c
 index cd90268..ddb410b 100644
 --- a/src/lib/ellipse.c
 +++ b/src/lib/ellipse.c
@@ -71,6 +71,9 @@ __imlib_Ellipse_DrawToData(int xc, int yc, int a, int b, DATA32 color,
         if (IN_RANGE(rx, by, clw, clh))
            pfunc(color, bp + len);
 +        if (dx < 1)
 +           dx = 1;
 +
         dy += b2;
         yy -= ((dy << 16) / dx);
         lx--;
@@ -123,6 +126,9 @@ __imlib_Ellipse_DrawToData(int xc, int yc, int a, int b, DATA32 color,
         if (IN_RANGE(rx, by, clw, clh))
            pfunc(color, bp + len);
 +        if (dy < 1)
 +           dy = 1;
 +
         dx -= a2;
         xx += ((dx << 16) / dy);
         ty++;
@@ -222,6 +228,9 @@ __imlib_Ellipse_DrawToData_AA(int xc, int yc, int a, int b, DATA32 color,
         if (IN_RANGE(rx, by, clw, clh))
            pfunc(col1, bp + len);
 +        if (dx < 1)
 +           dx = 1;
 +
         dy += b2;
         yy -= ((dy << 16) / dx);
         lx--;
@@ -295,6 +304,9 @@ __imlib_Ellipse_DrawToData_AA(int xc, int yc, int a, int b, DATA32 color,
         if (IN_RANGE(rx, by, clw, clh))
            pfunc(col1, bp + len);
 +        if (dy < 1)
 +           dy = 1;
 +
         dx -= a2;
         xx += ((dx << 16) / dy);
         ty++;
@@ -395,6 +407,9 @@ __imlib_Ellipse_FillToData(int xc, int yc, int a, int b, DATA32 color,
         if (IN_RANGE(rx, by, clw, clh))
            pfunc(color, bp + len);
 +        if (dx < 1)
 +           dx = 1;
 +
         dy += b2;
         yy -= ((dy << 16) / dx);
         lx--;
@@ -453,6 +468,9 @@ __imlib_Ellipse_FillToData(int xc, int yc, int a, int b, DATA32 color,
         if (((unsigned)by < (unsigned)clh) && (len > 0))
            sfunc(color, bpp, len);
 +        if (dy < 1)
 +           dy = 1;
 +
         dx -= a2;
         xx += ((dx << 16) / dy);
         ty++;
@@ -556,6 +574,9 @@ __imlib_Ellipse_FillToData_AA(int xc, int yc, int a, int b, DATA32 color,
         if (IN_RANGE(rx, by, clw, clh))
            pfunc(col1, bp + len);
 +        if (dx < 1)
 +           dx = 1;
 +
         dy += b2;
         yy -= ((dy << 16) / dx);
         lx--;
@@ -629,6 +650,9 @@ __imlib_Ellipse_FillToData_AA(int xc, int yc, int a, int b, DATA32 color,
         if (IN_RANGE(rx, by, clw, clh))
            pfunc(col1, bp + len);
 +        if (dy < 1)
 +           dy = 1;
 +
         dx -= a2;
         xx += ((dx << 16) / dy);
         ty++;
 -- 
 2.7.3
--- a/package/imlib2/imlib2.hash
+++ b/package/imlib2/imlib2.hash
@ -1,3 +1,3 @@
-# From https://sourceforge.net/projects/enlightenment/files/imlib2-src/1.4.8/
+# From https://sourceforge.net/projects/enlightenment/files/imlib2-src/1.4.9/
-md5	97cf1007b0339102974ce20c8f17c249	imlib2-1.4.8.tar.bz2
+md5	23ef8b49f2793bc63b16839a2062298b	imlib2-1.4.9.tar.bz2
-sha1	09759f9cd0bb530a738032d06b29edf0038f2052	imlib2-1.4.8.tar.bz2
+sha1	f389d67c337b604a365e620b0083b2d342dd724e	imlib2-1.4.9.tar.bz2
--- a/package/imlib2/imlib2.mk
+++ b/package/imlib2/imlib2.mk
@ -4,7 +4,7 @@
 #
 ################################################################################
-IMLIB2_VERSION = 1.4.8
+IMLIB2_VERSION = 1.4.9
 IMLIB2_SOURCE = imlib2-$(IMLIB2_VERSION).tar.bz2
 IMLIB2_SITE = http://downloads.sourceforge.net/project/enlightenment/imlib2-src/$(IMLIB2_VERSION)
 IMLIB2_LICENSE = imlib2 license