mirror of
https://anongit.gentoo.org/git/repo/gentoo.git
synced 2025-06-10 23:30:03 +02:00
CVE-2023-36193 is fixed in 1.94. CVE-2023-46009 fixed by patch from upstream repo (not released yet). Bug: https://bugs.gentoo.org/918436 Signed-off-by: Hanno Böck <hanno@gentoo.org>
94 lines
3.1 KiB
Diff
94 lines
3.1 KiB
Diff
diff -Naurp a/src/giffunc.c b/src/giffunc.c
|
|
--- a/src/giffunc.c 2021-09-20 13:19:00.000000000 +0200
|
|
+++ b/src/giffunc.c 2024-02-04 14:05:47.811880522 +0100
|
|
@@ -466,8 +466,10 @@ Gif_CopyImage(Gif_Image *src)
|
|
void Gif_MakeImageEmpty(Gif_Image* gfi) {
|
|
Gif_ReleaseUncompressedImage(gfi);
|
|
Gif_ReleaseCompressedImage(gfi);
|
|
- gfi->left = gfi->top = 0;
|
|
- gfi->width = gfi->height = 1;
|
|
+ gfi->left = gfi->left < 0xFFFE ? gfi->left : 0xFFFE;
|
|
+ gfi->top = gfi->top < 0xFFFE ? gfi->top : 0xFFFE;
|
|
+ gfi->width = 1;
|
|
+ gfi->height = 1;
|
|
gfi->transparent = 0;
|
|
Gif_CreateUncompressedImage(gfi, 0);
|
|
gfi->img[0][0] = 0;
|
|
diff -Naurp a/src/support.c b/src/support.c
|
|
--- a/src/support.c 2023-06-14 17:47:12.000000000 +0200
|
|
+++ b/src/support.c 2024-02-04 14:05:51.307885109 +0100
|
|
@@ -1421,9 +1421,9 @@ analyze_crop(int nmerger, Gt_Crop* crop,
|
|
}
|
|
}
|
|
|
|
- if (t > b)
|
|
+ if (t > b) {
|
|
crop->w = crop->h = 0;
|
|
- else {
|
|
+ } else {
|
|
crop->x = l;
|
|
crop->y = t;
|
|
crop->w = r - l;
|
|
@@ -1618,7 +1618,8 @@ merge_frame_interval(Gt_Frameset *fset,
|
|
desti->comment = 0;
|
|
}
|
|
if (fr->comment) {
|
|
- if (!desti->comment) desti->comment = Gif_NewComment();
|
|
+ if (!desti->comment)
|
|
+ desti->comment = Gif_NewComment();
|
|
merge_comments(desti->comment, fr->comment);
|
|
/* delete the comment early to help with memory; set field to 0 so we
|
|
don't re-free it later */
|
|
@@ -1628,10 +1629,22 @@ merge_frame_interval(Gt_Frameset *fset,
|
|
|
|
if (fr->interlacing >= 0)
|
|
desti->interlace = fr->interlacing;
|
|
- if (fr->left >= 0)
|
|
- desti->left = fr->left + (fr->position_is_offset ? desti->left : 0);
|
|
- if (fr->top >= 0)
|
|
- desti->top = fr->top + (fr->position_is_offset ? desti->top : 0);
|
|
+ if (fr->left >= 0) {
|
|
+ int left = fr->left + (fr->position_is_offset ? desti->left : 0);
|
|
+ if (left + desti->width > 65535) {
|
|
+ error(1, "left position %d out of range", left);
|
|
+ return 0;
|
|
+ }
|
|
+ desti->left = left;
|
|
+ }
|
|
+ if (fr->top >= 0) {
|
|
+ int top = fr->top + (fr->position_is_offset ? desti->top : 0);
|
|
+ if (top + desti->height > 65535) {
|
|
+ error(1, "top position %d out of range", top);
|
|
+ return 0;
|
|
+ }
|
|
+ desti->top = top;
|
|
+ }
|
|
|
|
if (fr->delay >= 0)
|
|
desti->delay = fr->delay;
|
|
diff -Naurp a/src/xform.c b/src/xform.c
|
|
--- a/src/xform.c 2023-06-14 17:48:05.000000000 +0200
|
|
+++ b/src/xform.c 2024-02-04 14:05:47.812880524 +0100
|
|
@@ -262,18 +262,18 @@ crop_image(Gif_Image* gfi, Gt_Frame* fr,
|
|
gfi->img[j] = old_img[c.y + j] + c.x;
|
|
gfi->img[c.h] = 0;
|
|
Gif_DeleteArray(old_img);
|
|
+ gfi->left += c.x - fr->left_offset;
|
|
+ gfi->top += c.y - fr->top_offset;
|
|
gfi->width = c.w;
|
|
gfi->height = c.h;
|
|
- } else if (preserve_total_crop)
|
|
+ } else if (preserve_total_crop) {
|
|
Gif_MakeImageEmpty(gfi);
|
|
- else {
|
|
+ } else {
|
|
Gif_DeleteArray(gfi->img);
|
|
gfi->img = 0;
|
|
gfi->width = gfi->height = 0;
|
|
}
|
|
|
|
- gfi->left += c.x - fr->left_offset;
|
|
- gfi->top += c.y - fr->top_offset;
|
|
return gfi->img != 0;
|
|
}
|
|
|