gentoo-ebuilds/media-gfx/gifsicle/files/gifsicle-1.94-CVE-2023-46009.patch
Hanno Böck df23eb8615
media-gfx/gifsicle: Version bump and security fix
CVE-2023-36193 is fixed in 1.94.
CVE-2023-46009 fixed by patch from upstream repo (not released yet).

Bug: https://bugs.gentoo.org/918436
Signed-off-by: Hanno Böck <hanno@gentoo.org>
2024-02-04 14:40:36 +01:00

94 lines
3.1 KiB
Diff

diff -Naurp a/src/giffunc.c b/src/giffunc.c
--- a/src/giffunc.c 2021-09-20 13:19:00.000000000 +0200
+++ b/src/giffunc.c 2024-02-04 14:05:47.811880522 +0100
@@ -466,8 +466,10 @@ Gif_CopyImage(Gif_Image *src)
void Gif_MakeImageEmpty(Gif_Image* gfi) {
Gif_ReleaseUncompressedImage(gfi);
Gif_ReleaseCompressedImage(gfi);
- gfi->left = gfi->top = 0;
- gfi->width = gfi->height = 1;
+ gfi->left = gfi->left < 0xFFFE ? gfi->left : 0xFFFE;
+ gfi->top = gfi->top < 0xFFFE ? gfi->top : 0xFFFE;
+ gfi->width = 1;
+ gfi->height = 1;
gfi->transparent = 0;
Gif_CreateUncompressedImage(gfi, 0);
gfi->img[0][0] = 0;
diff -Naurp a/src/support.c b/src/support.c
--- a/src/support.c 2023-06-14 17:47:12.000000000 +0200
+++ b/src/support.c 2024-02-04 14:05:51.307885109 +0100
@@ -1421,9 +1421,9 @@ analyze_crop(int nmerger, Gt_Crop* crop,
}
}
- if (t > b)
+ if (t > b) {
crop->w = crop->h = 0;
- else {
+ } else {
crop->x = l;
crop->y = t;
crop->w = r - l;
@@ -1618,7 +1618,8 @@ merge_frame_interval(Gt_Frameset *fset,
desti->comment = 0;
}
if (fr->comment) {
- if (!desti->comment) desti->comment = Gif_NewComment();
+ if (!desti->comment)
+ desti->comment = Gif_NewComment();
merge_comments(desti->comment, fr->comment);
/* delete the comment early to help with memory; set field to 0 so we
don't re-free it later */
@@ -1628,10 +1629,22 @@ merge_frame_interval(Gt_Frameset *fset,
if (fr->interlacing >= 0)
desti->interlace = fr->interlacing;
- if (fr->left >= 0)
- desti->left = fr->left + (fr->position_is_offset ? desti->left : 0);
- if (fr->top >= 0)
- desti->top = fr->top + (fr->position_is_offset ? desti->top : 0);
+ if (fr->left >= 0) {
+ int left = fr->left + (fr->position_is_offset ? desti->left : 0);
+ if (left + desti->width > 65535) {
+ error(1, "left position %d out of range", left);
+ return 0;
+ }
+ desti->left = left;
+ }
+ if (fr->top >= 0) {
+ int top = fr->top + (fr->position_is_offset ? desti->top : 0);
+ if (top + desti->height > 65535) {
+ error(1, "top position %d out of range", top);
+ return 0;
+ }
+ desti->top = top;
+ }
if (fr->delay >= 0)
desti->delay = fr->delay;
diff -Naurp a/src/xform.c b/src/xform.c
--- a/src/xform.c 2023-06-14 17:48:05.000000000 +0200
+++ b/src/xform.c 2024-02-04 14:05:47.812880524 +0100
@@ -262,18 +262,18 @@ crop_image(Gif_Image* gfi, Gt_Frame* fr,
gfi->img[j] = old_img[c.y + j] + c.x;
gfi->img[c.h] = 0;
Gif_DeleteArray(old_img);
+ gfi->left += c.x - fr->left_offset;
+ gfi->top += c.y - fr->top_offset;
gfi->width = c.w;
gfi->height = c.h;
- } else if (preserve_total_crop)
+ } else if (preserve_total_crop) {
Gif_MakeImageEmpty(gfi);
- else {
+ } else {
Gif_DeleteArray(gfi->img);
gfi->img = 0;
gfi->width = gfi->height = 0;
}
- gfi->left += c.x - fr->left_offset;
- gfi->top += c.y - fr->top_offset;
return gfi->img != 0;
}