From 0dec8e672d9f4dcf03494c0a85b4296ea30c56b7 Mon Sep 17 00:00:00 2001 From: Max Rees Date: Tue, 23 Jul 2019 19:33:20 -0400 Subject: user/atril: patch for CVE-2019-1010006 --- user/atril/APKBUILD | 6 +++-- user/atril/CVE-2019-1010006.patch | 56 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 60 insertions(+), 2 deletions(-) create mode 100644 user/atril/CVE-2019-1010006.patch (limited to 'user/atril') diff --git a/user/atril/APKBUILD b/user/atril/APKBUILD index 5fd885123..d9f1127a9 100644 --- a/user/atril/APKBUILD +++ b/user/atril/APKBUILD @@ -13,7 +13,8 @@ makedepends="caja-dev djvulibre-dev gobject-introspection-dev gtk+3.0-dev intltool itstool libgxps-dev libsecret-dev libsm-dev libspectre-dev libxml2-dev libxml2-utils poppler-dev python3 tiff-dev" subpackages="$pkgname-dev $pkgname-doc $pkgname-lang" -source="https://pub.mate-desktop.org/releases/1.22/atril-$pkgver.tar.xz" +source="https://pub.mate-desktop.org/releases/1.22/atril-$pkgver.tar.xz + CVE-2019-1010006.patch" build() { cd "$builddir" @@ -41,4 +42,5 @@ package() { make DESTDIR="$pkgdir" install } -sha512sums="838ae397c868ac417c9266e4a06525d66214650cf8647e91c1472d83d50c8954f6dbb29411384892a98f0929e1fbac9947118bd0db10d50400fc0d5270a3619d atril-1.22.1.tar.xz" +sha512sums="838ae397c868ac417c9266e4a06525d66214650cf8647e91c1472d83d50c8954f6dbb29411384892a98f0929e1fbac9947118bd0db10d50400fc0d5270a3619d atril-1.22.1.tar.xz +ea6db09fe033a8ddf6d90f080858057fad5452a23801e0f41f7a90ec352b71344e8b596a0913deabca333ff24dc5023628eab7c18bc526c0a7f8fb0d680acdf7 CVE-2019-1010006.patch" diff --git a/user/atril/CVE-2019-1010006.patch b/user/atril/CVE-2019-1010006.patch new file mode 100644 index 000000000..ce107d193 --- /dev/null +++ b/user/atril/CVE-2019-1010006.patch @@ -0,0 +1,56 @@ +From e02fe9170ad0ac2fd46c75329c4f1d4502d4a362 Mon Sep 17 00:00:00 2001 +From: Jason Crain +Date: Sat, 2 Dec 2017 20:24:33 -0600 +Subject: [PATCH] Fix overflow checks in tiff backend + +The overflow checks in tiff_document_render and +tiff_document_get_thumbnail don't work when optimizations are enabled. +Change the checks so they don't rely on undefined behavior. + +https://bugzilla.gnome.org/show_bug.cgi?id=788980 +--- + backend/tiff/tiff-document.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/backend/tiff/tiff-document.c b/backend/tiff/tiff-document.c +index 8f40934e..7bf95c2b 100644 +--- a/backend/tiff/tiff-document.c ++++ b/backend/tiff/tiff-document.c +@@ -284,12 +284,12 @@ tiff_document_render (EvDocument *document, + return NULL; + } + +- bytes = height * rowstride; +- if (bytes / rowstride != height) { ++ if (height >= INT_MAX / rowstride) { + g_warning("Overflow while rendering document."); + /* overflow */ + return NULL; + } ++ bytes = height * rowstride; + + pixels = g_try_malloc (bytes); + if (!pixels) { +@@ -374,15 +374,15 @@ tiff_document_get_thumbnail (EvDocument *document, + if (width <= 0 || height <= 0) + return NULL; + +- rowstride = width * 4; +- if (rowstride / 4 != width) ++ if (width >= INT_MAX / 4) + /* overflow */ + return NULL; ++ rowstride = width * 4; + +- bytes = height * rowstride; +- if (bytes / rowstride != height) ++ if (height >= INT_MAX / rowstride) + /* overflow */ + return NULL; ++ bytes = height * rowstride; + + pixels = g_try_malloc (bytes); + if (!pixels) +-- +2.21.0 + -- cgit v1.2.3-60-g2f50