~ubuntu-branches/ubuntu/trusty/gdk-pixbuf/trusty-security

Viewing changes to gdk-pixbuf/pixops/pixops.c

Committer: Package Import Robot
Author(s): Marc Deslauriers
Date: 2015-08-18 13:02:29 UTC
Revision ID: package-import@ubuntu.com-20150818130229-k9hth69jmg4u2v12

Tags: 2.30.7-0ubuntu1.1

* SECURITY UPDATE: heap overflow when scaling bitmap images
  - debian/patches/CVE-2015-4491-1.patch: check for overflows in
    gdk-pixbuf/pixops/pixops.c.
  - debian/patches/CVE-2015-4491-2.patch: also check n_x in
    gdk-pixbuf/pixops/pixops.c.
  - CVE-2015-4491

files added:
.pc/CVE-2015-4491-1.patch

.pc/CVE-2015-4491-1.patch/gdk-pixbuf

.pc/CVE-2015-4491-1.patch/gdk-pixbuf/pixops

.pc/CVE-2015-4491-1.patch/gdk-pixbuf/pixops/pixops.c

.pc/CVE-2015-4491-2.patch

.pc/CVE-2015-4491-2.patch/gdk-pixbuf

.pc/CVE-2015-4491-2.patch/gdk-pixbuf/pixops

.pc/CVE-2015-4491-2.patch/gdk-pixbuf/pixops/pixops.c

debian/patches/CVE-2015-4491-1.patch

debian/patches/CVE-2015-4491-2.patch

files modified:
.pc/applied-patches

debian/changelog

debian/patches/series

gdk-pixbuf/pixops/pixops.c

Show diffs side-by-side

added added

removed removed

gdk-pixbuf/pixops/pixops.c

1192

int i_offset, j_offset;

1193

int n_x = filter->x.n;

1194

int n_y = filter->y.n;

1195

int *weights = g_new (int, SUBSAMPLE * SUBSAMPLE * n_x * n_y);

1195

gsize n_weights;

1196

int *weights;

1197

1198

n_weights = SUBSAMPLE * SUBSAMPLE * n_x;

1199

if (n_weights / (SUBSAMPLE * SUBSAMPLE) != n_x)

1200

return NULL; /* overflow, bail */

1201

1202

n_weights *= n_y;

1203

if (n_weights / (SUBSAMPLE * SUBSAMPLE * n_x) != n_y)

1204

return NULL; /* overflow, bail */

1205

1206

weights = g_try_new (int, n_weights);

1207

if (!weights)

1208

return NULL; /* overflow, bail */

1196

1209

1197

1210

for (i_offset=0; i_offset < SUBSAMPLE; i_offset++)

1198

1211

for (j_offset=0; j_offset < SUBSAMPLE; j_offset++)

1267

1280

if (x_step == 0 || y_step == 0)

1268

1281

return; /* overflow, bail out */

1269

1282

1283

filter_weights = make_filter_table (filter);

1284

if (!filter_weights)

1285

return; /* overflow, bail out */

1286

1270

1287

line_bufs = g_new (guchar *, filter->y.n);

1271

filter_weights = make_filter_table (filter);

1272

1288

1273

1289

check_shift = check_size ? get_check_shift (check_size) : 0;

1274

1290

1388

1404

double scale)

1389

1405

{

1390

1406

int n = ceil (1 / scale + 1);

1391

double *pixel_weights = g_new (double, SUBSAMPLE * n);

1407

double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);

1392

1408

int offset;

1393

1409

int i;

1394

1410

1446

1462

}

1447

1463

1448

1464

dim->n = n;

1449

dim->weights = g_new (double, SUBSAMPLE * n);

1465

dim->weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);

1450

1466

1451

1467

pixel_weights = dim->weights;

1452

1468

1537

1553

double scale)

1538

1554

{

1539

1555

int n = ceil (1/scale + 3.0);

1540

double *pixel_weights = g_new (double, SUBSAMPLE * n);

1556

double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);

1541

1557

double w;

1542

1558

int offset, i;

1543

1559

Older »