[SCM] GNU Shockwave Flash (SWF) player branch, master, updated. debian/0.8.10-4-1-gf1309ca

Gabriele Giacone gg0-guest at alioth.debian.org
Thu Mar 15 02:46:18 UTC 2012


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU Shockwave Flash (SWF) player".

The branch, master has been updated
       via  f1309ca96e581d93d676ac1b65eb57bb838c882a (commit)
      from  830c52b59d0b40d4a5dc84df1d57cb06c8852aed (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit f1309ca96e581d93d676ac1b65eb57bb838c882a
Author: Gabriele Giacone <1o5g4r8o at gmail.com>
Date:   Thu Mar 15 03:29:52 2012 +0100

    Fix CVE-2012-1175.

-----------------------------------------------------------------------

Summary of changes:
 debian/changelog               |    6 ++++
 debian/patches/00CVE-2012-1175 |   58 ++++++++++++++++++++++++++++++++++++++++
 debian/patches/series          |    1 +
 3 files changed, 65 insertions(+), 0 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 41750db..1aea82c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+gnash (0.8.10-5) unstable; urgency=low
+
+  * Fix CVE-2012-1175 (Closes: #664023).
+
+ -- Gabriele Giacone <1o5g4r8o at gmail.com>  Thu, 15 Mar 2012 03:04:37 +0100
+
 gnash (0.8.10-4) unstable; urgency=low
 
   * B-D on libpng-dev for libpng15 transition (Closes: #662353).
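Review bot: The new changelog entry at the top of this hunk ships a CVE fix with urgency=low. If the upload exists only to deliver the fix for CVE-2012-1175, a higher urgency (medium or high) would state that intent and shorten the wait before the fixed package migrates to testing. Otherwise, note in the entry why low is enough.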
diff --git a/debian/patches/00CVE-2012-1175 b/debian/patches/00CVE-2012-1175
new file mode 100644
index 0000000..3dbf490
--- /dev/null
+++ b/debian/patches/00CVE-2012-1175
@@ -0,0 +1,58 @@
+Description: Fix CVE-2012-1175.
+Origin: http://git.sv.gnu.org/cgit/gnash.git/patch/?id=bb4dc77eecb6ed1b967e3ecbce3dac6c5e6f1527
+Author: Benjamin Wolsey <bwy at benjaminwolsey.de>
+Bug-Debian: http://bugs.debian.org/664023
+
+--- a/libbase/GnashImage.cpp
++++ b/libbase/GnashImage.cpp
+@@ -26,6 +26,7 @@
+ #include <boost/scoped_array.hpp>
+ #include <boost/shared_ptr.hpp>
+ #include <algorithm>
++#include <cassert>
+ 
+ #ifdef USE_PNG
+ # include "GnashImagePng.h"
+@@ -44,6 +45,21 @@ namespace image {
+ 
+ namespace {
+     void processAlpha(GnashImage::iterator imageData, size_t pixels);
++    bool checkValidSize(size_t width, size_t height, size_t channels) {
++
++        if (width == 0 || height == 0) return false;
++
++        assert(channels > 0);
++
++        boost::uint32_t maxSize = std::numeric_limits<boost::int32_t>::max();
++        if (width >= maxSize || height >= maxSize) return false;
++
++        maxSize /= channels;
++        maxSize /= width;
++        maxSize /= height;
++
++        return maxSize > 0;
++    }
+ }
+ 
+ GnashImage::GnashImage(iterator data, size_t width, size_t height,
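Review bot: In checkValidSize, `assert(channels > 0);` is the only guard ahead of `maxSize /= channels;`, so a build with NDEBUG defined loses the guard and a zero channel count becomes a division by zero. Returning false for channels == 0 alongside the width and height test would keep the helper safe in release builds. The three successive divisions do reject any width * height * channels product above the int32 maximum without ever computing that product. A short comment saying so, plus a doc comment on the helper, would save the next reader from re-deriving it.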
+@@ -55,6 +71,8 @@ GnashImage::GnashImage(iterator data, size_t width, size_t height,
+     _height(height),
+     _data(data)
+ {
++    // Callers should check dimensions
++    assert(checkValidSize(_width, _height, channels()));
+ }
+ 
+ /// Create an image allocating a buffer of height*pitch bytes
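Review bot: In this constructor the only dimension check is `assert(checkValidSize(_width, _height, channels()));`, which is compiled out when NDEBUG is defined, so release builds accept any width and height here and depend entirely on each caller having validated them. If any caller can pass dimensions taken from file data, throw as the allocating constructor does instead of asserting. If not, the "Callers should check dimensions" requirement belongs in the constructor's documentation comment, where callers will see it.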
+@@ -66,8 +84,9 @@ GnashImage::GnashImage(size_t width, size_t height, ImageType type,
+     _width(width),
+     _height(height)
+ {
+-    const size_t max = std::numeric_limits<boost::int32_t>::max();
+-    if (size() > max) {
++    // Constructed from external input, so restrict dimensions to avoid
++    // overflow in size calculations
++    if (!checkValidSize(_width, _height, channels())) {
+         throw std::bad_alloc();
+     }
+     _data.reset(new value_type[size()]);
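Review bot: Replacing `if (size() > max)` with `if (!checkValidSize(_width, _height, channels()))` also changes behaviour for empty images: checkValidSize returns false when width or height is 0, so a zero-sized image that passed the old test now throws std::bad_alloc. If that is intended, say so in the comment and in the patch description. If zero dimensions are legitimate input, handle them before the overflow check. Reporting invalid dimensions as std::bad_alloc predates this change, but a distinct exception type would let callers tell malformed input from memory exhaustion.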
diff --git a/debian/patches/series b/debian/patches/series
index e69de29..f08dd83 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -0,0 +1 @@
+00CVE-2012-1175


hooks/post-receive
-- 
GNU Shockwave Flash (SWF) player


