r5384 - in /packages/libimager-perl/branches/upstream/current:
Changes Imager.pm META.yml bmp.c t/t107bmp.t
kjetil-guest at users.alioth.debian.org
kjetil-guest at users.alioth.debian.org
Fri May 11 11:54:40 UTC 2007
Author: kjetil-guest
Date: Fri May 11 11:54:40 2007
New Revision: 5384
URL: http://svn.debian.org/wsvn/pkg-perl/?sc=1&rev=5384
Log:
Load /tmp/tmp.qIPYB31381/libimager-perl-0.57 into
packages/libimager-perl/branches/upstream/current.
Modified:
packages/libimager-perl/branches/upstream/current/Changes
packages/libimager-perl/branches/upstream/current/Imager.pm
packages/libimager-perl/branches/upstream/current/META.yml
packages/libimager-perl/branches/upstream/current/bmp.c
packages/libimager-perl/branches/upstream/current/t/t107bmp.t
Modified: packages/libimager-perl/branches/upstream/current/Changes
URL: http://svn.debian.org/wsvn/pkg-perl/packages/libimager-perl/branches/upstream/current/Changes?rev=5384&op=diff
==============================================================================
--- packages/libimager-perl/branches/upstream/current/Changes (original)
+++ packages/libimager-perl/branches/upstream/current/Changes Fri May 11 11:54:40 2007
@@ -1,6 +1,16 @@
Imager release history. Older releases can be found in Changes.old
-Imager 0.56 -
+Imager 0.57 - 30 Apr 2007
+===========
+
+This is a maintenence release fixing a security issue in Imager.
+
+ - CRITICAL: a specially crafted compressed BMP file can cause a buffer
+ overflow in malloced memory. There will be further discussion of
+ this issue in the ticket below.
+ http://rt.cpan.org/Ticket/Display.html?id=26811
+
+Imager 0.56 - 1 Apr 2007
===========
- added support for reading 16-bit/sample PGM/PPM images
@@ -51,7 +61,7 @@
- avoid Data::Dumper in regops.perl to support older releases of perl
https://rt.cpan.org/Ticket/Display.html?id=24391
- Imager 0.55 - 16 Dec 2006
+Imager 0.55 - 16 Dec 2006
===========
This is primarily a bug fix release.
Modified: packages/libimager-perl/branches/upstream/current/Imager.pm
URL: http://svn.debian.org/wsvn/pkg-perl/packages/libimager-perl/branches/upstream/current/Imager.pm?rev=5384&op=diff
==============================================================================
--- packages/libimager-perl/branches/upstream/current/Imager.pm (original)
+++ packages/libimager-perl/branches/upstream/current/Imager.pm Fri May 11 11:54:40 2007
@@ -155,7 +155,7 @@
BEGIN {
require Exporter;
@ISA = qw(Exporter);
- $VERSION = '0.56';
+ $VERSION = '0.57';
eval {
require XSLoader;
XSLoader::load(Imager => $VERSION);
Modified: packages/libimager-perl/branches/upstream/current/META.yml
URL: http://svn.debian.org/wsvn/pkg-perl/packages/libimager-perl/branches/upstream/current/META.yml?rev=5384&op=diff
==============================================================================
--- packages/libimager-perl/branches/upstream/current/META.yml (original)
+++ packages/libimager-perl/branches/upstream/current/META.yml Fri May 11 11:54:40 2007
@@ -1,6 +1,6 @@
--- #YAML:1.0
name: Imager
-version: 0.56
+version: 0.57
version_from: Imager.pm
author: Tony Cook <tony at imager.perl.org>, Arnar M. Hrafnkelsson
abstract: Perl extension for Generating 24 bit Images
@@ -15,4 +15,4 @@
meta-spec:
version: 1.3
url: http://module-build.sourceforge.net/META-spec-v1.3.html
-generated_by: Imager version 0.56
+generated_by: Imager version 0.57
Modified: packages/libimager-perl/branches/upstream/current/bmp.c
URL: http://svn.debian.org/wsvn/pkg-perl/packages/libimager-perl/branches/upstream/current/bmp.c?rev=5384&op=diff
==============================================================================
--- packages/libimager-perl/branches/upstream/current/bmp.c (original)
+++ packages/libimager-perl/branches/upstream/current/bmp.c Fri May 11 11:54:40 2007
@@ -916,6 +916,13 @@
}
}
else if (packed[0]) {
+ if (x + packed[0] > xsize) {
+ /* this file is corrupt */
+ myfree(line);
+ i_push_error(0, "invalid data during decompression");
+ i_img_destroy(im);
+ return NULL;
+ }
line[0] = packed[1] >> 4;
line[1] = packed[1] & 0x0F;
for (i = 0; i < packed[0]; i += 2) {
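Review bot: The new early return in this run branch frees `line` and destroys `im`, but nothing on the path releases `packed`. The literal-run hunk at -958 reads up to `read_size` bytes into `packed`, which suggests a heap buffer rather than a two-byte array; if so, every rejected file leaks it. After confirming against the allocation, which is outside the hunk, I would add `myfree(packed);` before `myfree(line);` here and in the matching check in the -958 hunk. The enclosing function starts and ends outside this hunk.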
@@ -958,6 +965,13 @@
default:
count = packed[1];
+ if (x + count > xsize) {
+ /* this file is corrupt */
+ myfree(line);
+ i_push_error(0, "invalid data during decompression");
+ i_img_destroy(im);
+ return NULL;
+ }
size = (count + 1) / 2;
read_size = (size+1) / 2 * 2;
if (ig->readcb(ig, packed, read_size) != read_size) {
@@ -1113,6 +1127,13 @@
}
}
if (packed[0]) {
+ if (x + packed[0] > xsize) {
+ /* this file isn't incomplete, it's corrupt */
+ myfree(line);
+ i_push_error(0, "invalid data during decompression");
+ i_img_destroy(im);
+ return NULL;
+ }
memset(line, packed[1], packed[0]);
i_ppal(im, x, x+packed[0], y, line);
x += packed[0];
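Review bot: The reject block added here (`myfree(line); i_push_error(0, "invalid data during decompression"); i_img_destroy(im); return NULL;`) is pasted at four sites in bmp.c, with three different wordings of the comment above it. Because these are the cleanup steps for a memory-safety check, copies that drift apart are a risk in themselves: a later edit that fixes or extends one site can easily miss the others. A small static helper would keep them identical, with each site reading something like `return reject_corrupt_bmp(im, line);` (the name is only a suggestion), and one comment could explain why such a file is treated as corrupt rather than incomplete. The enclosing function is outside the hunk.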
@@ -1147,6 +1168,14 @@
default:
count = packed[1];
+ if (x + count > xsize) {
+ /* runs shouldn't cross a line boundary */
+ /* this file isn't incomplete, it's corrupt */
+ myfree(line);
+ i_push_error(0, "invalid data during decompression");
+ i_img_destroy(im);
+ return NULL;
+ }
read_size = (count+1) / 2 * 2;
if (ig->readcb(ig, line, read_size) != read_size) {
myfree(line);
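Review bot: The guard bounds `count` by `xsize - x`, but the read that follows uses `read_size = (count+1) / 2 * 2`, which is `count + 1` for an odd count, and it writes from the start of `line`. A literal run covering a whole row of an odd-width image therefore passes the check and still asks `readcb` for `xsize + 1` bytes. That is safe only if `line` is allocated with the width rounded up to at least an even size; the allocation is outside this hunk, so it should be confirmed and recorded here, for example `/* line is allocated with room for the pad byte */`. If the buffer is exactly `xsize` bytes, the check should also reject `read_size` larger than the allocated size.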
Modified: packages/libimager-perl/branches/upstream/current/t/t107bmp.t
URL: http://svn.debian.org/wsvn/pkg-perl/packages/libimager-perl/branches/upstream/current/t/t107bmp.t?rev=5384&op=diff
==============================================================================
--- packages/libimager-perl/branches/upstream/current/t/t107bmp.t (original)
+++ packages/libimager-perl/branches/upstream/current/t/t107bmp.t Fri May 11 11:54:40 2007
@@ -1,6 +1,6 @@
#!perl -w
use strict;
-use Test::More tests => 191;
+use Test::More tests => 199;
use Imager qw(:all);
use Imager::Test qw(test_image_raw is_image);
init_log("testout/t107bmp.log",1);
@@ -492,6 +492,32 @@
{ 10 => "35 00 00 00" },
"image data offset too small (53)",
"24-bit, small image offset"
+ ],
+ # compression issues
+ [
+ "comp8.bmp",
+ { 0x436 => "97" },
+ "invalid data during decompression",
+ "8bit, RLE run beyond edge of image"
+ ],
+ [
+ # caused glibc malloc or valgrind to complain
+ "comp8.bmp",
+ { 0x436 => "94 00 00 03" },
+ "invalid data during decompression",
+ "8bit, literal run beyond edge of image"
+ ],
+ [
+ "comp4.bmp",
+ { 0x76 => "FF bb FF BB" },
+ "invalid data during decompression",
+ "4bit - RLE run beyond edge of image"
+ ],
+ [
+ "comp4.bmp",
+ { 0x76 => "94 bb 00 FF" },
+ "invalid data during decompression",
+ "4bit - literal run beyond edge of image"
],
);
my $test_index = 0;
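Review bot: All four new entries push a run past the edge of the image; none pins the boundary the C check is written around, a run that ends exactly on the last pixel of a row and must still load. A comparison in bmp.c mistakenly written as `>=` instead of `>` would pass every case added here. Unless the existing comp4.bmp/comp8.bmp read tests already contain such a row, I would add one RLE8 and one RLE4 image with a run ending at the final pixel and compare the result with `is_image`. The table these entries are added to begins outside this hunk.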