
gimp-2.2.13-2.0.10.el5.src.rpm

From 3c94bf44fed260b404dbcd2c6615e2abd8f39281 Mon Sep 17 00:00:00 2001
From: Nils Philippsen <nils@redhat.com>
Date: Thu, 12 Jul 2012 12:52:01 +0200
Subject: [PATCH] patch: CVE-2011-2896

Squashed commit of the following:

commit 4713e4998f20c7b08b6bbe95599400a4ff77eb14
Author: Nils Philippsen <nils@redhat.com>
Date:   Thu Jul 12 12:40:33 2012 +0200

    gifload: fix heap corruption and buffer overflow (CVE-2011-2896)
    (backported from commit 376ad788c1a1c31d40f18494889c383f6909ebfc)

commit 25f2fd1a69bc4e122558575cfdc6dcfa1cc5ad08
Author: Nils Philippsen <nils@redhat.com>
Date:   Thu Jul 12 12:33:27 2012 +0200

    gifload: ensure return value of LZWReadByte() is <= 255
    (backported from commit b1a3de761362db982c0ddfaff60ab4a3c4267f32)
---
 plug-ins/common/gifload.c |   25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/plug-ins/common/gifload.c b/plug-ins/common/gifload.c
index 2d182a6..9744fbb 100644
--- a/plug-ins/common/gifload.c
+++ b/plug-ins/common/gifload.c
@@ -658,7 +658,8 @@ LZWReadByte (FILE *fd,
   static int firstcode, oldcode;
   static int clear_code, end_code;
   static int table[2][(1 << MAX_LZW_BITS)];
-  static int stack[(1 << (MAX_LZW_BITS)) * 2], *sp;
+#define STACK_SIZE ((1 << (MAX_LZW_BITS)) * 2)
+  static int stack[STACK_SIZE], *sp;
   register int i;
 
   if (just_reset_LZW)
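Review bot: The new `#define STACK_SIZE` on L42 sits inside LZWReadByte's body and is never `#undef`'d, so an unprefixed, generic macro name now leaks into the rest of the translation unit, and a preprocessor definition wedged between two `static` declarations reads oddly. Either hoist it next to wherever `MAX_LZW_BITS` is defined, or drop the macro and bound the pointer against the array itself at each guard, `sp < stack + G_N_ELEMENTS (stack)` if glib is in scope here, otherwise `sp < stack + sizeof stack / sizeof stack[0]`. The function's signature is only in the hunk header and its body continues past this hunk.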
@@ -704,11 +705,11 @@ LZWReadByte (FILE *fd,
 	    GetCode (fd, code_size, FALSE);
 	}
       while (firstcode == clear_code);
-      return firstcode;
+      return firstcode & 255;
     }
 
   if (sp > stack)
-    return *--sp;
+    return (*--sp) & 255;
 
   while ((code = GetCode (fd, code_size, FALSE)) >= 0)
     {
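Review bot: The `& 255` added on L52 and L57 can turn a failure indication into a valid-looking byte: `firstcode` is assigned straight from `GetCode()` (L48), and the loop condition on L59 shows `GetCode()` reports failure with a negative value, so a -1 here becomes 255 and any caller that tests for a negative return no longer stops. The same applies to `return firstcode & 255;` in the third hunk and to both returns in the last hunk, where the final `return code & 255;` is reached precisely because the loop exited on a negative `code`. Masking only non-negative values keeps the error path intact, e.g. `return firstcode < 0 ? firstcode : firstcode & 255;`, or a small `static inline` helper applied at every return site. LZWReadByte starts before this hunk and continues after it.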
@@ -730,9 +731,9 @@ LZWReadByte (FILE *fd,
 	  sp = stack;
 	  firstcode = oldcode =
 	    GetCode (fd, code_size, FALSE);
-	  return firstcode;
+	  return firstcode & 255;
 	}
-      else if (code == end_code)
+      else if (code == end_code || code > max_code)
 	{
 	  int count;
 	  unsigned char buf[260];
@@ -750,13 +751,14 @@ LZWReadByte (FILE *fd,
 
       incode = code;
 
-      if (code >= max_code)
+      if (code == max_code)
 	{
-	  *sp++ = firstcode;
+      if (sp < &(stack[STACK_SIZE]))
+	    *sp++ = firstcode;
 	  code = oldcode;
 	}
 
-      while (code >= clear_code)
+      while (code >= clear_code && sp < &(stack[STACK_SIZE]))
 	{
 	  *sp++ = table[1][code];
 	  if (code == table[0][code])
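Review bot: The three new `sp < &(stack[STACK_SIZE])` guards (L81, L87, L96) stop the out-of-bounds write but silently drop the decoded value, so a stream that overfills the stack is rendered as a shortened or shifted pixel run instead of being rejected; the `code == end_code || code > max_code` branch in the previous hunk shows the function already has a path for treating a corrupt code stream as end of data, and a full stack is better routed through that same error return than truncated. If truncation is the intended behaviour, a one-line comment at the first guard, `/* stack full: corrupt stream, drop the symbol rather than overrun */`, should say so. L81 is indented with six spaces while the adjacent lines (L82, L83) use a tab; match the file's tab style. The enclosing loop body begins in the previous hunk and continues after this one.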
@@ -767,7 +769,8 @@ LZWReadByte (FILE *fd,
 	  code = table[0][code];
 	}
 
-      *sp++ = firstcode = table[1][code];
+      if (sp < &(stack[STACK_SIZE]))
+        *sp++ = firstcode = table[1][code];
 
       if ((code = max_code) < (1 << MAX_LZW_BITS))
 	{
@@ -785,9 +788,9 @@ LZWReadByte (FILE *fd,
       oldcode = incode;
 
       if (sp > stack)
-	return *--sp;
+	return (*--sp) & 255;
     }
-  return code;
+  return code & 255;
 }
 
 static gint32
-- 
1.7.10.4