Diffstat (limited to 'main/gimp/CVE-2012-2763.patch')
-rw-r--r--main/gimp/CVE-2012-2763.patch122
1 files changed, 122 insertions, 0 deletions
diff --git a/main/gimp/CVE-2012-2763.patch b/main/gimp/CVE-2012-2763.patch
new file mode 100644
index 0000000000..c3f81c4898
--- /dev/null
+++ b/main/gimp/CVE-2012-2763.patch
@@ -0,0 +1,122 @@
+From 744f7a4a2b5acb8b531a6f5dd8744ebb95348fc2 Mon Sep 17 00:00:00 2001
+From: Kevin Cozens <kcozens@cvs.gnome.org>
+Date: Mon, 17 Aug 2009 23:29:02 +0000
+Subject: script-fu: Bug #679215: Fixed potential buffer overflow in readstr_upto()
+
+Cherry picked from commit 76155d79df8d497d9a5994029247387e222da9e9.
+
+gimp-2-6 is no longer maintained. But we might as well commit this for
+the benefit of EL/LTS distros. This patch hasn't even been compiled, so
+YMMV. Enjoy.
+---
+diff --git a/plug-ins/script-fu/tinyscheme/scheme.c b/plug-ins/script-fu/tinyscheme/scheme.c
+index 60440fc..1f509f2 100644
+--- a/plug-ins/script-fu/tinyscheme/scheme.c
++++ b/plug-ins/script-fu/tinyscheme/scheme.c
+@@ -1710,7 +1710,7 @@ static char *readstr_upto(scheme *sc, char *delim) {
+ char *p = sc->strbuff;
+ gunichar c = 0;
+ gunichar c_prev = 0;
+- int len = 0;
++ int len = 0;
+
+ #if 0
+ while (!is_one_of(delim, (*p++ = inchar(sc))))
+@@ -1727,7 +1727,8 @@ static char *readstr_upto(scheme *sc, char *delim) {
+ c = inchar(sc);
+ len = g_unichar_to_utf8(c, p);
+ p += len;
+- } while (c && !is_one_of(delim, c));
++ } while ((p - sc->strbuff < sizeof(sc->strbuff)) &&
++ (c && !is_one_of(delim, c)));
+
+ if(p==sc->strbuff+2 && c_prev=='\\')
+ *p = '\0';
+@@ -2053,9 +2054,11 @@ static void atom2str(scheme *sc, pointer l, int f, char **pp, int *plen) {
+ default:
+ #if USE_ASCII_NAMES
+ if(c==127) {
+- strcpy(p,"#\\del"); break;
++ snprintf(p,STRBUFFSIZE, "#\\del");
++ break;
+ } else if(c<32) {
+- strcpy(p,"#\\"); strcat(p,charnames[c]); break;
++ snprintf(p,STRBUFFSIZE, "#\\%s", charnames[c]);
++ break;
+ }
+ #else
+ if(c<32) {
+@@ -2655,7 +2658,7 @@ static pointer opexe_0(scheme *sc, enum scheme_opcodes op) {
+ if(sc->tracing) {
+ s_save(sc,OP_REAL_APPLY,sc->args,sc->code);
+ sc->print_flag = 1;
+- /* sc->args=cons(sc,sc->code,sc->args);*/
++ /* sc->args=cons(sc,sc->code,sc->args);*/
+ putstr(sc,"\nApply to: ");
+ s_goto(sc,OP_P0LIST);
+ }
+@@ -2769,7 +2772,7 @@ static pointer opexe_0(scheme *sc, enum scheme_opcodes op) {
+
+ case OP_SET0: /* set! */
+ if(is_immutable(car(sc->code)))
+- Error_1(sc,"set!: unable to alter immutable variable", car(sc->code));
++ Error_1(sc,"set!: unable to alter immutable variable",car(sc->code));
+ s_save(sc,OP_SET1, sc->NIL, car(sc->code));
+ sc->code = cadr(sc->code);
+ s_goto(sc,OP_EVAL);
+@@ -3593,17 +3596,11 @@ static pointer opexe_2(scheme *sc, enum scheme_opcodes op) {
+ static int is_list(scheme *sc, pointer a)
+ { return list_length(sc,a) >= 0; }
+
+-/* Result is:
+- proper list: length
+- circular list: -1
+- not even a pair: -2
+- dotted list: -2 minus length before dot
+-*/
+-int list_length(scheme *sc, pointer a) {
++int list_length(scheme *sc, pointer p) {
+ int i=0;
+ pointer slow, fast;
+
+- slow = fast = a;
++ slow = fast = p;
+ while (1)
+ {
+ if (fast == sc->NIL)
+@@ -4156,13 +4153,13 @@ static pointer opexe_5(scheme *sc, enum scheme_opcodes op) {
+ case OP_RDVEC:
+ /*sc->code=cons(sc,mk_proc(sc,OP_VECTOR),sc->value);
+ s_goto(sc,OP_EVAL); Cannot be quoted*/
+- /*x=cons(sc,mk_proc(sc,OP_VECTOR),sc->value);
+- s_return(sc,x); Cannot be part of pairs*/
+- /*sc->code=mk_proc(sc,OP_VECTOR);
+- sc->args=sc->value;
+- s_goto(sc,OP_APPLY);*/
+- sc->args=sc->value;
+- s_goto(sc,OP_VECTOR);
++ /*x=cons(sc,mk_proc(sc,OP_VECTOR),sc->value);
++ s_return(sc,x); Cannot be part of pairs*/
++ /*sc->code=mk_proc(sc,OP_VECTOR);
++ sc->args=sc->value;
++ s_goto(sc,OP_APPLY);*/
++ sc->args=sc->value;
++ s_goto(sc,OP_VECTOR);
+
+ /* ========== printing part ========== */
+ case OP_P0LIST:
+diff --git a/plug-ins/script-fu/tinyscheme/scheme.h b/plug-ins/script-fu/tinyscheme/scheme.h
+index 92edba6..c3bf08e 100644
+--- a/plug-ins/script-fu/tinyscheme/scheme.h
++++ b/plug-ins/script-fu/tinyscheme/scheme.h
+@@ -198,7 +198,7 @@ struct scheme_interface {
+ gunichar (*charvalue)(pointer p);
+ int (*is_list)(scheme *sc, pointer p);
+ int (*is_vector)(pointer p);
+- int (*list_length)(scheme *sc, pointer a);
++ int (*list_length)(scheme *sc, pointer p);
+ long (*vector_length)(pointer vec);
+ void (*fill_vector)(pointer vec, pointer elem);
+ pointer (*vector_elem)(pointer vec, int ielem);
+--
+cgit v0.9.0.2
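Review bot: In the embedded readstr_upto() hunk, the new bound `p - sc->strbuff < sizeof(sc->strbuff)` is only evaluated after `g_unichar_to_utf8(c, p)` has already stored its output, and that GLib call can emit up to 6 bytes, so an iteration that begins in the last few bytes of the buffer can still write past its end. The condition should leave room for one full UTF-8 sequence plus the terminator written after the loop, for example `} while ((p - sc->strbuff < sizeof(sc->strbuff) - 6) &&` followed by the unchanged `(c && !is_one_of(delim, c)));`. This assumes strbuff is a fixed array of STRBUFFSIZE bytes that is comfortably larger than 6, which should be confirmed because its declaration is not in the patch, and readstr_upto() itself starts and ends outside the hunk. The patch description states the backport was never compiled, so before shipping it as a CVE fix it would be worth building it and exercising the reader with a token longer than the buffer, made of multi-byte characters, under `-fsanitize=address`. The unrelated whitespace edits and the removal of the comment documenting list_length()'s return values make the security-relevant lines harder to audit and could be dropped from the packaged patch.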