Diffstat (limited to 'main/gimp/CVE-2012-2763.patch')
-rw-r--r-- | main/gimp/CVE-2012-2763.patch | 122 |
1 files changed, 122 insertions, 0 deletions
diff --git a/main/gimp/CVE-2012-2763.patch b/main/gimp/CVE-2012-2763.patch
new file mode 100644
index 0000000000..c3f81c4898
--- /dev/null
+++ b/main/gimp/CVE-2012-2763.patch
@@ -0,0 +1,122 @@
+From 744f7a4a2b5acb8b531a6f5dd8744ebb95348fc2 Mon Sep 17 00:00:00 2001
+From: Kevin Cozens <kcozens@cvs.gnome.org>
+Date: Mon, 17 Aug 2009 23:29:02 +0000
+Subject: script-fu: Bug #679215: Fixed potential buffer overflow in readstr_upto()
+
+Cherry picked from commit 76155d79df8d497d9a5994029247387e222da9e9.
+
+gimp-2-6 is no longer maintained. But we might as well commit this for
+the benefit of EL/LTS distros. This patch hasn't even been compiled, so
+YMMV. Enjoy.
+---
+diff --git a/plug-ins/script-fu/tinyscheme/scheme.c b/plug-ins/script-fu/tinyscheme/scheme.c
+index 60440fc..1f509f2 100644
+--- a/plug-ins/script-fu/tinyscheme/scheme.c
++++ b/plug-ins/script-fu/tinyscheme/scheme.c
+@@ -1710,7 +1710,7 @@ static char *readstr_upto(scheme *sc, char *delim) {
+ char *p = sc->strbuff;
+ gunichar c = 0;
+ gunichar c_prev = 0;
+- int len = 0;
++ int len = 0;
+
+#if 0
+ while (!is_one_of(delim, (*p++ = inchar(sc))))
+@@ -1727,7 +1727,8 @@ static char *readstr_upto(scheme *sc, char *delim) {
+ c = inchar(sc);
+ len = g_unichar_to_utf8(c, p);
+ p += len;
+- } while (c && !is_one_of(delim, c));
++ } while ((p - sc->strbuff < sizeof(sc->strbuff)) &&
++ (c && !is_one_of(delim, c)));
+
+ if(p==sc->strbuff+2 && c_prev=='\\')
+ *p = '\0';
+@@ -2053,9 +2054,11 @@ static void atom2str(scheme *sc, pointer l, int f, char **pp, int *plen) {
+ default:
+#if USE_ASCII_NAMES
+ if(c==127) {
+- strcpy(p,"#\\del"); break;
++ snprintf(p,STRBUFFSIZE, "#\\del");
++ break;
+ } else if(c<32) {
+- strcpy(p,"#\\"); strcat(p,charnames[c]); break;
++ snprintf(p,STRBUFFSIZE, "#\\%s", charnames[c]);
++ break;
+ }
+#else
+ if(c<32) {
+@@ -2655,7 +2658,7 @@ static pointer opexe_0(scheme *sc, enum scheme_opcodes op) {
+ if(sc->tracing) {
+ s_save(sc,OP_REAL_APPLY,sc->args,sc->code);
+ sc->print_flag = 1;
+- /* sc->args=cons(sc,sc->code,sc->args);*/
++ /* sc->args=cons(sc,sc->code,sc->args);*/
+ putstr(sc,"\nApply to: ");
+ s_goto(sc,OP_P0LIST);
+ }
+@@ -2769,7 +2772,7 @@ static pointer opexe_0(scheme *sc, enum scheme_opcodes op) {
+
+ case OP_SET0: /* set! */
+ if(is_immutable(car(sc->code)))
+- Error_1(sc,"set!: unable to alter immutable variable", car(sc->code));
++ Error_1(sc,"set!: unable to alter immutable variable",car(sc->code));
+ s_save(sc,OP_SET1, sc->NIL, car(sc->code));
+ sc->code = cadr(sc->code);
+ s_goto(sc,OP_EVAL);
+@@ -3593,17 +3596,11 @@ static pointer opexe_2(scheme *sc, enum scheme_opcodes op) {
+static int is_list(scheme *sc, pointer a)
+{ return list_length(sc,a) >= 0; }
+
+-/* Result is:
+- proper list: length
+- circular list: -1
+- not even a pair: -2
+- dotted list: -2 minus length before dot
+-*/
+-int list_length(scheme *sc, pointer a) {
++int list_length(scheme *sc, pointer p) {
+ int i=0;
+ pointer slow, fast;
+
+- slow = fast = a;
++ slow = fast = p;
+ while (1)
+ {
+ if (fast == sc->NIL)
+@@ -4156,13 +4153,13 @@ static pointer opexe_5(scheme *sc, enum scheme_opcodes op) {
+ case OP_RDVEC:
+ /*sc->code=cons(sc,mk_proc(sc,OP_VECTOR),sc->value);
+ s_goto(sc,OP_EVAL); Cannot be quoted*/
+- /*x=cons(sc,mk_proc(sc,OP_VECTOR),sc->value);
+- s_return(sc,x); Cannot be part of pairs*/
+- /*sc->code=mk_proc(sc,OP_VECTOR);
+- sc->args=sc->value;
+- s_goto(sc,OP_APPLY);*/
+- sc->args=sc->value;
+- s_goto(sc,OP_VECTOR);
++ /*x=cons(sc,mk_proc(sc,OP_VECTOR),sc->value);
++ s_return(sc,x); Cannot be part of pairs*/
++ /*sc->code=mk_proc(sc,OP_VECTOR);
++ sc->args=sc->value;
++ s_goto(sc,OP_APPLY);*/
++ sc->args=sc->value;
++ s_goto(sc,OP_VECTOR);
+
+ /* ========== printing part ========== */
+ case OP_P0LIST:
+diff --git a/plug-ins/script-fu/tinyscheme/scheme.h b/plug-ins/script-fu/tinyscheme/scheme.h
+index 92edba6..c3bf08e 100644
+--- a/plug-ins/script-fu/tinyscheme/scheme.h
++++ b/plug-ins/script-fu/tinyscheme/scheme.h
+@@ -198,7 +198,7 @@ struct scheme_interface {
+ gunichar (*charvalue)(pointer p);
+ int (*is_list)(scheme *sc, pointer p);
+ int (*is_vector)(pointer p);
+- int (*list_length)(scheme *sc, pointer a);
++ int (*list_length)(scheme *sc, pointer p);
+ long (*vector_length)(pointer vec);
+ void (*fill_vector)(pointer vec, pointer elem);
+ pointer (*vector_elem)(pointer vec, int ielem);
+--
+cgit v0.9.0.2 |
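Review bot: In the readstr_upto() hunk the new bound is evaluated only after `g_unichar_to_utf8(c, p)` has already written, and it lets the loop run again while as little as one byte is left, although that GLib call may emit up to 6 bytes per character, so the final iteration can still write a few bytes past `sc->strbuff`. Reserving room for a full character before looping again would close the gap, e.g. `} while ((size_t)(p - sc->strbuff) + 6 <= sizeof(sc->strbuff) &&`, assuming `strbuff` is an array member (its declaration is not in the hunk); the cast also removes the signed/unsigned comparison. The same patch drops the comment documenting list_length()'s return codes (`-1` circular, `-2` not a pair) without replacement, which is worth keeping. Since the commit message says the backport was never compiled, a build and a regression run with an over-long token should precede shipping it; the body of readstr_upto() starts and ends outside the hunk.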