aboutsummaryrefslogtreecommitdiffstats
path: root/main/gimp
diff options
context:
space:
mode:
Diffstat (limited to 'main/gimp')
-rw-r--r--main/gimp/APKBUILD8
-rw-r--r--main/gimp/cve-2011-2896.patch61
2 files changed, 66 insertions, 3 deletions
diff --git a/main/gimp/APKBUILD b/main/gimp/APKBUILD
index 71c211895b..d297aae275 100644
--- a/main/gimp/APKBUILD
+++ b/main/gimp/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=gimp
pkgver=2.6.11
-pkgrel=5
+pkgrel=6
pkgdesc="GNU Image Manipulation Program"
url="http://www.gimp.org/"
arch="all"
@@ -13,7 +13,8 @@ install=
subpackages="$pkgname-dev $pkgname-doc $pkgname-lang"
source="ftp://ftp.$pkgname.org/pub/$pkgname/v2.6/$pkgname-$pkgver.tar.bz2
gimp-libpng1.5-compat.patch
- gimp-curl-fix.patch"
+ gimp-curl-fix.patch
+ cve-2011-2896.patch"
_builddir="${srcdir}/${pkgname}-${pkgver}"
prepare() {
@@ -54,4 +55,5 @@ package() {
md5sums="bb2939fe13e54fc7255cef5d097bb5dd gimp-2.6.11.tar.bz2
7dfc4006676fdea887f1883ccc6c7772 gimp-libpng1.5-compat.patch
-678010acec374e06140e65f7de24ff69 gimp-curl-fix.patch"
+678010acec374e06140e65f7de24ff69 gimp-curl-fix.patch
+c317eae455c808b8434e9b600afee648 cve-2011-2896.patch"
diff --git a/main/gimp/cve-2011-2896.patch b/main/gimp/cve-2011-2896.patch
new file mode 100644
index 0000000000..735d771750
--- /dev/null
+++ b/main/gimp/cve-2011-2896.patch
@@ -0,0 +1,61 @@
+From 376ad788c1a1c31d40f18494889c383f6909ebfc Mon Sep 17 00:00:00 2001
+From: Nils Philippsen <nils@redhat.com>
+Date: Thu, 04 Aug 2011 10:51:42 +0000
+Subject: file-gif-load: fix heap corruption and buffer overflow (CVE-2011-2896)
+
+---
+(limited to 'plug-ins/common/file-gif-load.c')
+
+diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
+index 81f3bd0..c91e7aa 100644
+--- a/plug-ins/common/file-gif-load.c
++++ b/plug-ins/common/file-gif-load.c
+@@ -713,7 +713,8 @@ LZWReadByte (FILE *fd,
+ static gint firstcode, oldcode;
+ static gint clear_code, end_code;
+ static gint table[2][(1 << MAX_LZW_BITS)];
+- static gint stack[(1 << (MAX_LZW_BITS)) * 2], *sp;
++#define STACK_SIZE ((1 << (MAX_LZW_BITS)) * 2)
++ static gint stack[STACK_SIZE], *sp;
+ gint i;
+
+ if (just_reset_LZW)
+@@ -788,7 +789,7 @@ LZWReadByte (FILE *fd,
+
+ return firstcode & 255;
+ }
+- else if (code == end_code)
++ else if (code == end_code || code > max_code)
+ {
+ gint count;
+ guchar buf[260];
+@@ -807,13 +808,14 @@ LZWReadByte (FILE *fd,
+
+ incode = code;
+
+- if (code >= max_code)
++ if (code == max_code)
+ {
+- *sp++ = firstcode;
++ if (sp < &(stack[STACK_SIZE]))
++ *sp++ = firstcode;
+ code = oldcode;
+ }
+
+- while (code >= clear_code)
++ while (code >= clear_code && sp < &(stack[STACK_SIZE]))
+ {
+ *sp++ = table[1][code];
+ if (code == table[0][code])
+@@ -824,7 +826,8 @@ LZWReadByte (FILE *fd,
+ code = table[0][code];
+ }
+
+- *sp++ = firstcode = table[1][code];
++ if (sp < &(stack[STACK_SIZE]))
++ *sp++ = firstcode = table[1][code];
+
+ if ((code = max_code) < (1 << MAX_LZW_BITS))
+ {
+--
+cgit v0.9.0.2