main/gimp: security fix (CVE-2011-2896)

ref #805

2 files changed, 66 insertions, 3 deletions

diff --git a/main/gimp/APKBUILD b/main/gimp/APKBUILD
index 71c211895..d297aae27 100644
--- a/main/gimp/APKBUILD
+++ b/main/gimp/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=gimp
 pkgver=2.6.11
-pkgrel=5
+pkgrel=6
 pkgdesc="GNU Image Manipulation Program"
 url="http://www.gimp.org/"
 arch="all"
@@ -13,7 +13,8 @@ install=
 subpackages="$pkgname-dev $pkgname-doc $pkgname-lang"
 source="ftp://ftp.$pkgname.org/pub/$pkgname/v2.6/$pkgname-$pkgver.tar.bz2
 	gimp-libpng1.5-compat.patch
-	gimp-curl-fix.patch"
+	gimp-curl-fix.patch
+	cve-2011-2896.patch"
 
 _builddir="${srcdir}/${pkgname}-${pkgver}"
 prepare() { 
@@ -54,4 +55,5 @@ package() {
 
 md5sums="bb2939fe13e54fc7255cef5d097bb5dd  gimp-2.6.11.tar.bz2
 7dfc4006676fdea887f1883ccc6c7772  gimp-libpng1.5-compat.patch
-678010acec374e06140e65f7de24ff69  gimp-curl-fix.patch"
+678010acec374e06140e65f7de24ff69  gimp-curl-fix.patch
+c317eae455c808b8434e9b600afee648  cve-2011-2896.patch"
diff --git a/main/gimp/cve-2011-2896.patch b/main/gimp/cve-2011-2896.patch
new file mode 100644
index 000000000..735d77175
--- /dev/null
+++ b/main/gimp/cve-2011-2896.patch
@@ -0,0 +1,61 @@
+From 376ad788c1a1c31d40f18494889c383f6909ebfc Mon Sep 17 00:00:00 2001
+From: Nils Philippsen <nils@redhat.com>
+Date: Thu, 04 Aug 2011 10:51:42 +0000
+Subject: file-gif-load: fix heap corruption and buffer overflow (CVE-2011-2896)
+
+---
+(limited to 'plug-ins/common/file-gif-load.c')
+
+diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
+index 81f3bd0..c91e7aa 100644
+--- a/plug-ins/common/file-gif-load.c
++++ b/plug-ins/common/file-gif-load.c
+@@ -713,7 +713,8 @@ LZWReadByte (FILE *fd,
+   static gint firstcode, oldcode;
+   static gint clear_code, end_code;
+   static gint table[2][(1 << MAX_LZW_BITS)];
+-  static gint stack[(1 << (MAX_LZW_BITS)) * 2], *sp;
++#define STACK_SIZE ((1 << (MAX_LZW_BITS)) * 2)
++  static gint stack[STACK_SIZE], *sp;
+   gint        i;
+ 
+   if (just_reset_LZW)
+@@ -788,7 +789,7 @@ LZWReadByte (FILE *fd,
+ 
+           return firstcode & 255;
+         }
+-      else if (code == end_code)
++      else if (code == end_code || code > max_code)
+         {
+           gint   count;
+           guchar buf[260];
+@@ -807,13 +808,14 @@ LZWReadByte (FILE *fd,
+ 
+       incode = code;
+ 
+-      if (code >= max_code)
++      if (code == max_code)
+         {
+-          *sp++ = firstcode;
++          if (sp < &(stack[STACK_SIZE]))
++            *sp++ = firstcode;
+           code = oldcode;
+         }
+ 
+-      while (code >= clear_code)
++      while (code >= clear_code && sp < &(stack[STACK_SIZE]))
+         {
+           *sp++ = table[1][code];
+           if (code == table[0][code])
+@@ -824,7 +826,8 @@ LZWReadByte (FILE *fd,
+           code = table[0][code];
+         }
+ 
+-      *sp++ = firstcode = table[1][code];
++      if (sp < &(stack[STACK_SIZE]))
++        *sp++ = firstcode = table[1][code];
+ 
+       if ((code = max_code) < (1 << MAX_LZW_BITS))
+         {
+--
+cgit v0.9.0.2