Control: tags 798032 + patch
Control: tags 798032 + pending

Dear maintainer,

I've prepared an NMU for libpgf (versioned as 6.14.12-3.2) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards.
diff -Nru libpgf-6.14.12/debian/changelog libpgf-6.14.12/debian/changelog
--- libpgf-6.14.12/debian/changelog	2015-10-20 04:09:35.000000000 -0500
+++ libpgf-6.14.12/debian/changelog	2016-04-03 21:58:47.000000000 -0500
@@ -1,3 +1,12 @@
+libpgf (6.14.12-3.2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Apply upstream changes 147 & 148 to fix CVE-2015-6673 (Closes:
+    #798032).  New patches 02-fix-CVE-2015-6673-upstream-147.patch and
+    03-fix-CVE-2015-6673-upstream-148.patch.
+
+ -- Steve M. Robbins <s...@debian.org>  Sun, 03 Apr 2016 21:58:47 -0500
+
 libpgf (6.14.12-3.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru libpgf-6.14.12/debian/patches/02-fix-CVE-2015-6673-upstream-147.patch libpgf-6.14.12/debian/patches/02-fix-CVE-2015-6673-upstream-147.patch
--- libpgf-6.14.12/debian/patches/02-fix-CVE-2015-6673-upstream-147.patch	1969-12-31 18:00:00.000000000 -0600
+++ libpgf-6.14.12/debian/patches/02-fix-CVE-2015-6673-upstream-147.patch	2016-04-03 18:45:29.000000000 -0500
@@ -0,0 +1,97 @@
+--- libpgf-6.14.12.orig/include/PGFimage.h
++++ libpgf-6.14.12/include/PGFimage.h
+@@ -538,7 +538,7 @@
+ 	ProgressMode m_progressMode;	///< progress mode used in Read and Write; PM_Relative is default mode
+ 
+ 	void ComputeLevels();
+-	void CompleteHeader();
++	bool CompleteHeader();
+ 	void RgbToYuv(int pitch, UINT8* rgbBuff, BYTE bpp, int channelMap[], CallbackPtr cb, void *data) THROW_;
+ 	void Downsample(int nChannel);
+ 	UINT32 UpdatePostHeaderSize() THROW_;
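Review bot: The new `bool` result of `CompleteHeader()` is the only signal that a header failed validation, but the declaration does not document that contract. I would add a Doxygen line above it in the file's style, for example `/// Complete and validate m_header. @return false if mode, bpp or channels are inconsistent.` Only one call site is updated in this patch (the `if (!CompleteHeader()) ReturnWithError(FormatCannotRead);` line in PGFimage.cpp). Any caller not shown here would silently discard the result, so it is worth searching for remaining bare `CompleteHeader();` calls.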
+--- libpgf-6.14.12.orig/src/PGFimage.cpp
++++ libpgf-6.14.12/src/PGFimage.cpp
+@@ -145,7 +145,7 @@
+ 	m_height[0] = m_header.height;
+ 
+ 	// complete header
+-	CompleteHeader();
++	if (!CompleteHeader()) ReturnWithError(FormatCannotRead);
+ 
+ 	// interpret quant parameter
+ 	if (m_header.quality > DownsampleThreshold && 
+@@ -205,7 +205,7 @@
+ }
+ 
+ ////////////////////////////////////////////////////////////
+-void CPGFImage::CompleteHeader() {
++bool CPGFImage::CompleteHeader() {
+ 	if (m_header.mode == ImageModeUnknown) {
+ 		// undefined mode
+ 		switch(m_header.bpp) {
+@@ -261,20 +261,21 @@
+ 		// change mode
+ 		m_header.mode = ImageModeRGBA;
+ 	}
+-	ASSERT(m_header.mode != ImageModeBitmap || m_header.bpp == 1);
+-	ASSERT(m_header.mode != ImageModeIndexedColor || m_header.bpp == 8);
+-	ASSERT(m_header.mode != ImageModeGrayScale || m_header.bpp == 8);
+-	ASSERT(m_header.mode != ImageModeGray16 || m_header.bpp == 16);
+-	ASSERT(m_header.mode != ImageModeGray32 || m_header.bpp == 32);
+-	ASSERT(m_header.mode != ImageModeRGBColor || m_header.bpp == 24);
+-	ASSERT(m_header.mode != ImageModeRGBA || m_header.bpp == 32);
+-	ASSERT(m_header.mode != ImageModeRGB12 || m_header.bpp == 12);
+-	ASSERT(m_header.mode != ImageModeRGB16 || m_header.bpp == 16);
+-	ASSERT(m_header.mode != ImageModeRGB48 || m_header.bpp == 48);
+-	ASSERT(m_header.mode != ImageModeLabColor || m_header.bpp == 24);
+-	ASSERT(m_header.mode != ImageModeLab48 || m_header.bpp == 48);
+-	ASSERT(m_header.mode != ImageModeCMYKColor || m_header.bpp == 32);
+-	ASSERT(m_header.mode != ImageModeCMYK64 || m_header.bpp == 64);
++
++	if (m_header.mode == ImageModeBitmap && m_header.bpp != 1) return false;
++	if (m_header.mode == ImageModeIndexedColor && m_header.bpp != 8) return false;
++	if (m_header.mode == ImageModeGrayScale && m_header.bpp != 8) return false;
++	if (m_header.mode == ImageModeGray16 && m_header.bpp != 16) return false;
++	if (m_header.mode == ImageModeGray32 && m_header.bpp != 32) return false;
++	if (m_header.mode == ImageModeRGBColor && m_header.bpp != 24) return false;
++	if (m_header.mode == ImageModeRGBA && m_header.bpp != 32) return false;
++	if (m_header.mode == ImageModeRGB12 && m_header.bpp != 12) return false;
++	if (m_header.mode == ImageModeRGB16 && m_header.bpp != 16) return false;
++	if (m_header.mode == ImageModeRGB48 && m_header.bpp != 48) return false;
++	if (m_header.mode == ImageModeLabColor && m_header.bpp != 24) return false;
++	if (m_header.mode == ImageModeLab48 && m_header.bpp != 48) return false;
++	if (m_header.mode == ImageModeCMYKColor && m_header.bpp != 32) return false;
++	if (m_header.mode == ImageModeCMYK64 && m_header.bpp != 64) return false;
+ 
+ 	// set number of channels
+ 	if (!m_header.channels) {
+@@ -300,8 +301,7 @@
+ 			m_header.channels = 4;
+ 			break;
+ 		default:
+-			ASSERT(false);
+-			m_header.channels = 3;
++		        return false;
+ 		}
+ 	}
+ 
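Review bot: The `default: return false;` added here rejects an unrecognised mode only when the header's `channels` field is 0, because the switch sits inside the `if (!m_header.channels)` guard visible at the end of the previous hunk. A header that supplies its own non-zero `channels` skips the switch, and the mode/bpp checks added above cover only the fourteen listed modes. So the lines shown reject neither an unknown `mode` nor a `channels` value that disagrees with the mode. If `channels` is taken from the file, I would validate it on that path as well, for instance by deriving the expected count from the mode and returning false when a non-zero `m_header.channels` differs; whether such a check exists elsewhere cannot be seen from this hunk. The added line is also indented with spaces where the surrounding code uses tabs.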
+@@ -311,6 +311,8 @@
+ 	if (!m_header.usedBitsPerChannel || m_header.usedBitsPerChannel > bpc) {
+ 		m_header.usedBitsPerChannel = bpc;
+ 	}
++
++	return true;
+ }
+ 
+ //////////////////////////////////////////////////////////////////////
+--- libpgf-6.14.12.orig/src/Decoder.cpp
++++ libpgf-6.14.12/src/Decoder.cpp
+@@ -158,7 +158,7 @@
+ 		if (size > 0) {
+ 			// read post-header
+ 			if (header.mode == ImageModeIndexedColor) {
+-				ASSERT((size_t)size >= ColorTableSize);
++				if (size < ColorTableSize) ReturnWithError(FormatCannotRead);
+ 				// read color table
+ 				count = expected = ColorTableSize;
+ 				m_stream->Read(&count, postHeader.clut);
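Review bot: The replacement check drops the `(size_t)` cast that the removed ASSERT had, so `size < ColorTableSize` becomes a mixed-signedness comparison if `size` is signed and `ColorTableSize` is a `sizeof`-based constant (neither declaration is in the hunk). It is correct here only because the enclosing `if (size > 0)` already excludes negative values. Keeping the cast makes that explicit and avoids a sign-compare warning: `if ((size_t)size < ColorTableSize) ReturnWithError(FormatCannotRead);`. The block continues past the end of the hunk, so whether the `count` returned by `m_stream->Read` is compared with `expected` cannot be confirmed from here.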
diff -Nru libpgf-6.14.12/debian/patches/03-fix-CVE-2015-6673-upstream-148.patch libpgf-6.14.12/debian/patches/03-fix-CVE-2015-6673-upstream-148.patch
--- libpgf-6.14.12/debian/patches/03-fix-CVE-2015-6673-upstream-148.patch	1969-12-31 18:00:00.000000000 -0600
+++ libpgf-6.14.12/debian/patches/03-fix-CVE-2015-6673-upstream-148.patch	2016-04-03 21:56:44.000000000 -0500
@@ -0,0 +1,63 @@
+--- libpgf-6.14.12.orig/src/Decoder.cpp
++++ libpgf-6.14.12/src/Decoder.cpp
+@@ -87,29 +87,6 @@
+ 
+ 	int count, expected;
+ 
+-	// set number of threads
+-#ifdef LIBPGF_USE_OPENMP 
+-	m_macroBlockLen = omp_get_num_procs();
+-#else
+-	m_macroBlockLen = 1;
+-#endif
+-	
+-	if (useOMP && m_macroBlockLen > 1) {
+-#ifdef LIBPGF_USE_OPENMP
+-		omp_set_num_threads(m_macroBlockLen);
+-#endif
+-
+-		// create macro block array
+-		m_macroBlocks = new(std::nothrow) CMacroBlock*[m_macroBlockLen];
+-		if (!m_macroBlocks) ReturnWithError(InsufficientMemory);
+-		for (int i=0; i < m_macroBlockLen; i++) m_macroBlocks[i] = new CMacroBlock();
+-		m_currentBlock = m_macroBlocks[m_currentBlockIndex];
+-	} else {
+-		m_macroBlocks = 0;
+-		m_macroBlockLen = 1; // there is only one macro block
+-		m_currentBlock = new CMacroBlock(); 
+-	}
+-
+ 	// store current stream position
+ 	m_startPos = m_stream->GetPos();
+ 
+@@ -209,6 +186,30 @@
+ 
+ 	// store current stream position
+ 	m_encodedHeaderLength = UINT32(m_stream->GetPos() - m_startPos);
++
++	// set number of threads
++#ifdef LIBPGF_USE_OPENMP 
++	m_macroBlockLen = omp_get_num_procs();
++#else
++	m_macroBlockLen = 1;
++#endif
++
++	if (useOMP && m_macroBlockLen > 1) {
++#ifdef LIBPGF_USE_OPENMP
++		omp_set_num_threads(m_macroBlockLen);
++#endif
++
++		// create macro block array
++		m_macroBlocks = new(std::nothrow) CMacroBlock*[m_macroBlockLen];
++		if (!m_macroBlocks) ReturnWithError(InsufficientMemory);
++		for (int i = 0; i < m_macroBlockLen; i++) m_macroBlocks[i] = new CMacroBlock();
++		m_currentBlock = m_macroBlocks[m_currentBlockIndex];
++	} else {
++		m_macroBlocks = 0;
++		m_macroBlockLen = 1; // there is only one macro block
++		m_currentBlock = new(std::nothrow) CMacroBlock();
++		if (!m_currentBlock) ReturnWithError(InsufficientMemory);
++	}
+ }
+ 
+ /////////////////////////////////////////////////////////////////////
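Review bot: Moving the macro-block allocation after header parsing means the earlier error exits now leave `m_macroBlocks` and `m_currentBlock` unassigned. They need to be null-initialised before this point (the initialiser list is outside the hunk), otherwise any cleanup code that deletes them would act on indeterminate pointers. Within the moved block, the loop still uses throwing `new CMacroBlock()` while the array and the single-block branch use `new(std::nothrow)` with an `InsufficientMemory` return. A failure inside the loop therefore surfaces as `std::bad_alloc` and leaves the pointer array partly filled. I would make the loop consistent with `m_macroBlocks[i] = new(std::nothrow) CMacroBlock();` followed by `if (!m_macroBlocks[i]) ReturnWithError(InsufficientMemory);`, and zero-fill the array first so that partial cleanup is safe.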
diff -Nru libpgf-6.14.12/debian/patches/series libpgf-6.14.12/debian/patches/series
--- libpgf-6.14.12/debian/patches/series	2014-09-28 09:48:34.000000000 -0500
+++ libpgf-6.14.12/debian/patches/series	2016-04-03 21:56:05.000000000 -0500
@@ -1,2 +1,4 @@
 00-fix_encoding.patch
 01-fix_build.patch
+02-fix-CVE-2015-6673-upstream-147.patch
+03-fix-CVE-2015-6673-upstream-148.patch

Attachment: signature.asc
Description: PGP signature
