commit: 9e48855fcf4528e77c4c86b9bd1b12fa3176b23a Author: Alexandre Rostovtsev <tetromino <AT> gentoo <DOT> org> AuthorDate: Fri Aug 21 04:49:52 2015 +0000 Commit: Alexandre Rostovtsev <tetromino <AT> gentoo <DOT> org> CommitDate: Tue Sep 1 04:25:03 2015 +0000 URL: https://gitweb.gentoo.org/proj/gnome.git/commit/?id=9e48855f
x11-libs/gdk-pixbuf: 2.31.5 → 2.31.6 and more fixes for CVE-2015-4491 Really fix the overflow. Gentoo-Bug: 556314 Upstream-Bug-url: https://bugzilla.gnome.org/show_bug.cgi?id=752297 Package-Manager: portage-2.2.20.1 Manifest-Sign-Key: 0x18E5B6F2D8D5EC8D .../files/gdk-pixbuf-2.31.6-alpha-overflow.patch | 70 +++++++++ .../files/gdk-pixbuf-2.31.6-jpeg-overflow.patch | 35 +++++ .../gdk-pixbuf-2.31.6-pixops-gcc-optimizer.patch | 46 ++++++ .../files/gdk-pixbuf-2.31.6-pixops-overflow.patch | 173 +++++++++++++++++++++ .../gdk-pixbuf-2.31.6-pixops-variable-type.patch | 37 +++++ .../files/gdk-pixbuf-2.31.6-png-overflow.patch | 72 +++++++++ .../files/gdk-pixbuf-2.31.6-rotate-overflow.patch | 27 ++++ ...xbuf-2.31.5.ebuild => gdk-pixbuf-2.31.6.ebuild} | 15 +- 8 files changed, 474 insertions(+), 1 deletion(-) diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-alpha-overflow.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-alpha-overflow.patch new file mode 100644 index 0000000..bd4abfa --- /dev/null +++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-alpha-overflow.patch @@ -0,0 +1,70 @@ +From ca3c56421c075e729750cf80c3438b283232cce8 Mon Sep 17 00:00:00 2001 +From: Matthias Clasen <mcla...@redhat.com> +Date: Mon, 24 Aug 2015 15:20:08 -0400 +Subject: [PATCH] Avoid integer overflow in gdk_pixbuf_add_alpha + +Same as before: don't do ptr = base + y * rowstride if y and +rowstride are integers. + +This should fix http://bugzilla.gnome/org/753569 +--- + gdk-pixbuf/gdk-pixbuf-util.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +diff --git a/gdk-pixbuf/gdk-pixbuf-util.c b/gdk-pixbuf/gdk-pixbuf-util.c +index 6abe9b9..3600450 100644 +--- a/gdk-pixbuf/gdk-pixbuf-util.c ++++ b/gdk-pixbuf/gdk-pixbuf-util.c +@@ -67,6 +67,8 @@ gdk_pixbuf_add_alpha (const GdkPixbuf *pixbuf, + int x, y; + const guint8 *src_pixels; + guint8 *ret_pixels; ++ const guchar *src; ++ guchar *dest; + + g_return_val_if_fail (GDK_IS_PIXBUF (pixbuf), NULL); + g_return_val_if_fail (pixbuf->colorspace == GDK_COLORSPACE_RGB, NULL); +@@ -85,20 +87,18 @@ gdk_pixbuf_add_alpha (const GdkPixbuf *pixbuf, + } else { + new_pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB, TRUE, 8, pixbuf->width, pixbuf->height); + } +- ++ + if (!new_pixbuf) + return NULL; + + ret_pixels = gdk_pixbuf_get_pixels (new_pixbuf); + +- for (y = 0; y < pixbuf->height; y++) { +- const guchar *src; +- guchar *dest; ++ for (y = 0; y < pixbuf->height; y++, src_pixels += pixbuf->rowstride, ret_pixels += new_pixbuf->rowstride) { + guchar tr, tg, tb; + +- src = src_pixels + y * pixbuf->rowstride; +- dest = ret_pixels + y * new_pixbuf->rowstride; +- ++ src = src_pixels; ++ dest = ret_pixels; ++ + if (pixbuf->has_alpha) { + /* Just subst color, we already copied everything else */ + for (x = 0; x < pixbuf->width; x++) { +@@ -107,12 +107,12 @@ gdk_pixbuf_add_alpha (const GdkPixbuf *pixbuf, + src += 4; + dest += 4; + } +- } else { ++ } else { + for (x = 0; x < pixbuf->width; x++) { + tr = *dest++ = *src++; + tg = *dest++ = *src++; + tb = *dest++ = *src++; +- ++ + if (substitute_color && tr == r && tg == g && tb == b) + *dest++ = 0; + else +-- +2.5.1 + diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-jpeg-overflow.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-jpeg-overflow.patch new file mode 100644 index 0000000..ebec196 --- /dev/null +++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-jpeg-overflow.patch @@ -0,0 +1,35 @@ +From fde8d1d12a32740770253e97ddc9602654e16865 Mon Sep 17 00:00:00 2001 +From: Matthias Clasen <mcla...@redhat.com> +Date: Mon, 24 Aug 2015 15:48:51 -0400 +Subject: [PATCH] jpeg: Fix some integer overflows + +Similar to the previous commit. +--- + gdk-pixbuf/io-jpeg.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c +index fa6bec1..eb48aed 100644 +--- a/gdk-pixbuf/io-jpeg.c ++++ b/gdk-pixbuf/io-jpeg.c +@@ -886,7 +886,7 @@ gdk_pixbuf__jpeg_image_load_lines (JpegProgContext *context, + return FALSE; + } + +- context->dptr += nlines * context->pixbuf->rowstride; ++ context->dptr += (gsize)nlines * context->pixbuf->rowstride; + + /* send updated signal */ + if (context->updated_func) +@@ -1494,7 +1494,7 @@ real_save_jpeg (GdkPixbuf *pixbuf, + while (cinfo.next_scanline < cinfo.image_height) { + /* convert scanline from ARGB to RGB packed */ + for (j = 0; j < w; j++) +- memcpy (&(buf[j*3]), &(ptr[i*rowstride + j*n_channels]), 3); ++ memcpy (&(buf[j*3]), &(ptr[(gsize)i*rowstride + j*n_channels]), 3); + + /* write scanline */ + jbuf = (JSAMPROW *)(&buf); +-- +2.5.1 + diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-gcc-optimizer.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-gcc-optimizer.patch new file mode 100644 index 0000000..bd957b7 --- /dev/null +++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-gcc-optimizer.patch @@ -0,0 +1,46 @@ +From dd4b061c27dc0865c8f8987d294de6e04b321c18 Mon Sep 17 00:00:00 2001 +From: Benjamin Otte <o...@redhat.com> +Date: Sat, 22 Aug 2015 23:06:23 +0200 +Subject: [PATCH] pixops: Be smarter than gcc's optimizer + +gcc realizes that the overflow checks aren't necessary. Why not? + +Well, if an int overflows, the behavior is undefined. And turning on +-fomit-instructions is valid behavior in an undefined situation. +--- + gdk-pixbuf/pixops/pixops.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c +index b7951c7..5564a40 100644 +--- a/gdk-pixbuf/pixops/pixops.c ++++ b/gdk-pixbuf/pixops/pixops.c +@@ -1272,18 +1272,17 @@ make_filter_table (PixopsFilter *filter) + int i_offset, j_offset; + int n_x = filter->x.n; + int n_y = filter->y.n; +- int n_weights; + int *weights; + +- n_weights = SUBSAMPLE * SUBSAMPLE * n_x; +- if (n_weights / (SUBSAMPLE * SUBSAMPLE) != n_x) +- return NULL; /* overflow, bail */ ++ /* check n_x doesn't overflow */ ++ if (G_MAXINT / (SUBSAMPLE * SUBSAMPLE) < n_x) ++ return NULL; + +- n_weights *= n_y; +- if (n_weights / (SUBSAMPLE * SUBSAMPLE * n_x) != n_y) +- return NULL; /* overflow, bail */ ++ /* check n_y doesn't overflow */ ++ if (G_MAXINT / (SUBSAMPLE * SUBSAMPLE * n_x) < n_y) ++ return NULL; + +- weights = g_try_new (int, n_weights); ++ weights = g_try_new (int, SUBSAMPLE * SUBSAMPLE * n_x * n_y); + if (!weights) + return NULL; /* overflow, bail */ + +-- +2.5.1 + diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-overflow.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-overflow.patch new file mode 100644 index 0000000..00789ba --- /dev/null +++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-overflow.patch @@ -0,0 +1,173 @@ +From 7012b9a0b6263310fc7d57f0b06583c8404599af Mon Sep 17 00:00:00 2001 +From: Matthias Clasen <mcla...@redhat.com> +Date: Mon, 24 Aug 2015 14:44:50 -0400 +Subject: [PATCH] Fix some more integer overflows + +The scaling code had a similar problem to the one fixed in the +previous commit: Expressions like ptr = base + y * rowstride are +prone to overflow if y and rowstride are (possibly large) integers. +--- + gdk-pixbuf/pixops/pixops.c | 48 +++++++++++++++++++++++----------------------- + 1 file changed, 24 insertions(+), 24 deletions(-) + +diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c +index 5564a40..e41b286 100644 +--- a/gdk-pixbuf/pixops/pixops.c ++++ b/gdk-pixbuf/pixops/pixops.c +@@ -304,8 +304,8 @@ pixops_scale_nearest (guchar *dest_buf, + guchar *dest; + y_pos = ((i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT; + y_pos = CLAMP (y_pos, 0, src_height - 1); +- src = src_buf + y_pos * src_rowstride; +- dest = dest_buf + i * dest_rowstride; ++ src = src_buf + (gsize)y_pos * src_rowstride; ++ dest = dest_buf + (gsize)i * dest_rowstride; + + x = render_x0 * x_step + x_step / 2; + +@@ -368,8 +368,8 @@ pixops_composite_nearest (guchar *dest_buf, + guchar *dest; + y_pos = ((i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT; + y_pos = CLAMP (y_pos, 0, src_height - 1); +- src = src_buf + y_pos * src_rowstride; +- dest = dest_buf + i * dest_rowstride; ++ src = src_buf + (gsize)y_pos * src_rowstride; ++ dest = dest_buf + (gsize)i * dest_rowstride; + + x = render_x0 * x_step + x_step / 2; + +@@ -442,8 +442,8 @@ pixops_composite_nearest_noscale (guchar *dest_buf, + + for (i = 0; i < (render_y1 - render_y0); i++) + { +- const guchar *src = src_buf + (i + render_y0) * src_rowstride; +- guchar *dest = dest_buf + i * dest_rowstride; ++ const guchar *src = src_buf + (gsize)(i + render_y0) * src_rowstride; ++ guchar *dest = dest_buf + (gsize)i * dest_rowstride; + + x = render_x0 * src_channels; + +@@ -540,8 +540,8 @@ pixops_composite_color_nearest (guchar *dest_buf, + guchar *dest; + y_pos = ((i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT; + y_pos = CLAMP (y_pos, 0, src_height - 1); +- src = src_buf + y_pos * src_rowstride; +- dest = dest_buf + i * dest_rowstride; ++ src = src_buf + (gsize)y_pos * src_rowstride; ++ dest = dest_buf + (gsize)i * dest_rowstride; + + x = render_x0 * x_step + x_step / 2; + +@@ -1398,7 +1398,7 @@ pixops_process (guchar *dest_buf, + guchar *new_outbuf; + guint32 tcolor1, tcolor2; + +- guchar *outbuf = dest_buf + dest_rowstride * i; ++ guchar *outbuf = dest_buf + (gsize)dest_rowstride * i; + guchar *outbuf_end = outbuf + dest_channels * (render_x1 - render_x0); + + if (((i + check_y) >> check_shift) & 1) +@@ -1417,9 +1417,9 @@ pixops_process (guchar *dest_buf, + if (y_start < 0) + line_bufs[j] = (guchar *)src_buf; + else if (y_start < src_height) +- line_bufs[j] = (guchar *)src_buf + src_rowstride * y_start; ++ line_bufs[j] = (guchar *)src_buf + (gsize)src_rowstride * y_start; + else +- line_bufs[j] = (guchar *)src_buf + src_rowstride * (src_height - 1); ++ line_bufs[j] = (guchar *)src_buf + (gsize)src_rowstride * (src_height - 1); + + y_start++; + } +@@ -1443,7 +1443,7 @@ pixops_process (guchar *dest_buf, + } + + new_outbuf = (*line_func) (run_weights, filter->x.n, filter->y.n, +- outbuf, dest_x, dest_buf + dest_rowstride * ++ outbuf, dest_x, dest_buf + (gsize)dest_rowstride * + i + run_end_index * dest_channels, + dest_channels, dest_has_alpha, + line_bufs, src_channels, src_has_alpha, +@@ -1966,7 +1966,7 @@ _pixops_composite (guchar *dest_buf, + return; + #endif + +- new_dest_buf = dest_buf + dest_y * dest_rowstride + dest_x * dest_channels; ++ new_dest_buf = dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x * dest_channels; + render_x0 = dest_x - offset_x; + render_y0 = dest_y - offset_y; + render_x1 = dest_x + dest_region_width - offset_x; +@@ -2126,7 +2126,7 @@ pixops_medialib_composite (guchar *dest_buf, + if (!use_medialib) + { + /* Use non-mediaLib version */ +- _pixops_composite_real (dest_buf + dest_y * dest_rowstride + dest_x * ++ _pixops_composite_real (dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x * + dest_channels, dest_x - offset_x, dest_y - + offset_y, dest_x + dest_region_width - offset_x, + dest_y + dest_region_height - offset_y, +@@ -2168,8 +2168,8 @@ pixops_medialib_composite (guchar *dest_buf, + } + else + { +- mlib_u8 *data = dest_buf + (dest_y * dest_rowstride) + +- (dest_x * dest_channels); ++ mlib_u8 *data = dest_buf + (gsize)dest_y * dest_rowstride + ++ (gsize)dest_x * dest_channels; + + mlib_ImageSetStruct (&img_dest, MLIB_BYTE, dest_channels, + dest_region_width, dest_region_height, +@@ -2236,8 +2236,8 @@ pixops_medialib_composite (guchar *dest_buf, + else + { + /* Should not happen - Use non-mediaLib version */ +- _pixops_composite_real (dest_buf + dest_y * dest_rowstride + +- dest_x * dest_channels, ++ _pixops_composite_real (dest_buf + (gsize)dest_y * dest_rowstride + ++ (gsize)dest_x * dest_channels, + dest_x - offset_x, dest_y - offset_y, + dest_x + dest_region_width - offset_x, + dest_y + dest_region_height - offset_y, +@@ -2360,7 +2360,7 @@ _pixops_scale (guchar *dest_buf, + return; + #endif + +- new_dest_buf = dest_buf + dest_y * dest_rowstride + dest_x * dest_channels; ++ new_dest_buf = dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x * dest_channels; + render_x0 = dest_x - offset_x; + render_y0 = dest_y - offset_y; + render_x1 = dest_x + dest_region_width - offset_x; +@@ -2414,8 +2414,8 @@ pixops_medialib_scale (guchar *dest_buf, + */ + if (!use_medialib) + { +- _pixops_scale_real (dest_buf + dest_y * dest_rowstride + dest_x * +- dest_channels, dest_x - offset_x, dest_y - offset_y, ++ _pixops_scale_real (dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x * ++ dest_channels, dest_x - offset_x, dest_y - offset_y, + dest_x + dest_region_width - offset_x, + dest_y + dest_region_height - offset_y, + dest_rowstride, dest_channels, dest_has_alpha, +@@ -2443,8 +2443,8 @@ pixops_medialib_scale (guchar *dest_buf, + } + else + { +- mlib_u8 *data = dest_buf + (dest_y * dest_rowstride) + +- (dest_x * dest_channels); ++ mlib_u8 *data = dest_buf + (gsize)dest_y * dest_rowstride + ++ (gsize)dest_x * dest_channels; + + mlib_ImageSetStruct (&img_dest, MLIB_BYTE, dest_channels, + dest_region_width, dest_region_height, +@@ -2479,7 +2479,7 @@ pixops_medialib_scale (guchar *dest_buf, + int channels = 3; + int rowstride = (channels * src_width + 3) & ~3; + +- tmp_buf = g_malloc (src_rowstride * src_height); ++ tmp_buf = g_malloc_n (src_rowstride, src_height); + + if (src_buf != NULL) + { +-- +2.5.1 + diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-variable-type.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-variable-type.patch new file mode 100644 index 0000000..a83535f --- /dev/null +++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-pixops-variable-type.patch @@ -0,0 +1,37 @@ +From 3df91dc6c6f8d1421e9c8756959280de792af77a Mon Sep 17 00:00:00 2001 +From: Benjamin Otte <o...@redhat.com> +Date: Sat, 22 Aug 2015 17:57:23 +0200 +Subject: [PATCH] pixops: Chane variable type + +n_weights is used to do overflow checks. So by reducing the size to 32 +bits signed we overflow earlier. This is necessary because further down +the code lots of code uses int variables to iterate over this variable +and we don't want those to overflow. + +The correct fix would be to make all those variables gsize too, but +that's way more invasive and requires different checks in different +places so I'm not gonna do that now. +And as long as scale factors are not expected to reach G_MAXINT it's not +really necessary to do this change anyway. + +https://bugzilla.gnome.org/show_bug.cgi?id=753908 +--- + gdk-pixbuf/pixops/pixops.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c +index 7f2cbff..b7951c7 100644 +--- a/gdk-pixbuf/pixops/pixops.c ++++ b/gdk-pixbuf/pixops/pixops.c +@@ -1272,7 +1272,7 @@ make_filter_table (PixopsFilter *filter) + int i_offset, j_offset; + int n_x = filter->x.n; + int n_y = filter->y.n; +- gsize n_weights; ++ int n_weights; + int *weights; + + n_weights = SUBSAMPLE * SUBSAMPLE * n_x; +-- +2.5.1 + diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-png-overflow.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-png-overflow.patch new file mode 100644 index 0000000..83c67b5 --- /dev/null +++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-png-overflow.patch @@ -0,0 +1,72 @@ +From 8714ab407c54d5989d15a78eb15550c2d52d95b8 Mon Sep 17 00:00:00 2001 +From: Matthias Clasen <mcla...@redhat.com> +Date: Mon, 24 Aug 2015 14:13:37 -0400 +Subject: [PATCH] png: Fix some integer overflows + +The png loader was not careful enough in some places. Width * height +can overflow an integer. + +This should fix http://bugzilla.gnome.org/734556. +--- + gdk-pixbuf/io-png.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/gdk-pixbuf/io-png.c b/gdk-pixbuf/io-png.c +index 3336b1e..5690875 100644 +--- a/gdk-pixbuf/io-png.c ++++ b/gdk-pixbuf/io-png.c +@@ -267,6 +267,7 @@ gdk_pixbuf__png_image_load (FILE *f, GError **error) + gchar *density_str; + guint32 retval; + gint compression_type; ++ gpointer ptr; + + #ifdef PNG_USER_MEM_SUPPORTED + png_ptr = png_create_read_struct_2 (PNG_LIBPNG_VER_STRING, +@@ -326,8 +327,8 @@ gdk_pixbuf__png_image_load (FILE *f, GError **error) + + rows = g_new (png_bytep, h); + +- for (i = 0; i < h; i++) +- rows[i] = pixbuf->pixels + i * pixbuf->rowstride; ++ for (i = 0, ptr = pixbuf->pixels; i < h; i++, ptr += pixbuf->rowstride) ++ rows[i] = ptr; + + png_read_image (png_ptr, rows); + png_read_end (png_ptr, info_ptr); +@@ -745,6 +746,7 @@ png_row_callback (png_structp png_read_ptr, + { + LoadContext* lc; + guchar* old_row = NULL; ++ gsize rowstride; + + lc = png_get_progressive_ptr(png_read_ptr); + +@@ -770,8 +772,9 @@ png_row_callback (png_structp png_read_ptr, + lc->max_row_seen_in_chunk = MAX(lc->max_row_seen_in_chunk, ((gint)row_num)); + lc->last_row_seen_in_chunk = row_num; + lc->last_pass_seen_in_chunk = pass_num; +- +- old_row = lc->pixbuf->pixels + (row_num * lc->pixbuf->rowstride); ++ ++ rowstride = lc->pixbuf->rowstride; ++ old_row = lc->pixbuf->pixels + (row_num * rowstride); + + png_progressive_combine_row(lc->png_read_ptr, old_row, new_row); + } +@@ -1123,11 +1126,9 @@ static gboolean real_save_png (GdkPixbuf *pixbuf, + png_set_shift (png_ptr, &sig_bit); + png_set_packing (png_ptr); + +- ptr = pixels; +- for (y = 0; y < h; y++) { ++ for (y = 0, ptr = pixels; y < h; y++, ptr += rowstride) { + row_ptr = (png_bytep)ptr; + png_write_rows (png_ptr, &row_ptr, 1); +- ptr += rowstride; + } + + png_write_end (png_ptr, info_ptr); +-- +2.5.1 + diff --git a/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-rotate-overflow.patch b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-rotate-overflow.patch new file mode 100644 index 0000000..fa6b90c --- /dev/null +++ b/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-rotate-overflow.patch @@ -0,0 +1,27 @@ +From 4f68cb78a5277f169b9531e6998c00c7976594e4 Mon Sep 17 00:00:00 2001 +From: Matthias Clasen <mcla...@redhat.com> +Date: Mon, 24 Aug 2015 15:29:36 -0400 +Subject: [PATCH] Avoid integer overflow in gdk_pixbuf_rotate_simple + +Same as before: don't do ptr = base + y * rowstride if y and +rowstride are integers. +--- + gdk-pixbuf/gdk-pixbuf-scale.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/gdk-pixbuf/gdk-pixbuf-scale.c b/gdk-pixbuf/gdk-pixbuf-scale.c +index 4288c65..475126a 100644 +--- a/gdk-pixbuf/gdk-pixbuf-scale.c ++++ b/gdk-pixbuf/gdk-pixbuf-scale.c +@@ -396,7 +396,7 @@ gdk_pixbuf_composite_color_simple (const GdkPixbuf *src, + return dest; + } + +-#define OFFSET(pb, x, y) ((x) * (pb)->n_channels + (y) * (pb)->rowstride) ++#define OFFSET(pb, x, y) ((x) * (pb)->n_channels + (gsize)(y) * (pb)->rowstride) + + /** + * gdk_pixbuf_rotate_simple: +-- +2.5.1 + diff --git a/x11-libs/gdk-pixbuf/gdk-pixbuf-2.31.5.ebuild b/x11-libs/gdk-pixbuf/gdk-pixbuf-2.31.6.ebuild similarity index 86% rename from x11-libs/gdk-pixbuf/gdk-pixbuf-2.31.5.ebuild rename to x11-libs/gdk-pixbuf/gdk-pixbuf-2.31.6.ebuild index e59d782..1ae90b6 100644 --- a/x11-libs/gdk-pixbuf/gdk-pixbuf-2.31.5.ebuild +++ b/x11-libs/gdk-pixbuf/gdk-pixbuf-2.31.6.ebuild @@ -1,6 +1,6 @@ # Copyright 1999-2015 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: $ +# $Id$ EAPI="5" GCONF_DEBUG="no" @@ -47,6 +47,19 @@ MULTILIB_CHOST_TOOLS=( ) src_prepare() { + # Upstream patches from 2.31.x + epatch "${FILESDIR}"/${PN}-2.31.6-pixops-variable-type.patch \ + "${FILESDIR}"/${PN}-2.31.6-pixops-gcc-optimizer.patch \ + "${FILESDIR}"/${PN}-2.31.6-png-overflow.patch \ + "${FILESDIR}"/${PN}-2.31.6-jpeg-overflow.patch \ + "${FILESDIR}"/${PN}-2.31.6-pixops-overflow.patch \ + "${FILESDIR}"/${PN}-2.31.6-alpha-overflow.patch \ + "${FILESDIR}"/${PN}-2.31.6-rotate-overflow.patch #556314 + + # ERROR: cve-2015-4491 - missing test plan + # FIXME - check if this works in 2.31.7 + sed -e 's/cve-2015-4491$(EXEEXT)//' -i tests/Makefile.in || die + # This will avoid polluting the pkg-config file with versioned libpng, # which is causing problems with libpng14 -> libpng15 upgrade # See upstream bug #667068
