On Wed Dec 11, 2019 at 07:36:47PM -0500, trondd wrote:
> Stuart Henderson <s...@spacehopper.org> wrote:
> 
> > On 2019/12/10 21:58, trondd wrote:
> > > A handful of CVEs were assigned for bugs in libsixel.  Heap buffer
> > > overflows and integer overflows.
> > > 
> > > CVE-2019-19638
> > > CVE-2019-19635
> > > CVE-2019-19636
> > > CVE-2019-19637
> > > 
> > > A pull request pointing out the issues and patching them was submitted
> > > about 10 days ago.  The CVEs were assigned 3 days ago.
> > > 
> > > https://github.com/saitoha/libsixel/pull/106
> > > 
> > > There hasn't been a response yet so instead of waiting for a new release
> > > I'm being proactive to get the patches applied to the port of the current
> > > version.
> > 
> > Please would you add a quick comment to the patches? A reference to
> > the PR and short description would be fine.
> > 
> > > Tim.
> > > 
> 
> Added the info to the patches.

Reads fine, thanks! ++cc maintainer.

> 
> Tim.
> 
> 
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/graphics/libsixel/Makefile,v
> retrieving revision 1.5
> diff -u -p -r1.5 Makefile
> --- Makefile  12 Jul 2019 20:47:02 -0000      1.5
> +++ Makefile  12 Dec 2019 00:27:49 -0000
> @@ -9,6 +9,8 @@ SHARED_LIBS +=        sixel   1.0     # 1.6
>  
>  CATEGORIES = graphics
>  
> +REVISION =   0
> +
>  HOMEPAGE =   https://github.com/saitoha/libsixel
>  
>  MAINTAINER = Frederic Cambus <fcam...@openbsd.org>
> Index: patches/patch-include_sixel_h_in
> ===================================================================
> RCS file: patches/patch-include_sixel_h_in
> diff -N patches/patch-include_sixel_h_in
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-include_sixel_h_in  12 Dec 2019 00:27:49 -0000
> @@ -0,0 +1,21 @@
> +$OpenBSD$
> +
> +Addresses buffer overlow and integer overflow CVEs 
> +Patches from https://github.com/saitoha/libsixel/pull/106
> +
> +CVE-2019-19638
> +CVE-2019-19635
> +CVE-2019-19636 
> +CVE-2019-19637
> +
> +Index: include/sixel.h.in
> +--- include/sixel.h.in.orig
> ++++ include/sixel.h.in
> +@@ -60,6 +60,7 @@ typedef int SIXELSTATUS;
> + #define SIXEL_BAD_ALLOCATION    (SIXEL_RUNTIME_ERROR | 0x0001)  /* malloc() 
> failed */
> + #define SIXEL_BAD_ARGUMENT      (SIXEL_RUNTIME_ERROR | 0x0002)  /* bad 
> argument detected */
> + #define SIXEL_BAD_INPUT         (SIXEL_RUNTIME_ERROR | 0x0003)  /* bad 
> input detected */
> ++#define SIXEL_BAD_INTEGER_OVERFLOW (SIXEL_RUNTIME_ERROR | 0x0004)  /* 
> integer overflow */
> + 
> + #define SIXEL_NOT_IMPLEMENTED   (SIXEL_FEATURE_ERROR | 0x0001)  /* feature 
> not implemented */
> + 
> Index: patches/patch-src_frompnm_c
> ===================================================================
> RCS file: patches/patch-src_frompnm_c
> diff -N patches/patch-src_frompnm_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_frompnm_c       12 Dec 2019 00:27:49 -0000
> @@ -0,0 +1,31 @@
> +$OpenBSD$
> +
> +Addresses buffer overlow and integer overflow CVEs
> +Patches from https://github.com/saitoha/libsixel/pull/106  
> +
> +CVE-2019-19638
> +CVE-2019-19635
> +CVE-2019-19636
> +CVE-2019-19637
> +
> +Index: src/frompnm.c
> +--- src/frompnm.c.orig
> ++++ src/frompnm.c
> +@@ -166,7 +166,7 @@ load_pnm(unsigned char      /* in */  *p,
> +     height = 0;
> +     for (; *s >= '0' && *s <= '9'; ++s) {
> +         height = height * 10 + (*s - '0');
> +-        if (width > PNM_MAX_WIDTH) {
> ++        if (height > PNM_MAX_HEIGHT) {
> +             status = SIXEL_RUNTIME_ERROR;
> +             sprintf(
> +               message,
> +@@ -193,7 +193,7 @@ load_pnm(unsigned char      /* in */  *p,
> +         for (; *s >= '0' && *s <= '9'; ++s) {
> +             deps = deps * 10 + (*s - '0');
> +         }
> +-        if (width > PNM_MAX_WIDTH) {
> ++        if (deps > PNM_MAX_DEPTH) {
> +             status = SIXEL_RUNTIME_ERROR;
> +             sprintf(
> +               message,
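Review bot: The `deps` bound in the `@@ -193` hunk is only tested after the digit loop has finished, so a long run of digits lets `deps = deps * 10 + (*s - '0');` overflow (signed overflow, if `deps` is an `int` as the comparison against `PNM_MAX_DEPTH` suggests) before `if (deps > PNM_MAX_DEPTH)` is ever reached, and a wrapped value can pass the check; the `height` loop in the `@@ -166` hunk tests after every digit, and the depth parser should do the same by moving the `if (deps > PNM_MAX_DEPTH) { ... }` block inside the `for`. The corrected comparisons themselves are right, but the per-digit check only bounds the intermediate value if `PNM_MAX_HEIGHT` and `PNM_MAX_DEPTH` are well below `INT_MAX / 10`, which the hunks do not show. `load_pnm` begins and ends outside the hunks and the `sprintf(message, ...)` calls are cut off, so the size of `message` cannot be checked here.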
> Index: patches/patch-src_fromsixel_c
> ===================================================================
> RCS file: patches/patch-src_fromsixel_c
> diff -N patches/patch-src_fromsixel_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_fromsixel_c     12 Dec 2019 00:27:49 -0000
> @@ -0,0 +1,87 @@
> +$OpenBSD$
> +
> +Addresses buffer overlow and integer overflow CVEs 
> +Patches from https://github.com/saitoha/libsixel/pull/106
> +
> +CVE-2019-19638
> +CVE-2019-19635
> +CVE-2019-19636 
> +CVE-2019-19637
> +
> +Index: src/fromsixel.c
> +--- src/fromsixel.c.orig
> ++++ src/fromsixel.c
> +@@ -52,6 +52,7 @@
> + #include <stdio.h>
> + #include <ctype.h>   /* isdigit */
> + #include <string.h>  /* memcpy */
> ++#include <limits.h>
> + 
> + #if defined(HAVE_INTTYPES_H)
> + # include <inttypes.h>
> +@@ -367,7 +368,17 @@ parser_context_init(parser_context_t *context)
> +     return status;
> + }
> + 
> ++SIXELSTATUS safe_addition_for_params(parser_context_t *context, unsigned 
> char *p){
> ++    int x;
> + 
> ++    x = *p - '0'; /* 0 <= x <= 9 */
> ++    if ((context->param > INT_MAX / 10) || (x > INT_MAX - context->param * 
> 10)) {
> ++        return SIXEL_BAD_INTEGER_OVERFLOW;
> ++    }
> ++    context->param = context->param * 10 + x;
> ++    return SIXEL_OK;
> ++}
> ++
> + /* convert sixel data into indexed pixel bytes and palette data */
> + SIXELAPI SIXELSTATUS
> + sixel_decode_raw_impl(
> +@@ -446,7 +457,10 @@ sixel_decode_raw_impl(
> +                 if (context->param < 0) {
> +                     context->param = 0;
> +                 }
> +-                context->param = context->param * 10 + *p - '0';
> ++                status = safe_addition_for_params(context, p);
> ++                if (SIXEL_FAILED(status)) {
> ++                    goto end;
> ++                }
> +                 p++;
> +                 break;
> +             case ';':
> +@@ -647,7 +661,10 @@ sixel_decode_raw_impl(
> +             case '7':
> +             case '8':
> +             case '9':
> +-                context->param = context->param * 10 + *p - '0';
> ++                status = safe_addition_for_params(context, p);
> ++                if (SIXEL_FAILED(status)) {
> ++                    goto end;
> ++                }
> +                 p++;
> +                 break;
> +             case ';':
> +@@ -721,7 +738,10 @@ sixel_decode_raw_impl(
> +             case '7':
> +             case '8':
> +             case '9':
> +-                context->param = context->param * 10 + *p - '0';
> ++                status = safe_addition_for_params(context, p);
> ++                if (SIXEL_FAILED(status)) {
> ++                    goto end;
> ++                }
> +                 p++;
> +                 break;
> +             default:
> +@@ -753,7 +773,10 @@ sixel_decode_raw_impl(
> +             case '7':
> +             case '8':
> +             case '9':
> +-                context->param = context->param * 10 + *p - '0';
> ++                status = safe_addition_for_params(context, p);
> ++                if (SIXEL_FAILED(status)) {
> ++                    goto end;
> ++                }
> +                 p++;
> +                 break;
> +             case ';':
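Review bot: `safe_addition_for_params` at the top of the `@@ -367` hunk is defined at file scope without `static` and without a prototype, so it becomes an external symbol unless the build hides non-`SIXELAPI` functions; declare it `static SIXELSTATUS safe_addition_for_params(parser_context_t *context, const unsigned char *p)`. The guard only covers non-negative values: for any negative `context->param` the first test is false and `INT_MAX - context->param * 10` itself overflows, so the `@@ -446` call site, which clamps `param` to 0 first, is safe, but the `@@ -647`, `@@ -721` and `@@ -753` sites show no such clamp in the hunk; if `param` can be negative there (the clamp suggests it can), add `context->param < 0 ||` to the condition or state the invariant in a comment on the helper. The `goto end` paths depend on an `end:` label and the `status` variable of `sixel_decode_raw_impl`, both outside the hunks. Whether a new non-static function requires a `SHARED_LIBS` minor bump rather than the `REVISION` bump in the Makefile hunk depends on symbol visibility, which is not visible here.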
> Index: patches/patch-src_status_c
> ===================================================================
> RCS file: patches/patch-src_status_c
> diff -N patches/patch-src_status_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_status_c        12 Dec 2019 00:27:49 -0000
> @@ -0,0 +1,31 @@
> +$OpenBSD$
> +
> +Addresses buffer overlow and integer overflow CVEs 
> +Patches from https://github.com/saitoha/libsixel/pull/106
> +
> +CVE-2019-19638
> +CVE-2019-19635
> +CVE-2019-19636 
> +CVE-2019-19637
> +
> +Index: src/status.c
> +--- src/status.c.orig
> ++++ src/status.c
> +@@ -46,6 +46,7 @@
> + #define SIXEL_MESSAGE_BAD_ALLOCATION    ("runtime error: bad allocation 
> error")
> + #define SIXEL_MESSAGE_BAD_ARGUMENT      ("runtime error: bad argument 
> detected")
> + #define SIXEL_MESSAGE_BAD_INPUT         ("runtime error: bad input 
> detected")
> ++#define SIXEL_MESSAGE_BAD_INTEGER_OVERFLOW  ("runtime error: integer 
> overflow")
> + #define SIXEL_MESSAGE_RUNTIME_ERROR     ("runtime error")
> + #define SIXEL_MESSAGE_LOGIC_ERROR       ("logic error")
> + #define SIXEL_MESSAGE_NOT_IMPLEMENTED   ("feature error: not implemented")
> +@@ -117,6 +118,9 @@ sixel_helper_format_error(
> +                 break;
> +             case SIXEL_BAD_INPUT:
> +                 error_string = SIXEL_MESSAGE_BAD_INPUT;
> ++                break;
> ++            case SIXEL_BAD_INTEGER_OVERFLOW:
> ++                error_string = SIXEL_MESSAGE_BAD_INTEGER_OVERFLOW;
> +                 break;
> +             default:
> +                 error_string = SIXEL_MESSAGE_RUNTIME_ERROR;
> Index: patches/patch-src_tosixel_c
> ===================================================================
> RCS file: patches/patch-src_tosixel_c
> diff -N patches/patch-src_tosixel_c
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-src_tosixel_c       12 Dec 2019 00:27:49 -0000
> @@ -0,0 +1,61 @@
> +$OpenBSD$
> +
> +Addresses buffer overlow and integer overflow CVEs 
> +Patches from https://github.com/saitoha/libsixel/pull/106
> +
> +CVE-2019-19638
> +CVE-2019-19635
> +CVE-2019-19636 
> +CVE-2019-19637
> +
> +Index: src/tosixel.c
> +--- src/tosixel.c.orig
> ++++ src/tosixel.c
> +@@ -21,6 +21,7 @@
> + #include <stdio.h>
> + #include <stdlib.h>
> + #include <string.h>
> ++#include <limits.h>
> + 
> + #if defined(HAVE_INTTYPES_H)
> + # include <inttypes.h>
> +@@ -502,6 +503,7 @@ sixel_encode_body(
> +     int mx;
> +     int len;
> +     int pix;
> ++    int check_integer_overflow;
> +     unsigned char *map = NULL;
> +     sixel_node_t *np, *tp, top;
> +     int fillable;
> +@@ -557,8 +559,30 @@ sixel_encode_body(
> +             fillable = 1;
> +         }
> +         for (x = 0; x < width; x++) {
> +-            pix = pixels[y * width + x];  /* color index */
> ++            if (y > INT_MAX / width) {
> ++                /* integer overflow */
> ++                status = SIXEL_BAD_INTEGER_OVERFLOW;
> ++                goto end;
> ++            }
> ++            check_integer_overflow = y * width;
> ++            if (check_integer_overflow > INT_MAX - x) {
> ++                /* integer overflow */
> ++                status = SIXEL_BAD_INTEGER_OVERFLOW;
> ++                goto end;
> ++            }
> ++            pix = pixels[check_integer_overflow + x];  /* color index */
> +             if (pix >= 0 && pix < ncolors && pix != keycolor) {
> ++                if (pix > INT_MAX / width) {
> ++                    /* integer overflow */
> ++                    status = SIXEL_BAD_INTEGER_OVERFLOW;
> ++                    goto end;
> ++                }
> ++                check_integer_overflow = pix * width;
> ++                if (check_integer_overflow > INT_MAX - x) {
> ++                    /* integer overflow */
> ++                    status = SIXEL_BAD_INTEGER_OVERFLOW;
> ++                    goto end;
> ++                }
> +                 map[pix * width + x] |= (1 << i);
> +             }
> +             else if (!palstate) {
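Review bot: In the `@@ -557` hunk the validated product `check_integer_overflow = pix * width;` is computed but the store on the next line recomputes it, `map[pix * width + x] |= (1 << i);`; use the checked value, `map[check_integer_overflow + x] |= (1 << i);`, as the `pixels[check_integer_overflow + x]` read already does, so the index that is used is the one that was validated. The `y > INT_MAX / width` test and the `y * width` product do not depend on `x`, so they belong above `for (x = 0; x < width; x++)`, with a `width > 0 &&` guard added because outside the loop `width` is no longer implicitly non-zero. These checks stop signed overflow in the index arithmetic but do not by themselves bound `y * width + x` or `pix * width + x` against the sizes of `pixels` and `map`, which are allocated outside the hunk; if `map` holds `ncolors * width` bytes the existing `pix < ncolors` test covers it, otherwise a size comparison is still needed. `sixel_encode_body` starts and ends outside the hunks.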
> 
