Package: imlib2 / 1.4.8-1

Metadata

Package | Version | Patches format
imlib2 | 1.4.8-1 | 3.0 (quilt)

Patch series

Patch | File delta | Description
01_removed data dir.patch

Makefile.am | 2 1 + 1 - 0 !
configure.ac | 3 0 + 3 - 0 !
2 files changed, 1 insertion(+), 4 deletions(-)

 do not install files under data/
02_fix gif with no cmap.patch

src/modules/loaders/loader_gif.c | 15 11 + 4 - 0 !
1 file changed, 11 insertions(+), 4 deletions(-)

 do not segfault when loading gif without color map
03_CVE 2011 5326.patch

src/lib/ellipse.c | 24 24 + 0 - 0 !
1 file changed, 24 insertions(+)

 fix potential divide-by-zero in imlib_image_draw_ellipse().

Attempting to draw a 2x1 ellipse with e.g. imlib_image_draw_ellipse(x, y, 2, 1)
causes a divide-by-zero.
It seems happy enough to draw 1x1, 1x2 and 2x2, but not 2x1.

Patch by Simon Lees.

https://bugs.debian.org/639414

04_CVE 2016 3993.patch

src/lib/updates.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix off-by-one oob read in __imlib_mergeupdate().

Patch by Yuriy M. Kaminskiy.

https://bugs.debian.org/819818

05_CVE 2016 3994.patch

src/modules/loaders/loader_gif.c | 38 17 + 21 - 0 !
1 file changed, 17 insertions(+), 21 deletions(-)

 gif loader: fix out-of-bound reads from colormap.

Bug-Debian: http://bugs.debian.org/785369
Note: removes all special-casing from the inner loop, optimize for common case.
06_CVE 2016 4024.patch

src/lib/image.h | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

 fix integer overflow resulting in insufficient heap allocation

IMAGE_DIMENSIONS_OK ensures that image width and height are less than
46340, so that maximum number of pixels is ~2**31.

Unfortunately, there is a lot of code that allocates image data with
something like

   malloc(w * h * sizeof(DATA32));

Obviously, on 32-bit machines this results in integer overflow,
insufficient heap allocation, with [massive] out-of-bounds heap
overwrite.
Either X_MAX should be reduced to 32767, or (w)*(h) should be checked to
not exceed ULONG_MAX/sizeof(DATA32).

Security implications:
*) for 32-bit machines: insufficient heap allocation and heap overwrite
in many image loaders, with escalation potential to remote code
execution;
*) for 64-bit machines: it seems, no impact.
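
The overflow described in the 06 patch message, as an added example (not code from imlib2 or from the Debian patch): it models a 32-bit size_t with uint32_t so the wraparound is visible on any host, and compares the per-side limit with the product check the message proposes. The function names, the SIZE_MAX_32 constant and the sample dimensions are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t DATA32;          /* 4-byte pixel, as in the message */
#define OLD_DIM_LIMIT 46340       /* per-side bound quoted in the message */
#define SIZE_MAX_32   UINT32_MAX  /* assumption: stands in for ULONG_MAX on a 32-bit target */

/* Dimension check as the message describes it: each side below 46340. */
static int dims_ok_old(int w, int h)
{
    return w > 0 && h > 0 && w < OLD_DIM_LIMIT && h < OLD_DIM_LIMIT;
}

/* Byte count malloc(w * h * sizeof(DATA32)) receives when size_t is 32 bits:
 * the true product is truncated modulo 2^32. */
static uint32_t alloc_size_32(int w, int h)
{
    return (uint32_t)((uint64_t)w * (uint64_t)h * sizeof(DATA32));
}

/* Check proposed in the message: w*h must not exceed ULONG_MAX/sizeof(DATA32).
 * The product is formed in 64 bits so the check itself cannot wrap. */
static int dims_ok_checked(int w, int h)
{
    if (w <= 0 || h <= 0)
        return 0;
    return (uint64_t)w * (uint64_t)h <= SIZE_MAX_32 / sizeof(DATA32);
}

int main(void)
{
    /* Constructed sample dimensions, all below the old per-side limit. */
    static const int dims[][2] = {
        {32767, 32767}, {32768, 32768}, {32769, 32768}, {46339, 46339}
    };
    for (size_t i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        int w = dims[i][0], h = dims[i][1];
        unsigned long long need = (unsigned long long)w * h * sizeof(DATA32);
        printf("%dx%d: needs %llu bytes, 32-bit malloc gets %lu, old=%d checked=%d\n",
               w, h, need, (unsigned long)alloc_size_32(w, h),
               dims_ok_old(w, h), dims_ok_checked(w, h));
    }
    return 0;
}
```

A 32769x32768 image passes the per-side check yet yields a 131072-byte request for data that needs just over 4 GiB, which is the undersized heap buffer the message refers to.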