Diffstat (limited to 'media-gfx/gifsicle/files/gifsicle-1.94-CVE-2023-46009.patch')
-rw-r--r-- | media-gfx/gifsicle/files/gifsicle-1.94-CVE-2023-46009.patch | 94 |
1 files changed, 94 insertions, 0 deletions
diff --git a/media-gfx/gifsicle/files/gifsicle-1.94-CVE-2023-46009.patch b/media-gfx/gifsicle/files/gifsicle-1.94-CVE-2023-46009.patch
new file mode 100644
index 000000000000..6b82c8ecdd0c
--- /dev/null
+++ b/media-gfx/gifsicle/files/gifsicle-1.94-CVE-2023-46009.patch
@@ -0,0 +1,94 @@
+diff -Naurp a/src/giffunc.c b/src/giffunc.c
+--- a/src/giffunc.c 2021-09-20 13:19:00.000000000 +0200
++++ b/src/giffunc.c 2024-02-04 14:05:47.811880522 +0100
+@@ -466,8 +466,10 @@ Gif_CopyImage(Gif_Image *src)
+ void Gif_MakeImageEmpty(Gif_Image* gfi) {
+ Gif_ReleaseUncompressedImage(gfi);
+ Gif_ReleaseCompressedImage(gfi);
+- gfi->left = gfi->top = 0;
+- gfi->width = gfi->height = 1;
++ gfi->left = gfi->left < 0xFFFE ? gfi->left : 0xFFFE;
++ gfi->top = gfi->top < 0xFFFE ? gfi->top : 0xFFFE;
++ gfi->width = 1;
++ gfi->height = 1;
+ gfi->transparent = 0;
+ Gif_CreateUncompressedImage(gfi, 0);
+ gfi->img[0][0] = 0;
+diff -Naurp a/src/support.c b/src/support.c
+--- a/src/support.c 2023-06-14 17:47:12.000000000 +0200
++++ b/src/support.c 2024-02-04 14:05:51.307885109 +0100
+@@ -1421,9 +1421,9 @@ analyze_crop(int nmerger, Gt_Crop* crop,
+ }
+ }
+
+- if (t > b)
++ if (t > b) {
+ crop->w = crop->h = 0;
+- else {
++ } else {
+ crop->x = l;
+ crop->y = t;
+ crop->w = r - l;
+@@ -1618,7 +1618,8 @@ merge_frame_interval(Gt_Frameset *fset,
+ desti->comment = 0;
+ }
+ if (fr->comment) {
+- if (!desti->comment) desti->comment = Gif_NewComment();
++ if (!desti->comment)
++ desti->comment = Gif_NewComment();
+ merge_comments(desti->comment, fr->comment);
+ /* delete the comment early to help with memory; set field to 0 so we
+ don't re-free it later */
+@@ -1628,10 +1629,22 @@ merge_frame_interval(Gt_Frameset *fset,
+
+ if (fr->interlacing >= 0)
+ desti->interlace = fr->interlacing;
+- if (fr->left >= 0)
+- desti->left = fr->left + (fr->position_is_offset ? desti->left : 0);
+- if (fr->top >= 0)
+- desti->top = fr->top + (fr->position_is_offset ? desti->top : 0);
++ if (fr->left >= 0) {
++ int left = fr->left + (fr->position_is_offset ? desti->left : 0);
++ if (left + desti->width > 65535) {
++ error(1, "left position %d out of range", left);
++ return 0;
++ }
++ desti->left = left;
++ }
++ if (fr->top >= 0) {
++ int top = fr->top + (fr->position_is_offset ? desti->top : 0);
++ if (top + desti->height > 65535) {
++ error(1, "top position %d out of range", top);
++ return 0;
++ }
++ desti->top = top;
++ }
+
+ if (fr->delay >= 0)
+ desti->delay = fr->delay;
+diff -Naurp a/src/xform.c b/src/xform.c
+--- a/src/xform.c 2023-06-14 17:48:05.000000000 +0200
++++ b/src/xform.c 2024-02-04 14:05:47.812880524 +0100
+@@ -262,18 +262,18 @@ crop_image(Gif_Image* gfi, Gt_Frame* fr,
+ gfi->img[j] = old_img[c.y + j] + c.x;
+ gfi->img[c.h] = 0;
+ Gif_DeleteArray(old_img);
++ gfi->left += c.x - fr->left_offset;
++ gfi->top += c.y - fr->top_offset;
+ gfi->width = c.w;
+ gfi->height = c.h;
+- } else if (preserve_total_crop)
++ } else if (preserve_total_crop) {
+ Gif_MakeImageEmpty(gfi);
+- else {
++ } else {
+ Gif_DeleteArray(gfi->img);
+ gfi->img = 0;
+ gfi->width = gfi->height = 0;
+ }
+
+- gfi->left += c.x - fr->left_offset;
+- gfi->top += c.y - fr->top_offset;
+ return gfi->img != 0;
+ }
+
|
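Review bot: The added patch file starts directly at `diff -Naurp a/src/giffunc.c b/src/giffunc.c` with no header saying where the fix comes from, so the backport cannot be checked against its upstream source from this file alone. I would add a short header above the first `diff` line, for example `Upstream commit: <UPSTREAM_COMMIT_URL>` and `Bug: <BUG_URL>`, plus one line stating that the functional changes are the position clamp in `Gif_MakeImageEmpty`, the `> 65535` range checks in `merge_frame_interval` and the moved offset update in `crop_image`. The brace-only edits in `analyze_crop` and the split `if (!desti->comment)` do not change behaviour as far as the visible lines show; if they are kept to match upstream, the header should say so. The new `return 0;` paths in `merge_frame_interval` sit inside a function whose start and end are outside the hunk, so whether anything allocated earlier needs releasing on that path has to be confirmed against the full source.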