diff -Nru advancecomp-2.1/debian/changelog advancecomp-2.1/debian/changelog
--- advancecomp-2.1/debian/changelog 2019-03-17 21:28:03.000000000 +0000
+++ advancecomp-2.1/debian/changelog 2019-05-18 20:50:20.000000000 +0000
@@ -1,3 +1,13 @@
+advancecomp (2.1-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix a buffer overflow caused by invalid images (CVE-2019-8383)
+ (Closes: #928730)
+ * Fix a buffer overflow caused by invalid chunks (CVE-2019-8379)
+ (Closes: #928729)
+
+ -- Salvatore Bonaccorso Sat, 18 May 2019 22:50:20 +0200
+
 advancecomp (2.1-2) unstable; urgency=high
 
 [ Salvatore Bonaccorso ]
diff -Nru advancecomp-2.1/debian/patches/Fix-a-buffer-overflow-caused-by-invalid-chunks.patch advancecomp-2.1/debian/patches/Fix-a-buffer-overflow-caused-by-invalid-chunks.patch
--- advancecomp-2.1/debian/patches/Fix-a-buffer-overflow-caused-by-invalid-chunks.patch 1970-01-01 00:00:00.000000000 +0000
+++ advancecomp-2.1/debian/patches/Fix-a-buffer-overflow-caused-by-invalid-chunks.patch 2019-05-18 20:50:20.000000000 +0000
@@ -0,0 +1,94 @@
+From: Andrea Mazzoleni
+Date: Fri, 4 Jan 2019 20:49:48 +0100
+Subject: Fix a buffer overflow caused by invalid chunks
+Origin: https://github.com/amadvance/advancecomp/commit/7894a6e684ce68ddff9f4f4919ab8e3911ac8040
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-8379
+Bug-Debian: https://bugs.debian.org/928729
+Bug: https://sourceforge.net/p/advancemame/bugs/271/
+
+---
+ pngex.cc | 26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/pngex.cc b/pngex.cc
+index 55d16f5d066e..3f5b49f101b0 100644
+--- a/pngex.cc
++++ b/pngex.cc
+@@ -163,6 +163,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+
+ switch (type) {
+ case ADV_MNG_CN_MHDR :
++ if (size < 28) {
++ cout << " invalid chunk size";
++ break;
++ }
+ cout << " width:" << be_uint32_read(data+0) << " height:" << be_uint32_read(data+4) << " frequency:" << be_uint32_read(data+8);
+ cout << " simplicity:" << be_uint32_read(data+24);
+ cout << "(bit";
+@@ -174,6 +178,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ cout << ")";
+ break;
+ case ADV_MNG_CN_DHDR :
++ if (size < 4) {
++ cout << " invalid chunk size";
++ break;
++ }
+ cout << " id:" << be_uint16_read(data+0);
+ switch (data[2]) {
+ case 0 : cout << " img:unspecified"; break;
+@@ -243,6 +251,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ }
+ break;
+ case ADV_MNG_CN_DEFI :
++ if (size < 2) {
++ cout << " invalid chunk size";
++ break;
++ }
+ cout << " id:" << be_uint16_read(data+0);
+ if (size >= 3) {
+ switch (data[2]) {
+@@ -266,6 +278,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size)
+ }
+ break;
+ case ADV_MNG_CN_MOVE :
++ if (size < 13) {
++ cout << " invalid chunk size";
++ break;
++ }
+ cout << " id_from:" << be_uint16_read(data+0) << " id_to:" << be_uint16_read(data+2);
+ switch (data[4]) {
+ case 0 : cout << " type:replace"; break;
+@@ -275,6
+291,10 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size) + cout << " x:" << (int)be_uint32_read(data + 5) << " y:" << (int)be_uint32_read(data + 9); + break; + case ADV_MNG_CN_PPLT : ++ if (size < 1) { ++ cout << " invalid chunk size"; ++ break; ++ } + switch (data[0]) { + case 0 : cout << " type:replacement_rgb"; break; + case 1 : cout << " type:delta_rgb"; break; +@@ -285,7 +305,7 @@ void png_print_chunk(unsigned type, unsigned char* data, unsigned size) + default : cout << " type:?"; break; + } + i = 1; +- while (i +Date: Fri, 4 Jan 2019 20:49:25 +0100 +Subject: Fix a buffer overflow caused by invalid images +Origin: https://github.com/amadvance/advancecomp/commit/78a56b21340157775be2462a19276b4d31d2bd01 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-8383 +Bug-Debian: https://bugs.debian.org/928730 +Bug: https://sourceforge.net/p/advancemame/bugs/272/ + +--- + lib/png.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/lib/png.c b/lib/png.c +index 0939a5a0f041..cbf140b2ca6d 100644 +--- a/lib/png.c ++++ b/lib/png.c +@@ -603,6 +603,7 @@ adv_error adv_png_read_ihdr( + unsigned pixel; + unsigned width; + unsigned width_align; ++ unsigned scanline; + unsigned height; + unsigned depth; + int r; +@@ -719,9 +720,23 @@ adv_error adv_png_read_ihdr( + goto err_ptr; + } + +- *dat_size = height * (width_align * pixel + 1); ++ /* check for overflow */ ++ if (pixel == 0 || width_align >= UINT_MAX / pixel) { ++ error_set("Invalid image size"); ++ goto err_ptr; ++ } ++ ++ scanline = width_align * pixel + 1; ++ ++ /* check for overflow */ ++ if (scanline == 0 || height >= UINT_MAX / scanline) { ++ error_set("Invalid image size"); ++ goto err_ptr; ++ } ++ ++ *dat_size = height * scanline; + *dat_ptr = malloc(*dat_size); +- *pix_scanline = width_align * pixel + 1; ++ *pix_scanline = scanline; + *pix_ptr = *dat_ptr + 1; + + z.zalloc = 0; +-- +2.11.0 + diff -Nru 
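Review bot: The minimum sizes in the new guards of png_print_chunk (28, 4, 2, 13, 1) are bare literals, so a later edit that reads one more field in a case can outrun its guard without anyone noticing. For MHDR and MOVE the values match the last visible reads (`be_uint32_read(data+24)` and `be_uint32_read(data + 9)`), but the DHDR and PPLT cases continue outside the hunks, so whether `size < 4` and `size < 1` cover every read there cannot be confirmed from this page. I would tie each number to the field it protects with a short comment, e.g. `/* simplicity is the last field read: 4 bytes at offset 24 */` above `if (size < 28)`, and likewise for the other cases.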
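Review bot: The result of `malloc(*dat_size)` is still used unchecked in adv_png_read_ihdr: right after the new overflow checks, `*pix_ptr = *dat_ptr + 1;` is formed without testing `*dat_ptr` for NULL. The checks deliberately let sizes up to just under UINT_MAX through, so an allocation failure on a crafted IHDR is realistic, and the pointer is presumably handed to the inflate setup that follows outside the hunk. I would add `if (!*dat_ptr) { error_set("Low memory"); goto err_ptr; }` directly after the malloc, in the same error style the hunk already uses. Whether `height == 0` (which makes `*dat_size` zero while `*dat_ptr + 1` is still computed) is rejected earlier in the function, and whether `<limits.h>` is already included for `UINT_MAX`, is not visible here and worth confirming.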
advancecomp-2.1/debian/patches/series advancecomp-2.1/debian/patches/series
--- advancecomp-2.1/debian/patches/series 2019-03-17 21:27:35.000000000 +0000
+++ advancecomp-2.1/debian/patches/series 2019-05-18 20:50:20.000000000 +0000
@@ -1 +1,3 @@
 Fix-a-buffer-overflow-with-image-of-invalid-size.patch
+Fix-a-buffer-overflow-caused-by-invalid-images.patch
+Fix-a-buffer-overflow-caused-by-invalid-chunks.patch