--- libgdiplus-2.6.7.orig/debian/postinst
+++ libgdiplus-2.6.7/debian/postinst
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+if [ "$1" = "configure" ]; then
+ ldconfig
+fi
+
+#DEBHELPER#
--- libgdiplus-2.6.7.orig/debian/control
+++ libgdiplus-2.6.7/debian/control
@@ -0,0 +1,31 @@
+Source: libgdiplus
+Section: libs
+Priority: optional
+Maintainer: Debian Mono Group
+Uploaders: Mirco Bauer , Sebastian Dröge , Jo Shields
+Build-Depends:
+ debhelper (>= 7.0.50~),
+ libglib2.0-dev (>= 2.2.3),
+ libx11-dev,
+ libxt-dev,
+ libfontconfig1-dev,
+ libfreetype6-dev,
+ libxft-dev (>= 2.0),
+ libpng12-dev,
+ libjpeg62-dev,
+ libtiff4-dev,
+ libgif-dev,
+ libexif-dev,
+ libcairo2-dev (>= 1.4)
+Standards-Version: 3.9.1
+Homepage: http://www.mono-project.com/Libgdiplus
+Vcs-Git: git://git.debian.org/git/pkg-mono/packages/libgdiplus.git
+Vcs-Browser: http://git.debian.org/?p=pkg-mono/packages/libgdiplus.git
+
+
+Package: libgdiplus
+Architecture: i386 kfreebsd-i386 powerpc amd64 kfreebsd-amd64 ia64 arm armeb armel sparc s390 lpia
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: interface library for System.Drawing of Mono
+ This package contains a GDI+ API compatible implementation needed by the
+ System.Drawing library of Mono.
--- libgdiplus-2.6.7.orig/debian/watch
+++ libgdiplus-2.6.7/debian/watch
@@ -0,0 +1,2 @@
+version=2
+http://go-mono.com/sources-stable/ .+/libgdiplus-([\d\.]+)\.tar\.bz2
--- libgdiplus-2.6.7.orig/debian/compat
+++ libgdiplus-2.6.7/debian/compat
@@ -0,0 +1 @@
+5
--- libgdiplus-2.6.7.orig/debian/changelog
+++ libgdiplus-2.6.7/debian/changelog
@@ -0,0 +1,422 @@ +libgdiplus (2.6.7-2) experimental; urgency=high + + * SECURITY UPDATE: Import upstream commit fa0e3a1d516166c341d5, which + closes integer overflows in BMP, JPEG and TIFF handling. + (Closes: #594155) (CVE-2010-1526) + + -- Jo Shields Wed, 25 Aug 2010 08:51:05 +0100 + +libgdiplus (2.6.7-1) experimental; urgency=low + + * New upstream release + * debian/rules: + + Don't use ../tarballs in get-orig-source, this is against policy + * debian/control: + + Bump standards version to 3.9.1 + + Use Vcs-Git, not Vcs-Svn, and correct Vcs-Browser + + -- Jo Shields Fri, 06 Aug 2010 19:12:15 +0100 + +libgdiplus (2.6.4-2) experimental; urgency=low + + * git:upstream-2.6.4/debian/patches/libpng_1.4_compatibility_version_check_fix: + + Change version number check on libpng in src/pngcodec.c to >1.3.99, + rather than >1.2.43, as security releases on the 1.2 branch should be + treated in the old way, not the new 1.4-branch-way. + + -- Jo Shields Fri, 02 Jul 2010 14:43:49 +0100 + +libgdiplus (2.6.4-1) experimental; urgency=low + + * New upstream release + * debian/control, + debian/rules, + debian/libgdiplus.install, + debian/libgdiplus.dirs: + + Remove dpatch + + Port to Debhelper 7 + * debian/control: + + Bump standards version to 3.8.4 (no changes needed) + * debian/source/format: + + Force Debian source format 1.0 + + -- Jo Shields Fri, 21 May 2010 14:32:03 +0100 + +libgdiplus (2.4.2-1) unstable; urgency=low + + * New upstream release + * debian/rules: + + Modify get-orig-source rule to produce consistent md5sums + * debian/control: + + Bump standards version to 3.8.2 (no changes needed) + + Re-space build-depends line for easier reading + + -- Jo Shields Tue, 30 Jun 2009 10:31:21 +0100 + +libgdiplus (2.4-1) unstable; urgency=low + + * New upstream release + * debian/control: + + Bump standards version to 3.8.1 (no changes needed) + + -- Jo Shields Wed, 29 Apr 2009 14:00:08 +0100 + +libgdiplus (2.0-2) unstable; urgency=low + + * Upload to unstable. 
+ + -- Mirco Bauer Wed, 25 Feb 2009 00:58:43 +0100 + +libgdiplus (2.0-1) experimental; urgency=low + + [ Jo Shields ] + * New upstream release. + * Added myself to Uploaders + * No-change standards version bump (3.8.0) + * debian/rules: + + No more need to disable glitz + + Clear debian-rules-ignores-make-clean-error lintian error by rewriting + make clean line + * debian/postinst: + + Clear postinst-must-call-ldconfig lintian error by adding a postinst + script to call ldconfig + * debian/control: + + Doesn't appear to depend directly on xrender anymore + + Remove poinltess dependency on libmono0 and libmono-dev + + [ Sebastian Dröge ] + * debian/control: + + Build depend on libgif-dev instead of the transitional libungif4-dev. + + Add lpia to the supported architectures. + + [ Mirco Bauer ] + * debian/rules: + + Fixed clean target, config.{status,log} must not be deleted before + running "make clean". + + Run "make clean" before unpatching. + * debian/control: + + Added Homepage, Vcs-Browser and Vcs-Svn fields. + + Enhanced package description. + + -- Mirco Bauer Sun, 16 Nov 2008 18:41:52 +0100 + +libgdiplus (1.9-1) unstable; urgency=high + + * New upstream release. + * debian/watch: + + Fix watch file (Closes: #449993). + + -- Sebastian Dröge Mon, 07 Apr 2008 09:35:06 +0200 + +libgdiplus (1.2.6-2) unstable; urgency=low + + * debian/control: + + Add sparc and s390 to the supported architectures as these are now + supported by mono. + + Use Mirco's debian.org mail address. + + -- Sebastian Dröge Sun, 23 Dec 2007 04:46:20 +0100 + +libgdiplus (1.2.6-1) unstable; urgency=low + + * New upstream release: + + debian/patches/01_external-cairo.dpatch, + debian/patches/99_autoreconf.dpatch: + - Dropped, merged upstream. + * debian/control: + + Drop Dave Beckett from Uploaders by his request. + + Updated Standards-Version to 3.7.3, no additional changes needed. 
+ + -- Sebastian Dröge Thu, 13 Dec 2007 13:18:49 +0100 + +libgdiplus (1.2.5-1) unstable; urgency=low + + * New upstream release. + * debian/patches/01_missing-include.dpatch: + + Dropped, merged upstream. + * debian/patches/01_external-cairo.dpatch, + debian/patches/99_autoreconf.dpatch, + debian/rules, + debian/control: + + Link and build with the external cairo. Patch from upstream SVN. + + -- Sebastian Dröge Sun, 02 Sep 2007 13:10:57 +0200 + +libgdiplus (1.2.4-2) unstable; urgency=low + + * debian/patches/01_missing-include.dpatch: + + Add a missing include, resulting in a build failure (Closes: #434339). + Thanks to Cyril Brulebois for + the patch. + + -- Sebastian Dröge Fri, 10 Aug 2007 11:25:30 +0200 + +libgdiplus (1.2.4-1) unstable; urgency=low + + * Sebastian 'slomo' Dröge: + + New upstream release + + debian/rules, + debian/libgdiplus.install, + debian/libgdiplus.files: + - Migrate from dh_movefiles to dh_install. + + debian/rules: + - Remove Libs, Cflags and Requires fields from the pkg-config file. + These are absolutely not necessary as this library is not for linking + against it anyway and having these fields will only require + development packages of some packages to be installed to use + the pkg-config file. 
(Closes: #290492) + + -- Sebastian Dröge Wed, 16 May 2007 23:03:10 +0200 + +libgdiplus (1.2.3-3) unstable; urgency=low + + * Upload to unstable + * Sebastian 'slomo' Dröge: + + debian/control: + - Also add kfreebsd-amd64, armeb and armel to archs + (Closes: #408785, #415086) + + -- Sebastian Dröge Sun, 15 Apr 2007 22:07:34 +0200 + +libgdiplus (1.2.3-2) experimental; urgency=low + + * debian/control: + + Add kfreebsd-i386 support + + -- Sebastian Dröge Tue, 27 Feb 2007 14:40:18 +0100 + +libgdiplus (1.2.3-1) experimental; urgency=low + + * Sebastian 'slomo' Dröge: + + New upstream release + + -- Sebastian Dröge Tue, 27 Feb 2007 12:53:16 +0100 + +libgdiplus (1.2.2-1) experimental; urgency=low + + * Sebastian 'slomo' Dröge: + + New upstream release + + debian/control: + - Updated to use my debian.org mail address + + -- Sebastian Dröge Wed, 31 Jan 2007 09:57:41 +0100 + +libgdiplus (1.1.18-1) unstable; urgency=low + + * New upstream release + * Mirco 'meebey' Bauer: + + debian/watch: + - Updated location again. + + -- Debian Mono Group Mon, 16 Oct 2006 20:54:20 +0200 + +libgdiplus (1.1.17-1) unstable; urgency=low + + * Sebastian 'slomo' Dröge: + + New upstream release + + debian/control: + - Add libxrender-dev and libexif-dev to Build-Depends + + debian/watch: + - Updated location yet again + + debian/control: + - Added myself to Uploaders + - Updated Standards-Version (no changes needed) + + debian/compat, + debian/control: + - Updated to debhelper compat level 5 + + -- Debian Mono Group Sun, 3 Sep 2006 23:05:44 +0200 + +libgdiplus (1.1.13.6-1) unstable; urgency=low + + * New upstream release + * Mirco 'meebey' Bauer + + Added arm to arch list. 
(Closes: #374448) + + -- Debian Mono Group Mon, 19 Jun 2006 20:31:59 +0200 + +libgdiplus (1.1.13.4-1) unstable; urgency=low + + * New upstream release + + -- Debian Mono Group Sat, 11 Mar 2006 22:36:03 +0100 + +libgdiplus (1.1.13.2-1) unstable; urgency=low + + * New upstream release + * Mirco 'meebey' Bauer + + debian/patches/00list: + - Removed pixmap_remap_fix, already applied upstream. + + -- Debian Mono Group Mon, 30 Jan 2006 22:43:26 +0100 + +libgdiplus (1.1.13-1) unstable; urgency=low + + * New upstream release + + -- Debian Mono Group Mon, 16 Jan 2006 19:05:08 +0100 + +libgdiplus (1.1.10-2) unstable; urgency=low + + * Dave Beckett + + Replace xlibs-dev with libx11-dev, libxt-dev (Closes: #347112) + + debian/rules: make clean target tidy up cairo directory + + debian/rules: edit out references to source tree from libgdiplus.pc + + -- Debian Mono Group Mon, 9 Jan 2006 23:04:00 -0800 + +libgdiplus (1.1.10-1) unstable; urgency=low + + * New upstream release + * Mirco 'meebey' Bauer + + Added dpatch to build-deps. + + debian/patches/pixmap_remap_fix.dpatch: + - Patch to fix the build using current binutils + (thanks to Sebastian 'slomo' Dröge ) + + -- Debian Mono Group Sun, 13 Nov 2005 18:34:04 +0100 + +libgdiplus (1.1.9.1-1) unstable; urgency=low + + * New upstream release + * Mirco 'meebey' Bauer + + Added ia64 to arch field. + + -- Debian Mono Group Sun, 25 Sep 2005 21:22:45 +0200 + +libgdiplus (1.1.8-2) unstable; urgency=low + + * Dave Beckett + + rebuild against libglib2.0-0 in unstable (Closes: 321568) + + add myself to uploaders + + -- Debian Mono Group Sun, 7 Aug 2005 20:19:23 +0100 + +libgdiplus (1.1.8-1) unstable; urgency=low + + * New upstream release + * Mirco 'meebey' Bauer + + Updated to Standards Version 3.6.2.1 (no changes). + + debian/rules: + - Removed "cairo" hack for libgdiplus.pc. 
+ + -- Debian Mono Group Sun, 24 Jul 2005 19:22:37 +0200 + +libgdiplus (1.1.7-2) unstable; urgency=low + + * upload to unstable + * Mirco 'meebey' Bauer + + really added amd64 to the arch list now. + + removed libglitz1-dev from Build-conflicts, using --disable-glitz in + configure now. + + added debian/watch file. + + -- Debian Mono Group Sun, 29 May 2005 19:59:03 +0200 + +libgdiplus (1.1.7-1) experimental; urgency=low + + * New upstream release + * Mirco 'meebey' Bauer + + moved section field to source package. + + added xlibs-dev, libfontconfig1-dev, libfreetype6-dev and libxft-dev + to build dependencies. + + removed s390 architecture, added amd64 architecture + (thanks to Kurt Roeckx for testing on an amd64 machine) + + removed libcairo1-dev build-dependency (Closes: #301113) + (uses embedded cairo 0.3.0, required because of big API change in 0.4.0) + + added libglitz1-dev to Build-Conflicts (it does not like cairo 0.3.0). + + -- Debian Mono Group Sat, 14 May 2005 18:39:38 +0200 + +libgdiplus (1.0.4-1) unstable; urgency=low + + * New upstream release + * Changed Maintainer to Debian Mono Group + * Mirco 'meebey' Bauer + + added s390 to arch list + + -- Debian Mono Group Sun, 05 Dec 2004 22:02:10 +0200 + +libgdiplus (1.0-2) unstable; urgency=low + + * Force dependency on libtiff4 to work around potential segfaults caused by + ABI changes + + -- Eduard Bloch Sun, 4 Jul 2004 16:29:02 +0200 + +libgdiplus (1.0-1) unstable; urgency=low + + * New upstream release + + -- Debian Mono Group Sun, 4 Jul 2004 15:52:08 +0200 + +libgdiplus (0.9-1) unstable; urgency=low + + * New upstream release + * Setting virtual build dependency to get rid of strict libmono + dependencies. And yes, it will make it installable with libmono (0.91-*) + (closes: #244697, #245916). 
+ + -- Debian Mono Group Wed, 16 Jun 2004 23:09:02 +0200 + +libgdiplus (0.5-3) unstable; urgency=low + + * More Build-Dependencies, thanks to Daniel Schepler (closes: #252596) + + -- Eduard Bloch Tue, 1 Jun 2004 01:22:06 +0200 + +libgdiplus (0.5-2) unstable; urgency=low + + * Rebuilt with the correct libmono + + -- Eduard Bloch Tue, 1 Jun 2004 01:09:09 +0200 + +libgdiplus (0.5-1) unstable; urgency=low + + * New upstream release + + -- Eduard Bloch Sun, 30 May 2004 14:28:28 +0200 + +libgdiplus (0.2-2) unstable; urgency=low + + * Set the exact build-dep on the current libmono version + + -- Eduard Bloch Wed, 7 Apr 2004 01:21:15 +0200 + +libgdiplus (0.2-1) unstable; urgency=low + + * New upstream release + * removing the -Werror cookie after configure + + -- Eduard Bloch Wed, 7 Apr 2004 01:12:25 +0200 + +libgdiplus (0.1-4) unstable; urgency=low + + * updated build conflicts to the new mono version (0.30.2) + * removed all arches but i386 and powerpc from the list (libmono needed) + + -- Eduard Bloch Fri, 27 Feb 2004 13:06:11 +0100 + +libgdiplus (0.1-3) unstable; urgency=low + + * adjusted Build-Depends/Conflicts to mono 0.30.1 version (closes: #235080) + + -- Eduard Bloch Tue, 24 Feb 2004 12:52:14 +0100 + +libgdiplus (0.1-2) unstable; urgency=low + + * Dave Beckett: + + Build-Dep on libcairo1-dev, libglib2.0-dev (>= 2.2.3), libmono-dev + + Fixed libgdiplus.pc to use the correct cairo versioned dependency. + * Eduard Bloch: + + Changes to the fixes above to relax the mono version dependency and + not use Sed + + -- Dave Beckett Mon, 16 Feb 2004 23:53:54 +0000 + +libgdiplus (0.1-1) unstable; urgency=low + + * Initial Release (closes: #230896) + + -- Eduard Bloch Sat, 7 Feb 2004 22:37:11 +0100 + --- libgdiplus-2.6.7.orig/debian/gbp.conf +++ libgdiplus-2.6.7/debian/gbp.conf @@ -0,0 +1,3 @@ +[DEFAULT] +debian-branch = master-experimental +upstream-branch = upstream-experimental --- libgdiplus-2.6.7.orig/debian/rules +++ libgdiplus-2.6.7/debian/rules 
@@ -0,0 +1,64 @@
+#!/usr/bin/make -f
+
+#export DH_VERBOSE=1
+MAKEFILE = $(firstword $(MAKEFILE_LIST))
+DEBIAN_DIR = $(dir $(MAKEFILE))
+SOURCE_DIR = $(DEBIAN_DIR)/..
+
+DEB_VERSION = $(shell dpkg-parsechangelog -l$(DEBIAN_DIR)/changelog | grep ^Version | cut -d" " -f2)
+DEB_SOURCE_NAME = $(shell dpkg-parsechangelog -l$(DEBIAN_DIR)/changelog | grep ^Source | cut -d" " -f2)
+VERSION = $(shell echo $(DEB_VERSION) | cut -d"-" -f1 | sed 's/+dfsg.*//')
+
+
+DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
+DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
+
+CFLAGS = -Wall -g
+
+ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
+ CFLAGS += -O0
+else
+ CFLAGS += -O2
+endif
+ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
+ INSTALL_PROGRAM += -s
+endif
+
+get-orig-source:
+ uscan \
+ --package $(DEB_SOURCE_NAME) \
+ --watchfile $(DEBIAN_DIR)/watch \
+ --upstream-version $(VERSION) \
+ --download-version $(VERSION) \
+ --destdir . \
+ --force-download \
+ --rename
+ bzcat ./$(DEB_SOURCE_NAME)_$(VERSION).orig.tar.bz2 | \
+ gzip -9fn -c - > ./$(DEB_SOURCE_NAME)_$(VERSION).orig.tar.gz
+ rm ./$(DEB_SOURCE_NAME)_$(VERSION).orig.tar.bz2
+
+override_dh_auto_configure:
+ CFLAGS="$(CFLAGS)" ./configure \
+ --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) \
+ --prefix=/usr --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info \
+ --with-cairo=system
+ perl -pe 's/-Werror//' -i src/Makefile
+
+override_dh_auto_build:
+ $(MAKE)
+ perl -pe 's,^Requires:.*,,; s,^Libs:.*,,; s,^Cflags:.*,,;' -i libgdiplus.pc
+
+override_dh_makeshlibs:
+ dh_makeshlibs -V
+
+override_dh_auto_install:
+ dh_auto_install
+ rm debian/libgdiplus/usr/lib/lib*.*a
+
+override_dh_auto_clean:
+ [ ! -f Makefile ] || $(MAKE) clean
+ rm -f config.status config.log
+ rm -f cairo/config.status cairo/config.log
+
+%:
+ dh $@
--- libgdiplus-2.6.7.orig/debian/copyright
+++ libgdiplus-2.6.7/debian/copyright
@@ -0,0 +1,38 @@ +This package was debianized by Eduard Bloch on +Sat, 7 Feb 2004 22:37:11 +0100. + +It was downloaded from http://www.mono-project.com/downloads/index.html + +Upstream Authors: + +Alexandre Pigolkine +Duncan Mak +Jordi Mas +Miguel de Icaza +Ravindra Kumar + +Copyright: + +Libgdiplus is available under the terms of the MIT X11 license: + +Copyright (c) 2001-2004 Novell + +Permission is hereby granted, free of charge, to any person obtaining a +copy of this software and associated documentation files (the +"Software"), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be included +in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY +CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, +TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + --- libgdiplus-2.6.7.orig/debian/source/format +++ libgdiplus-2.6.7/debian/source/format @@ -0,0 +1 @@ +1.0 --- libgdiplus-2.6.7.orig/src/jpegcodec.c +++ libgdiplus-2.6.7/src/jpegcodec.c @@ -282,6 +282,7 @@ BYTE *lines[4] = {NULL, NULL, NULL, NULL}; GpStatus status; int stride; + unsigned long long int size; destbuf = NULL; result = NULL; 
@@ -323,20 +324,21 @@ if (cinfo.num_components == 1) { result->cairo_format = CAIRO_FORMAT_A8; - result->active_bitmap->stride = cinfo.image_width; result->active_bitmap->pixel_format = PixelFormat8bppIndexed; + size = 1; } else if (cinfo.num_components == 3) { /* libjpeg gives us RGB for many formats and * we convert to RGB format when needed. JPEG * does not support alpha (transparency). */ result->cairo_format = CAIRO_FORMAT_ARGB32; - result->active_bitmap->stride = 4 * cinfo.image_width; result->active_bitmap->pixel_format = PixelFormat24bppRGB; + size = 4; } else if (cinfo.num_components == 4) { result->cairo_format = CAIRO_FORMAT_ARGB32; - result->active_bitmap->stride = 4 * cinfo.image_width; result->active_bitmap->pixel_format = PixelFormat32bppRGB; - } + size = 4; + } else + goto error; switch (cinfo.jpeg_color_space) { case JCS_GRAYSCALE: @@ -360,7 +362,12 @@ break; } - stride = result->active_bitmap->stride; + size *= cinfo.image_width; + /* stride is a (signed) _int_ and once multiplied by 4 it should hold a value that can be allocated by GdipAlloc + * this effectively limits 'width' to 536870911 pixels */ + if (size > G_MAXINT32) + goto error; + stride = result->active_bitmap->stride = size; /* Request cairo-compat output */ /* libjpeg can do only following conversions, @@ -397,7 +404,13 @@ jpeg_start_decompress (&cinfo); - destbuf = GdipAlloc (stride * cinfo.output_height); + /* ensure total 'size' does not overflow an integer and fits inside our 2GB limit */ + size *= cinfo.output_height; + if (size > G_MAXINT32) { + status = OutOfMemory; + goto error; + } + destbuf = GdipAlloc (size); if (destbuf == NULL) { status = OutOfMemory; goto error; --- libgdiplus-2.6.7.orig/src/bmpcodec.c +++ libgdiplus-2.6.7/src/bmpcodec.c @@ -781,7 +781,6 @@ int colours; BOOL os2format = FALSE; BOOL upsidedown = TRUE; - int size; int size_read; BYTE *data_read = NULL; int line; 
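Review bot: Two of the `goto error` exits added to jpegcodec.c leave `status` unassigned: the new `else` branch for an unexpected `num_components` and the `if (size > G_MAXINT32)` stride check, whereas the allocation-size check further down sets `status = OutOfMemory;` before jumping. The `error` label and the initial value of `status` are outside these hunks, so if the label returns `status`, a rejected image may be reported with a stale or success code. Setting it on each path, e.g. `} else { status = InvalidParameter; goto error; }` and `if (size > G_MAXINT32) { status = OutOfMemory; goto error; }`, keeps the three exits consistent. The same bare `goto error` appears in the 24/32-bpp stride check added to bmpcodec.c, where the last visible assignment to `status` is the return value of `gdip_read_BITMAPINFOHEADER`.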
@@ -793,6 +792,7 @@ ARGB green_mask = 0; ARGB blue_mask = 0; int red_shift = 0; + unsigned long long int size; status = gdip_read_BITMAPINFOHEADER (pointer, &bmi, source, &os2format, &upsidedown); if (status != Ok) @@ -860,23 +860,30 @@ result->active_bitmap->width = bmi.biWidth; result->active_bitmap->height = bmi.biHeight; + /* biWidth and biHeight are LONG (32 bits signed integer) */ + size = bmi.biWidth; + switch (result->active_bitmap->pixel_format) { case PixelFormat1bppIndexed: - result->active_bitmap->stride = (result->active_bitmap->width + 7) / 8; + result->active_bitmap->stride = (size + 7) / 8; break; case PixelFormat4bppIndexed: - result->active_bitmap->stride = (result->active_bitmap->width + 1) / 2; + result->active_bitmap->stride = (size + 1) / 2; break; case PixelFormat8bppIndexed: - result->active_bitmap->stride = result->active_bitmap->width; - break; - case PixelFormat24bppRGB: - result->active_bitmap->stride = result->active_bitmap->width * 4; + result->active_bitmap->stride = size; break; default: /* For other types, we assume 32 bit and translate into 32 bit from source format */ result->active_bitmap->pixel_format = PixelFormat32bppRGB; - result->active_bitmap->stride = result->active_bitmap->width * 4; + /* fall-thru */ + case PixelFormat24bppRGB: + /* stride is a (signed) _int_ and once multiplied by 4 it should hold a value that can be allocated by GdipAlloc + * this effectively limits 'width' to 536870911 pixels */ + size *= 4; + if (size > G_MAXINT32) + goto error; + result->active_bitmap->stride = size; break; } 
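Review bot: Only the 24/32-bpp branch of the stride switch gets the `size > G_MAXINT32` test; the 1, 4 and 8 bpp cases store `(size + 7) / 8`, `(size + 1) / 2` and `size` straight into the `int` stride with no range check. Because `size` is unsigned and is loaded from the signed `bmi.biWidth`, a negative width turns into a very large value that wraps or truncates in those cases, and the later `stride * height` check (the hunk at -922) bounds only the product, not the sign of either factor. Unless `gdip_read_BITMAPINFOHEADER` already rejects such headers (not visible here), validate the width before the switch, e.g. `if (bmi.biWidth <= 0) { status = InvalidParameter; goto error; }`, and confirm `biHeight` is positive by this point, since top-down handling appears to be delegated to the header reader through `upsidedown`. The enclosing function starts and ends outside these hunks.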
@@ -922,7 +929,14 @@ data_read = NULL; } - pixels = GdipAlloc (result->active_bitmap->stride * result->active_bitmap->height); + size = result->active_bitmap->stride; + /* ensure total 'size' does not overflow an integer and fits inside our 2GB limit */ + size *= result->active_bitmap->height; + if (size > G_MAXINT32) { + status = OutOfMemory; + goto error; + } + pixels = GdipAlloc (size); if (pixels == NULL) { status = OutOfMemory; goto error; --- libgdiplus-2.6.7.orig/src/tiffcodec.c +++ libgdiplus-2.6.7/src/tiffcodec.c @@ -1104,6 +1104,8 @@ frame = gdip_frame_add(result, &gdip_image_frameDimension_page_guid); for (page = 0; page < num_of_pages; page++) { + unsigned long long int size; + bitmap_data = gdip_frame_add_bitmapdata(frame); if (bitmap_data == NULL) { goto error; @@ -1139,14 +1141,25 @@ bitmap_data->image_flags |= ImageFlagsHasRealDPI; } - bitmap_data->stride = tiff_image.width * 4; + /* width and height are uint32, but TIFF uses 32 bits offsets (so it's real size limit is 4GB), + * however libtiff uses signed int (int32 not uint32) as offsets so we limit ourselves to 2GB */ + size = tiff_image.width; + /* stride is a (signed) _int_ and once multiplied by 4 it should hold a value that can be allocated by GdipAlloc + * this effectively limits 'width' to 536870911 pixels */ + size *= sizeof (guint32); + if (size > G_MAXINT32) + goto error; + bitmap_data->stride = size; bitmap_data->width = tiff_image.width; bitmap_data->height = tiff_image.height; bitmap_data->reserved = GBD_OWN_SCAN0; bitmap_data->image_flags |= ImageFlagsColorSpaceRGB | ImageFlagsHasRealPixelSize | ImageFlagsReadOnly; - num_of_pixels = tiff_image.width * tiff_image.height; - pixbuf = GdipAlloc(num_of_pixels * sizeof(guint32)); + /* ensure total 'size' does not overflow an integer and fits inside our 2GB limit */ + size *= tiff_image.height; + if (size > G_MAXINT32) + goto error; + pixbuf = GdipAlloc (size); if (pixbuf == NULL) { goto error; } 
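Review bot: `num_of_pixels` loses its only visible assignment in the tiffcodec.c hunk at -1139, and the pixel-flip loop in the following hunk now iterates to `size >> 2` instead. Its declaration is outside these hunks, so confirm nothing else in the function still reads it (it would now be uninitialised) and drop the declaration along with the assignment. It would also help to say in the existing comment that `size` must stay unchanged between `GdipAlloc (size)` and that loop, since the loop bound now depends on it.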
@@ -1168,9 +1181,9 @@ memcpy(pixbuf + (bitmap_data->stride * (tiff_image.height - i - 1)), pixbuf_row, bitmap_data->stride); } - /* Now flip from ARGB to ABGR */ + /* Now flip from ARGB to ABGR processing one pixel (4 bytes) at the time */ pixbuf_ptr = (guint32 *)pixbuf; - for (i = 0; i < num_of_pixels; i++) { + for (i = 0; i < (size >> 2); i++) { *pixbuf_ptr = (*pixbuf_ptr & 0xff000000) | ((*pixbuf_ptr & 0x00ff0000) >> 16) | (*pixbuf_ptr & 0x0000ff00) |