x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.31.6-alpha-overflow-rebased.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79

From 2937faff06629e224f113a9af73eba59f65c3845 Mon Sep 17 00:00:00 2001
From: Matthias Clasen <mclasen@redhat.com>
Date: Mon, 24 Aug 2015 15:20:08 -0400
Subject: [PATCH] Avoid integer overflow in gdk_pixbuf_add_alpha

Same as before: don't do ptr = base + y * rowstride if y and
rowstride are integers.

This should fix http://bugzilla.gnome/org/753569
---
 gdk-pixbuf/gdk-pixbuf-util.c | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/gdk-pixbuf/gdk-pixbuf-util.c b/gdk-pixbuf/gdk-pixbuf-util.c
index 6fbaa8e..6eea4c3 100644
--- a/gdk-pixbuf/gdk-pixbuf-util.c
+++ b/gdk-pixbuf/gdk-pixbuf-util.c
@@ -65,12 +65,18 @@ gdk_pixbuf_add_alpha (const GdkPixbuf *pixbuf,
 {
 	GdkPixbuf *new_pixbuf;
 	int x, y;
+	const guint8 *src_pixels;
+	guint8 *ret_pixels;
+	const guchar *src;
+	guchar *dest;
 
 	g_return_val_if_fail (GDK_IS_PIXBUF (pixbuf), NULL);
 	g_return_val_if_fail (pixbuf->colorspace == GDK_COLORSPACE_RGB, NULL);
 	g_return_val_if_fail (pixbuf->n_channels == 3 || pixbuf->n_channels == 4, NULL);
 	g_return_val_if_fail (pixbuf->bits_per_sample == 8, NULL);
 
+	src_pixels = pixbuf->pixels;
+
 	if (pixbuf->has_alpha) {
 		new_pixbuf = gdk_pixbuf_copy (pixbuf);
 		if (!new_pixbuf)
@@ -81,17 +87,18 @@ gdk_pixbuf_add_alpha (const GdkPixbuf *pixbuf,
 	} else {
                 new_pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB, TRUE, 8, pixbuf->width, pixbuf->height);
         }
-        
+
 	if (!new_pixbuf)
 		return NULL;
 
-	for (y = 0; y < pixbuf->height; y++) {
-		guchar *src, *dest;
+	ret_pixels = new_pixbuf->pixels;
+
+	for (y = 0; y < pixbuf->height; y++, src_pixels += pixbuf->rowstride, ret_pixels += new_pixbuf->rowstride) {
 		guchar tr, tg, tb;
 
-		src = pixbuf->pixels + y * pixbuf->rowstride;
-		dest = new_pixbuf->pixels + y * new_pixbuf->rowstride;
-                
+                src = src_pixels;
+                dest = ret_pixels;
+
                 if (pixbuf->has_alpha) {
                         /* Just subst color, we already copied everything else */
                         for (x = 0; x < pixbuf->width; x++) {
@@ -100,12 +107,12 @@ gdk_pixbuf_add_alpha (const GdkPixbuf *pixbuf,
                                 src += 4;
                                 dest += 4;
                         }
-                } else {                        
+                } else {
                         for (x = 0; x < pixbuf->width; x++) {
                                 tr = *dest++ = *src++;
                                 tg = *dest++ = *src++;
                                 tb = *dest++ = *src++;
-                                
+
                                 if (substitute_color && tr == r && tg == g && tb == b)
                                         *dest++ = 0;
                                 else
-- 
2.5.1