From 6df428ba24d8f244d08c4a205053e26b28cee0a9 Mon Sep 17 00:00:00 2001
From: Matthias Clasen <mclasen@redhat.com>
Date: Mon, 24 Aug 2015 14:44:50 -0400
Subject: [PATCH] Fix some more integer overflows
The scaling code had a similar problem to the one fixed in the
previous commit: Expressions like ptr = base + y * rowstride are
prone to overflow if y and rowstride are (possibly large) integers.
---
gdk-pixbuf/pixops/pixops.c | 44 ++++++++++++++++++++++----------------------
1 file changed, 22 insertions(+), 22 deletions(-)
diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c
index 993223e..33aa32e 100644
--- a/gdk-pixbuf/pixops/pixops.c
+++ b/gdk-pixbuf/pixops/pixops.c
@@ -304,8 +304,8 @@ pixops_scale_nearest (guchar *dest_buf,
guchar *dest;
y_pos = ((i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT;
y_pos = CLAMP (y_pos, 0, src_height - 1);
- src = src_buf + y_pos * src_rowstride;
- dest = dest_buf + i * dest_rowstride;
+ src = src_buf + (gsize)y_pos * src_rowstride;
+ dest = dest_buf + (gsize)i * dest_rowstride;
x = render_x0 * x_step + x_step / 2;
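Review bot: The row index feeding the new cast is still computed in plain int arithmetic: `y_pos = ((i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT;` and `x = render_x0 * x_step + x_step / 2;` can overflow for large render offsets or scale steps, assuming these variables are `int` (their declarations are outside the hunk). The CLAMP on the next line keeps the resulting row inside the source image, so this looks like a wrong-row or undefined-behaviour problem rather than an out-of-bounds read, but it is the same class of bug the commit targets. Consider widening the intermediate, e.g. `y_pos = ((gint64)(i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT;`. The identical pattern appears in the pixops_composite_nearest and pixops_composite_color_nearest hunks; the loop bodies continue outside each hunk.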
@@ -368,8 +368,8 @@ pixops_composite_nearest (guchar *dest_buf,
guchar *dest;
y_pos = ((i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT;
y_pos = CLAMP (y_pos, 0, src_height - 1);
- src = src_buf + y_pos * src_rowstride;
- dest = dest_buf + i * dest_rowstride;
+ src = src_buf + (gsize)y_pos * src_rowstride;
+ dest = dest_buf + (gsize)i * dest_rowstride;
x = render_x0 * x_step + x_step / 2;
@@ -460,8 +460,8 @@ pixops_composite_color_nearest (guchar *dest_buf,
guchar *dest;
y_pos = ((i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT;
y_pos = CLAMP (y_pos, 0, src_height - 1);
- src = src_buf + y_pos * src_rowstride;
- dest = dest_buf + i * dest_rowstride;
+ src = src_buf + (gsize)y_pos * src_rowstride;
+ dest = dest_buf + (gsize)i * dest_rowstride;
x = render_x0 * x_step + x_step / 2;
@@ -1303,7 +1303,7 @@ pixops_process (guchar *dest_buf,
guchar *new_outbuf;
guint32 tcolor1, tcolor2;
- guchar *outbuf = dest_buf + dest_rowstride * i;
+ guchar *outbuf = dest_buf + (gsize)dest_rowstride * i;
guchar *outbuf_end = outbuf + dest_channels * (render_x1 - render_x0);
if (((i + check_y) >> check_shift) & 1)
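Review bot: The line right after the fixed one, `guchar *outbuf_end = outbuf + dest_channels * (render_x1 - render_x0);`, still multiplies in int, as does `run_end_index * dest_channels` in the later line_func call hunk of pixops_process. For consistency with the rest of the patch these should get the same widening: `outbuf + (gsize)dest_channels * (render_x1 - render_x0)` and `(gsize)run_end_index * dest_channels`. This assumes the operands are non-negative ints at this point, which the hunk does not show.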
@@ -1322,9 +1322,9 @@ pixops_process (guchar *dest_buf,
if (y_start < 0)
line_bufs[j] = (guchar *)src_buf;
else if (y_start < src_height)
- line_bufs[j] = (guchar *)src_buf + src_rowstride * y_start;
+ line_bufs[j] = (guchar *)src_buf + (gsize)src_rowstride * y_start;
else
- line_bufs[j] = (guchar *)src_buf + src_rowstride * (src_height - 1);
+ line_bufs[j] = (guchar *)src_buf + (gsize)src_rowstride * (src_height - 1);
y_start++;
}
@@ -1348,7 +1348,7 @@ pixops_process (guchar *dest_buf,
}
new_outbuf = (*line_func) (run_weights, filter->x.n, filter->y.n,
- outbuf, dest_x, dest_buf + dest_rowstride *
+ outbuf, dest_x, dest_buf + (gsize)dest_rowstride *
i + run_end_index * dest_channels,
dest_channels, dest_has_alpha,
line_bufs, src_channels, src_has_alpha,
@@ -1866,7 +1866,7 @@ _pixops_composite (guchar *dest_buf,
return;
#endif
- new_dest_buf = dest_buf + dest_y * dest_rowstride + dest_x * dest_channels;
+ new_dest_buf = dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x * dest_channels;
render_x0 = dest_x - offset_x;
render_y0 = dest_y - offset_y;
render_x1 = dest_x + dest_region_width - offset_x;
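Review bot: The `(gsize)` casts only widen the multiply where gsize is wider than int; on a 32-bit build gsize is 32 bits, so `(gsize)dest_y * dest_rowstride` can still wrap and produce a pointer outside the destination buffer. A negative dest_y or dest_x also converts to a very large gsize, which then relies on wraparound to land on the intended address. Nothing in the hunk shows dest_x, dest_y and the region size being validated against the buffer before this line, so unless callers already guarantee it, add a range check before computing new_dest_buf, for instance `g_return_if_fail (dest_x >= 0 && dest_y >= 0);`. The same applies to the _pixops_scale hunk and to the pixops_medialib_composite and pixops_medialib_scale hunks; the function bodies continue outside the hunks.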
@@ -2026,7 +2026,7 @@ pixops_medialib_composite (guchar *dest_buf,
if (!use_medialib)
{
/* Use non-mediaLib version */
- _pixops_composite_real (dest_buf + dest_y * dest_rowstride + dest_x *
+ _pixops_composite_real (dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x *
dest_channels, dest_x - offset_x, dest_y -
offset_y, dest_x + dest_region_width - offset_x,
dest_y + dest_region_height - offset_y,
@@ -2068,8 +2068,8 @@ pixops_medialib_composite (guchar *dest_buf,
}
else
{
- mlib_u8 *data = dest_buf + (dest_y * dest_rowstride) +
- (dest_x * dest_channels);
+ mlib_u8 *data = dest_buf + (gsize)dest_y * dest_rowstride +
+ (gsize)dest_x * dest_channels;
mlib_ImageSetStruct (&img_dest, MLIB_BYTE, dest_channels,
dest_region_width, dest_region_height,
@@ -2136,8 +2136,8 @@ pixops_medialib_composite (guchar *dest_buf,
else
{
/* Should not happen - Use non-mediaLib version */
- _pixops_composite_real (dest_buf + dest_y * dest_rowstride +
- dest_x * dest_channels,
+ _pixops_composite_real (dest_buf + (gsize)dest_y * dest_rowstride +
+ (gsize)dest_x * dest_channels,
dest_x - offset_x, dest_y - offset_y,
dest_x + dest_region_width - offset_x,
dest_y + dest_region_height - offset_y,
@@ -2260,7 +2260,7 @@ _pixops_scale (guchar *dest_buf,
return;
#endif
- new_dest_buf = dest_buf + dest_y * dest_rowstride + dest_x * dest_channels;
+ new_dest_buf = dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x * dest_channels;
render_x0 = dest_x - offset_x;
render_y0 = dest_y - offset_y;
render_x1 = dest_x + dest_region_width - offset_x;
@@ -2314,8 +2314,8 @@ pixops_medialib_scale (guchar *dest_buf,
*/
if (!use_medialib)
{
- _pixops_scale_real (dest_buf + dest_y * dest_rowstride + dest_x *
- dest_channels, dest_x - offset_x, dest_y - offset_y,
+ _pixops_scale_real (dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x *
+ dest_channels, dest_x - offset_x, dest_y - offset_y,
dest_x + dest_region_width - offset_x,
dest_y + dest_region_height - offset_y,
dest_rowstride, dest_channels, dest_has_alpha,
@@ -2343,8 +2343,8 @@ pixops_medialib_scale (guchar *dest_buf,
}
else
{
- mlib_u8 *data = dest_buf + (dest_y * dest_rowstride) +
- (dest_x * dest_channels);
+ mlib_u8 *data = dest_buf + (gsize)dest_y * dest_rowstride +
+ (gsize)dest_x * dest_channels;
mlib_ImageSetStruct (&img_dest, MLIB_BYTE, dest_channels,
dest_region_width, dest_region_height,
@@ -2379,7 +2379,7 @@ pixops_medialib_scale (guchar *dest_buf,
int channels = 3;
int rowstride = (channels * src_width + 3) & ~3;
- tmp_buf = g_malloc (src_rowstride * src_height);
+ tmp_buf = g_malloc_n (src_rowstride, src_height);
if (src_buf != NULL)
{
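Review bot: `g_malloc_n` detects the multiplication overflow but responds by aborting the process, so an image with an oversized rowstride or height becomes a crash instead of a handled failure. Since these dimensions may originate from untrusted image files, `tmp_buf = g_try_malloc_n (src_rowstride, src_height);` followed by a NULL check that falls back to the non-mediaLib path would fail more gracefully. The local `int rowstride = (channels * src_width + 3) & ~3;` just above is also computed in int and can overflow for a large src_width. The rest of the block is outside the hunk, so how tmp_buf is used and freed cannot be confirmed from here.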
--
2.5.1