authorJoe Marcus Clarke <marcus@FreeBSD.org>2004-10-11 20:05:25 +0000
committerJoe Marcus Clarke <marcus@FreeBSD.org>2004-10-11 20:05:25 +0000
commit91b931960ac1897eb95ea6e42ccfd61cfed0b20e (patch)
tree46ed890174f5fd89a667589f65e74c77de64a2b6 /graphics/gdk-pixbuf
parentUpdate to 5.0.2 release: (diff)
Fix the security issues with ICO and XPM loading as detailed at:
http://www.freebsd.org/ports/portaudit/3d1e9267-073f-11d9-b45d-000c41e2cdad.html

Adapted from: gtk+ CVS
Approved by: portmgr (implicit)
Notes
Notes: svn path=/head/; revision=118612
Diffstat (limited to 'graphics/gdk-pixbuf')
-rw-r--r--graphics/gdk-pixbuf/Makefile2
-rw-r--r--graphics/gdk-pixbuf/files/patch-pixbuf-security53
2 files changed, 54 insertions, 1 deletions
diff --git a/graphics/gdk-pixbuf/Makefile b/graphics/gdk-pixbuf/Makefile
index 69cf76d2f4eb..131e45cab78a 100644
--- a/graphics/gdk-pixbuf/Makefile
+++ b/graphics/gdk-pixbuf/Makefile
@@ -7,7 +7,7 @@
PORTNAME?= gdk-pixbuf
PORTVERSION= 0.22.0
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES?= graphics
MASTER_SITES= ${MASTER_SITE_GNOME}
MASTER_SITE_SUBDIR= sources/gdk-pixbuf/0.22
diff --git a/graphics/gdk-pixbuf/files/patch-pixbuf-security b/graphics/gdk-pixbuf/files/patch-pixbuf-security
new file mode 100644
index 000000000000..44c4eb8da4b9
--- /dev/null
+++ b/graphics/gdk-pixbuf/files/patch-pixbuf-security
@@ -0,0 +1,53 @@
+--- gdk-pixbuf/io-ico.c.orig Mon Oct 11 15:44:43 2004
++++ gdk-pixbuf/io-ico.c Mon Oct 11 15:47:29 2004
+@@ -330,6 +330,10 @@
+
+ State->HeaderSize+=I;
+
++ if (State->HeaderSize < 0) {
++ return FALSE;
++ }
++
+ if (State->HeaderSize>State->BytesInHeaderBuf) {
+ guchar *tmp=realloc(State->HeaderBuf,State->HeaderSize);
+ if (!tmp)
+--- gdk-pixbuf/io-xpm.c.orig Mon Oct 11 15:47:42 2004
++++ gdk-pixbuf/io-xpm.c Mon Oct 11 16:01:13 2004
+@@ -352,16 +352,33 @@
+ return NULL;
+ }
+ sscanf (buffer, "%d %d %d %d", &w, &h, &n_col, &cpp);
+- if (cpp >= 32) {
+- g_warning ("XPM has more than 31 chars per pixel.");
++ if (cpp <= 0 || cpp >= 32) {
++ g_warning ("XPM has invalid number of chars per pixel");
++ return NULL;
++ }
++
++ if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1)) {
++ g_warning ("XPM file has invalid number of colors");
+ return NULL;
+ }
+
+ /* The hash is used for fast lookups of color from chars */
+ color_hash = g_hash_table_new (g_str_hash, g_str_equal);
+
+- name_buf = g_new (gchar, n_col * (cpp + 1));
+- colors = g_new (_XPMColor, n_col);
++ name_buf = (gchar *) g_try_malloc (n_col * (cpp + 1));
++ if (!name_buf) {
++ g_warning ("Cannot allocate memory for loading XPM image");
++ g_hash_table_destroy (color_hash);
++ return NULL;
++ }
++
++ colors = (_XPMColor *) g_try_malloc (sizeof (_XPMColor) * n_col);
++ if (!colors) {
++ g_warning ("Cannot allocate memory for loading XPM image");
++ g_hash_table_destroy (color_hash);
++ g_free (name_buf);
++ return NULL;
++ }
+
+ for (cnt = 0; cnt < n_col; cnt++) {
+ gchar *color_name;
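Review bot: The `colors` allocation in the io-xpm.c part multiplies `sizeof (_XPMColor)` by `n_col`, but the new bound on `n_col` only covers the `n_col * (cpp + 1)` product used for `name_buf`. If `_XPMColor` is larger than `cpp + 1` bytes (its definition is outside the hunk), a large `n_col` taken from the file header could still wrap the size passed to `g_try_malloc` where the size type is 32 bits wide, leaving `colors` smaller than the `for (cnt = 0; cnt < n_col; cnt++)` loop assumes. Extending the check to `if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1) || n_col >= G_MAXINT / sizeof (_XPMColor)) {` would bound both products. The return value of `sscanf` is also not checked, so `cpp` and `n_col` are range-tested even when fewer than four fields were parsed; comparing it against 4, as in `if (sscanf (buffer, "%d %d %d %d", &w, &h, &n_col, &cpp) != 4) {`, and returning NULL would close that gap. The enclosing function starts before the hunk and continues past it, so any later validation of `w` and `h` is not visible here.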