[meego-commits] 23581: Changes to MeeGo:1.2.0:oss:Update:Testing/gimp

Han Dai no_reply at build.meego.com
Thu Aug 4 10:22:25 UTC 2011 

Hi,
I have made the following changes to gimp in project MeeGo:1.2.0:oss:Update:Testing. Please review and accept ASAP.

Thank You,
Han Dai

[This message was auto-generated]

---

Request #23581:

  submit:   home:daihan:branches:MeeGo:1.2.0:oss/gimp(r4)(cleanup) -> MeeGo:1.2.0:oss:Update:Testing/gimp


Message:
    Add a patch to fix BMC#12281,12284,12287,12290

State:   new          2011-08-04T03:22:21 daihan
Comment: None



changes files:
--------------
--- gimp.changes
+++ gimp.changes
@@ -0,0 +1,3 @@
+* Thu Aug 4 2011 Ye Gang <gang.ye at intel.com> -2.6.8
+- Add a patch to fix BMC#12287, BMC#12281, BMC#12284, BMC#12290
+

new:
----
  gimp-CVE-2010-454x-fix.patch

spec files:
-----------
--- gimp.spec
+++ gimp.spec
@@ -106,6 +106,7 @@
 # "Dialogs don't get minimized with single image window"
 Patch2:         gimp-2.6.6-minimize-dialogs.patch
 
+Patch3:         gimp-CVE-2010-454x-fix.patch
 %description
 GIMP (GNU Image Manipulation Program) is a powerful image composition and
 editing program, which can be extremely useful for creating logos and other
@@ -184,7 +185,7 @@
 %patch0 -p1 -b .xdg-open
 %patch1 -p1 -b .jpeg-units
 %patch2 -p1 -b .minimize-dialogs
-
+%patch3 -p1 -b .454x-fix
 %build
 # if [ ! -f configure ]; then
 #   ./autogen.sh --quiet $MYARCH_FLAGS --prefix=%{_prefix}

other changes:
--------------

++++++ gimp-CVE-2010-454x-fix.patch (new)
--- gimp-CVE-2010-454x-fix.patch
+++ gimp-CVE-2010-454x-fix.patch
+diff -Nur gimp-2.6.8/plug-ins/common/file-psp.c new/plug-ins/common/file-psp.c
+--- gimp-2.6.8/plug-ins/common/file-psp.c	2009-07-21 04:20:51.000000000 +0800
++++ new/plug-ins/common/file-psp.c	2011-04-19 14:51:56.000000000 +0800
+@@ -1246,13 +1246,14 @@
+             fread (buf, runcount, 1, f);
+           if (bytespp == 1)
+             {
++	      runcount = MIN (runcount, endq - q);
+               memmove (q, buf, runcount);
+               q += runcount;
+             }
+           else
+             {
+               p = buf;
+-              for (i = 0; i < runcount; i++)
++              for (i = 0; i < runcount && q < endq; i++)
+                 {
+                   *q = *p++;
+                   q += bytespp;
+diff -Nur gimp-2.6.8/plug-ins/common/sphere-designer.c new/plug-ins/common/sphere-designer.c
+--- gimp-2.6.8/plug-ins/common/sphere-designer.c	2009-07-22 04:43:49.000000000 +0800
++++ new/plug-ins/common/sphere-designer.c	2011-04-19 14:36:28.000000000 +0800
+@@ -1992,6 +1992,7 @@
+   gchar    endbuf[21 * (G_ASCII_DTOSTR_BUF_SIZE + 1)];
+   gchar   *end = endbuf;
+   gchar    line[1024];
++  gchar    fmt_str[16];
+   gint     i;
+   texture *t;
+   gint     majtype, type;
+@@ -2016,6 +2017,8 @@
+ 
+   s.com.numtexture = 0;
+ 
++  snprintf (fmt_str, sizeof (fmt_str), "%%d %%d %%%lds", sizeof (endbuf) - 1);
++
+   while (!feof (f))
+     {
+ 
+@@ -2026,7 +2029,7 @@
+       t = &s.com.texture[i];
+       setdefaults (t);
+ 
+-      if (sscanf (line, "%d %d %s", &t->majtype, &t->type, end) != 3)
++      if (sscanf (line, fmt_str, &t->majtype, &t->type, end) != 3)
+         t->color1.x = g_ascii_strtod (end, &end);
+       if (end && errno != ERANGE)
+         t->color1.y = g_ascii_strtod (end, &end);
+diff -Nur gimp-2.6.8/plug-ins/gfig/gfig-style.c new/plug-ins/gfig/gfig-style.c
+--- gimp-2.6.8/plug-ins/gfig/gfig-style.c	2009-07-21 04:20:51.000000000 +0800
++++ new/plug-ins/gfig/gfig-style.c	2011-04-19 14:41:22.000000000 +0800
+@@ -165,6 +165,7 @@
+   gchar *ptr;
+   gchar *tmpstr;
+   gchar *endptr;
++  gchar  fmt_str[32];
+   gchar  colorstr_r[G_ASCII_DTOSTR_BUF_SIZE];
+   gchar  colorstr_g[G_ASCII_DTOSTR_BUF_SIZE];
+   gchar  colorstr_b[G_ASCII_DTOSTR_BUF_SIZE];
+@@ -172,6 +173,10 @@
+ 
+   style_entry->r = style_entry->g = style_entry->b = style_entry->a = 0.;
+ 
++  snprintf (fmt_str, sizeof (fmt_str), "%%lds %%lds %%lds %%lds",
++	    sizeof (colorstr_r) - 1, sizeof (colorstr_g) - 1,
++	    sizeof (colorstr_b) - 1, sizeof (colorstr_a) - 1);
++
+   while (n < nitems)
+     {
+       ptr = strchr (text[n], ':');
+@@ -181,7 +186,7 @@
+           ptr++;
+           if (!strcmp (tmpstr, name))
+             {
+-              sscanf (ptr, "%s %s %s %s", colorstr_r, colorstr_g, colorstr_b, colorstr_a);
++              sscanf (ptr, fmt_str, colorstr_r, colorstr_g, colorstr_b, colorstr_a);
+               style_entry->r = g_ascii_strtod (colorstr_r, &endptr);
+               style_entry->g = g_ascii_strtod (colorstr_g, &endptr);
+               style_entry->b = g_ascii_strtod (colorstr_b, &endptr);
+diff -Nur gimp-2.6.8/plug-ins/lighting/lighting-ui.c new/plug-ins/lighting/lighting-ui.c
+--- gimp-2.6.8/plug-ins/lighting/lighting-ui.c	2009-07-21 04:20:51.000000000 +0800
++++ new/plug-ins/lighting/lighting-ui.c	2011-04-19 15:27:21.000000000 +0800
+@@ -1342,6 +1342,7 @@
+   gchar          buffer3[G_ASCII_DTOSTR_BUF_SIZE];
+   gchar          type_label[21];
+   gchar         *endptr;
++  gchar          fmt_str[32];
+ 
+   if (response_id == GTK_RESPONSE_OK)
+     {
+@@ -1381,23 +1382,41 @@
+                   return;
+                 }
+ 
+-              fscanf (fp, " Position: %s %s %s", buffer1, buffer2, buffer3);
+-              source->position.x = g_ascii_strtod (buffer1, &endptr);
++              snprintf (fmt_str, sizeof (fmt_str),
++			" Position: %%%lds %%%lds %%%lds",
++			sizeof (buffer1) - 1,
++			sizeof (buffer2) - 1,
++			sizeof (buffer3) - 1);
++	      fscanf (fp, fmt_str, buffer1, buffer2, buffer3);
++	      source->position.x = g_ascii_strtod (buffer1, &endptr);
+               source->position.y = g_ascii_strtod (buffer2, &endptr);
+               source->position.z = g_ascii_strtod (buffer3, &endptr);
+ 
+-              fscanf (fp, " Direction: %s %s %s", buffer1, buffer2, buffer3);
++              snprintf (fmt_str, sizeof (fmt_str),
++			" Direction: %%%lds %%%lds %%%lds",
++			sizeof (buffer1) - 1,
++			sizeof (buffer2) - 1,
++			sizeof (buffer3) - 1);
++	      fscanf (fp, fmt_str, buffer1, buffer2, buffer3);
+               source->direction.x = g_ascii_strtod (buffer1, &endptr);
+               source->direction.y = g_ascii_strtod (buffer2, &endptr);
+               source->direction.z = g_ascii_strtod (buffer3, &endptr);
+ 
+-              fscanf (fp, " Color: %s %s %s", buffer1, buffer2, buffer3);
++              snprintf (fmt_str, sizeof (fmt_str),
++			" Color: %%%lds %%%lds %%%lds",
++			sizeof (buffer1) - 1,
++			sizeof (buffer2) - 1,
++			sizeof (buffer3) - 1);
++	      fscanf (fp, fmt_str, buffer1, buffer2, buffer3);
+               source->color.r = g_ascii_strtod (buffer1, &endptr);
+               source->color.g = g_ascii_strtod (buffer2, &endptr);
+               source->color.b = g_ascii_strtod (buffer3, &endptr);
+               source->color.a = 1.0;
+ 
+-              fscanf (fp, " Intensity: %s", buffer1);
++              snprintf (fmt_str, sizeof (fmt_str),
++			" Intensity: %%%lds",
++			sizeof (buffer1) - 1);
++	      fscanf (fp, fmt_str, buffer1);
+               source->intensity = g_ascii_strtod (buffer1, &endptr);
+ 
+             }

More information about the MeeGo-commits mailing list