Author: somlo
Update of /cvs/nonfree/rpms/xv/F-17
In directory old02.ovh.rpmfusion.lan:/tmp/cvs-serv16176
Modified Files:
xv-3.10a-namemax.patch xv.spec
Added Files:
xv-3.10a-xvcut.patch
Log Message:
* Thu Mar 28 2013 Gabriel Somlo <somlo at cmu.edu> 3.10a.jumbopatch.20070520-18
- patch for cut/paste bug in 24+ bit mode (by Mark Brader <msb(a)vex.net>)
- further buffer overflow fix for overly long command line argument
xv-3.10a-xvcut.patch:
xvcut.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- NEW FILE xv-3.10a-xvcut.patch ---
When a selection containing no more than 256 distinct colors is copied
from a 24-bit image, xv uses 8-bit color on the clipboard, presumably
in order to optimize clipboard size if the selection is large.
This patch fixes a bug that was causing the colormap it constructs
to be stored one place off the correct position in the data structure.
Signed-off-by: Mark Brader <msb(a)vex.net>
Acked-by: Gabriel Somlo <somlo(a)cmu.edu>
diff -NarU5 a/xvcut.c b/xvcut.c
--- a/xvcut.c 2013-03-28 12:36:30.515468841 -0400
+++ b/xvcut.c 2013-03-28 12:37:34.639145150 -0400
@@ -676,13 +676,13 @@
for (k=0; k<nc; k++,cm+=3) {
if (pr==cm[0] && pg==cm[1] && pb==cm[2]) break;
}
if (k==nc) {
nc++;
- cimg[CIMG_CMAP + nc*3 ] = pr;
- cimg[CIMG_CMAP + nc*3 + 1] = pg;
- cimg[CIMG_CMAP + nc*3 + 2] = pb;
+ cimg[CIMG_CMAP + k*3 ] = pr;
+ cimg[CIMG_CMAP + k*3 + 1] = pg;
+ cimg[CIMG_CMAP + k*3 + 2] = pb;
}
*dp++ = (byte) k;
}
}
xv-3.10a-namemax.patch:
xv.c | 9 ++++++---
xvtext.c | 2 +-
2 files changed, 7 insertions(+), 4 deletions(-)
Index: xv-3.10a-namemax.patch
===================================================================
RCS file: /cvs/nonfree/rpms/xv/F-17/xv-3.10a-namemax.patch,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- xv-3.10a-namemax.patch 14 Mar 2013 14:34:57 -0000 1.2
+++ xv-3.10a-namemax.patch 28 Mar 2013 20:40:18 -0000 1.3
@@ -1,6 +1,12 @@
-diff -NarU5 xv-3.10a.orig/xv.c xv-3.10a/xv.c
---- xv-3.10a.orig/xv.c 2013-03-14 09:37:32.095682131 -0400
-+++ xv-3.10a/xv.c 2013-03-14 09:55:10.629312017 -0400
+Under several circumstances, overly large filenames (or overly long command
+line arguments) cause buffer overflows due to the lack of bounds checking in
+the original xv source code. This patch is a first pass attempt at fixing that.
+
+Signed-off-by: Gabriel Somlo <somlo(a)cmu.edu>
+
+diff -NarU5 a/xv.c b/xv.c
+--- a/xv.c 2013-03-28 12:59:56.364082302 -0400
++++ b/xv.c 2013-03-28 13:22:10.312576922 -0400
@@ -62,11 +62,11 @@
static double vexpand = 1.0; /* '-expand' argument */
static const char *maingeom = NULL;
@@ -14,7 +20,38 @@
# ifndef TV_FONTSET
# define TV_FONTSET "-*-fixed-medium-r-normal--%d-*"
# endif
-@@ -3998,11 +3998,11 @@
+@@ -2167,15 +2167,17 @@
+ else if (filenum == PADDED) {
+ /* need fullfname (used for window/icon name),
+ basefname(compute from fullfname) */
+
+ i = LoadPad(&pinfo, fullfname);
++ if (!i) goto FAILED; /* shouldn't happen */
++
+ fullname = fullfname;
+ strcpy(filename, fullfname);
++ if (strlen(BaseName(fullfname)) > NAME_MAX) goto FAILED;
+ strcpy(basefname, BaseName(fullfname));
+
+- if (!i) goto FAILED; /* shouldn't happen */
+
+ if (killpage) { /* kill old page files, if any */
+ KillPageFiles(pageBaseName, numPages);
+ pageBaseName[0] = '\0';
+ numPages = 1;
+@@ -2236,10 +2238,11 @@
+ #else
+ else fullname = namelist[filenum];
+ #endif
+
+ strcpy(fullfname, fullname);
++ if (strlen(BaseName(fullfname)) > NAME_MAX) goto FAILED;
+ strcpy(basefname, BaseName(fullname));
+
+
+ /* chop off trailing ".Z", ".z", or ".gz" from displayed
basefname, if any */
+ if (strlen(basefname)>2 &&
strcmp(basefname+strlen(basefname)-2,".Z")==0)
+@@ -3998,11 +4001,11 @@
/***********************************/
static void setWinIconNames(name)
@@ -27,9 +64,9 @@
strcpy(winname, winTitle);
strcpy(iconname, winTitle);
}
-diff -NarU5 xv-3.10a.orig/xvtext.c xv-3.10a/xvtext.c
---- xv-3.10a.orig/xvtext.c 2013-03-14 09:37:32.129684079 -0400
-+++ xv-3.10a/xvtext.c 2013-03-14 09:38:44.288818545 -0400
+diff -NarU5 a/xvtext.c b/xvtext.c
+--- a/xvtext.c 2013-03-28 12:59:56.400084367 -0400
++++ b/xvtext.c 2013-03-28 13:02:26.056666623 -0400
@@ -51,11 +51,11 @@
# define TV_MSCODE 7
Index: xv.spec
===================================================================
RCS file: /cvs/nonfree/rpms/xv/F-17/xv.spec,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- xv.spec 14 Mar 2013 14:34:57 -0000 1.11
+++ xv.spec 28 Mar 2013 20:40:18 -0000 1.12
@@ -3,7 +3,7 @@
Name: xv
Version: %{vprog}.jumbopatch.%{vjumbo}
-Release: 17%{?dist}
+Release: 18%{?dist}
Summary: Interactive image display program for X
Summary(de.UTF-8): X-basierender Bild-Viewer für praktische sämtliche Grafiken
Summary(es.UTF-8): Visualizador de imágenes para X para cuasi todos los formatos de
imágenes
@@ -30,6 +30,7 @@
Patch4: xv-wait.patch
Patch5: xv-3.10a-libpng15.patch
Patch6: xv-3.10a-namemax.patch
+Patch7: xv-3.10a-xvcut.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: libtiff-devel libpng-devel jasper-devel desktop-file-utils
%if "%{?rhel}" != "4"
@@ -146,6 +147,9 @@
# NAME_MAX buffer overflow fix
%patch6 -p1
+# cut/paste fix for 24bit+ images
+%patch7 -p1
+
# Include permission to distribute
%{__install} -m 0644 -p %{SOURCE2} .
@@ -281,6 +285,10 @@
%doc %{_docdir}/%{name}-%{vprog}/manuals/
%changelog
+* Thu Mar 28 2013 Gabriel Somlo <somlo at cmu.edu> 3.10a.jumbopatch.20070520-18
+- patch for cut/paste bug in 24+ bit mode (by Mark Brader <msb(a)vex.net>)
+- further buffer overflow fix for overly long command line argument
+
* Thu Mar 14 2013 Gabriel Somlo <somlo at cmu.edu> 3.10a.jumbopatch.20070520-17
- additional fix for long filename buffer overflow