Author: somlo Update of /cvs/nonfree/rpms/xv/EL-6 In directory old02.ovh.rpmfusion.lan:/tmp/cvs-serv16323 Modified Files: xv-3.10a-namemax.patch xv.spec Added Files: xv-3.10a-xvcut.patch Log Message: * Thu Mar 28 2013 Gabriel Somlo <somlo at cmu.edu> 3.10a.jumbopatch.20070520-18 - patch for cut/paste bug in 24+ bit mode (by Mark Brader <msb(a)vex.net>) - further buffer overflow fix for overly long command line argument xv-3.10a-xvcut.patch: xvcut.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- NEW FILE xv-3.10a-xvcut.patch --- When a selection containing no more than 256 distinct colors is copied from a 24-bit image, xv uses 8-bit color on the clipboard, presumably in order to optimize clipboard size if the selection is large. This patch fixes a bug that was causing the colormap it constructs to be stored one place off the correct position in the data structure. Signed-off-by: Mark Brader <msb(a)vex.net&gt; Acked-by: Gabriel Somlo <somlo(a)cmu.edu&gt; diff -NarU5 a/xvcut.c b/xvcut.c --- a/xvcut.c 2013-03-28 12:36:30.515468841 -0400 +++ b/xvcut.c 2013-03-28 12:37:34.639145150 -0400 @@ -676,13 +676,13 @@ for (k=0; k<nc; k++,cm+=3) { if (pr==cm[0] && pg==cm[1] && pb==cm[2]) break; } if (k==nc) { nc++; - cimg[CIMG_CMAP + nc*3 ] = pr; - cimg[CIMG_CMAP + nc*3 + 1] = pg; - cimg[CIMG_CMAP + nc*3 + 2] = pb; + cimg[CIMG_CMAP + k*3 ] = pr; + cimg[CIMG_CMAP + k*3 + 1] = pg; + cimg[CIMG_CMAP + k*3 + 2] = pb; } *dp++ = (byte) k; } } xv-3.10a-namemax.patch: xv.c | 9 ++++++--- xvtext.c | 2 +- 2 files changed, 7 insertions(+), 4 deletions(-) Index: xv-3.10a-namemax.patch =================================================================== RCS file: /cvs/nonfree/rpms/xv/EL-6/xv-3.10a-namemax.patch,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- xv-3.10a-namemax.patch 14 Mar 2013 14:35:17 -0000 1.2 +++ xv-3.10a-namemax.patch 28 Mar 2013 20:40:41 -0000 1.3 @@ -1,6 +1,12 @@ -diff -NarU5 xv-3.10a.orig/xv.c xv-3.10a/xv.c ---- xv-3.10a.orig/xv.c 2013-03-14 09:37:32.095682131 -0400 -+++ xv-3.10a/xv.c 2013-03-14 09:55:10.629312017 -0400 +Under several circumstances, overly large filenames (or overly long command +line arguments) cause buffer overflows due to the lack of bounds checking in +the original xv source code. This patch is a first pass attempt at fixing that. + +Signed-off-by: Gabriel Somlo <somlo(a)cmu.edu&gt; + +diff -NarU5 a/xv.c b/xv.c +--- a/xv.c 2013-03-28 12:59:56.364082302 -0400 ++++ b/xv.c 2013-03-28 13:22:10.312576922 -0400 @@ -62,11 +62,11 @@ static double vexpand = 1.0; /* '-expand' argument */ static const char *maingeom = NULL; @@ -14,7 +20,38 @@ # ifndef TV_FONTSET # define TV_FONTSET "-*-fixed-medium-r-normal--%d-*" # endif -@@ -3998,11 +3998,11 @@ +@@ -2167,15 +2167,17 @@ + else if (filenum == PADDED) { + /* need fullfname (used for window/icon name), + basefname(compute from fullfname) */ + + i = LoadPad(&pinfo, fullfname); ++ if (!i) goto FAILED; /* shouldn't happen */ ++ + fullname = fullfname; + strcpy(filename, fullfname); ++ if (strlen(BaseName(fullfname)) > NAME_MAX) goto FAILED; + strcpy(basefname, BaseName(fullfname)); + +- if (!i) goto FAILED; /* shouldn't happen */ + + if (killpage) { /* kill old page files, if any */ + KillPageFiles(pageBaseName, numPages); + pageBaseName[0] = '\0'; + numPages = 1; +@@ -2236,10 +2238,11 @@ + #else + else fullname = namelist[filenum]; + #endif + + strcpy(fullfname, fullname); ++ if (strlen(BaseName(fullfname)) > NAME_MAX) goto FAILED; + strcpy(basefname, BaseName(fullname)); + + + /* chop off trailing ".Z", ".z", or ".gz" from displayed basefname, if any */ + if (strlen(basefname)>2 && strcmp(basefname+strlen(basefname)-2,".Z")==0) +@@ -3998,11 +4001,11 @@ /***********************************/ static void setWinIconNames(name) @@ -27,9 +64,9 @@ strcpy(winname, winTitle); strcpy(iconname, winTitle); } -diff -NarU5 xv-3.10a.orig/xvtext.c xv-3.10a/xvtext.c ---- xv-3.10a.orig/xvtext.c 2013-03-14 09:37:32.129684079 -0400 -+++ xv-3.10a/xvtext.c 2013-03-14 09:38:44.288818545 -0400 +diff -NarU5 a/xvtext.c b/xvtext.c +--- a/xvtext.c 2013-03-28 12:59:56.400084367 -0400 ++++ b/xvtext.c 2013-03-28 13:02:26.056666623 -0400 @@ -51,11 +51,11 @@ # define TV_MSCODE 7 Index: xv.spec =================================================================== RCS file: /cvs/nonfree/rpms/xv/EL-6/xv.spec,v retrieving revision 1.10 retrieving revision 1.11 diff -u -r1.10 -r1.11 --- xv.spec 14 Mar 2013 14:35:17 -0000 1.10 +++ xv.spec 28 Mar 2013 20:40:41 -0000 1.11 @@ -3,7 +3,7 @@ Name: xv Version: %{vprog}.jumbopatch.%{vjumbo} -Release: 17%{?dist} +Release: 18%{?dist} Summary: Interactive image display program for X Summary(de.UTF-8): X-basierender Bild-Viewer für praktische sämtliche Grafiken Summary(es.UTF-8): Visualizador de imágenes para X para cuasi todos los formatos de imágenes @@ -30,6 +30,7 @@ Patch4: xv-wait.patch Patch5: xv-3.10a-libpng15.patch Patch6: xv-3.10a-namemax.patch +Patch7: xv-3.10a-xvcut.patch BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRequires: libtiff-devel libpng-devel jasper-devel desktop-file-utils %if "%{?rhel}" != "4" @@ -146,6 +147,9 @@ # NAME_MAX buffer overflow fix %patch6 -p1 +# cut/paste fix for 24bit+ images +%patch7 -p1 + # Include permission to distribute %{__install} -m 0644 -p %{SOURCE2} . @@ -281,6 +285,10 @@ %doc %{_docdir}/%{name}-%{vprog}/manuals/ %changelog +* Thu Mar 28 2013 Gabriel Somlo <somlo at cmu.edu> 3.10a.jumbopatch.20070520-18 +- patch for cut/paste bug in 24+ bit mode (by Mark Brader <msb(a)vex.net>) +- further buffer overflow fix for overly long command line argument + * Thu Mar 14 2013 Gabriel Somlo <somlo at cmu.edu> 3.10a.jumbopatch.20070520-17 - additional fix for long filename buffer overflow