Fix CVE 2006-4484. Should be backported.
authorPavlov Konstantin <thresh@videolan.org>
Fri, 1 Feb 2008 10:37:54 +0000 (10:37 +0000)
committerPavlov Konstantin <thresh@videolan.org>
Fri, 1 Feb 2008 10:37:54 +0000 (10:37 +0000)
extras/contrib/src/Makefile
extras/contrib/src/Patches/SDL_image-CVE-2006-4484.patch [new file with mode: 0644]

index 550f8d151443a5777e1d0db7ff48499ad98070ee..36e6ec2d96b51fb66c92c5948b06a4803c66d2a6 100644 (file)
@@ -2012,6 +2012,7 @@ SDL_image-$(SDL_IMAGE_VERSION).tar.gz:
 SDL_image: SDL_image-$(SDL_IMAGE_VERSION).tar.gz 
        $(EXTRACT_GZ)
        patch -p0 < Patches/SDL_image.patch
+       patch -p0 < Patches/SDL_image-CVE-2006-4484.patch
 
 .SDL_image: SDL_image .SDL .png .jpeg .tiff
        (cd $<; $(HOSTCC) ./configure $(HOSTCONF) --prefix=$(PREFIX) CFLAGS="$(CFLAGS)" --enable-tif --disable-sdltest && make && make install)
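Review bot: The added `patch -p0` line looks unlikely to find its target file. The new patch's headers name `sdl-image1.2-1.2.5/IMG_gif.c` and `sdl-image1.2-1.2.5-fixed/IMG_gif.c`, while the tree being built is the `SDL_image` directory (the `.SDL_image` rule does `cd $<` into it). With `-p0` run from the directory that holds `Patches/`, neither path should exist, so the CVE fix would either break the build or not be applied, depending on how patch resolves the name. Stripping the leading component from inside the tree avoids this, e.g. `(cd $@ && patch -p1 < ../Patches/SDL_image-CVE-2006-4484.patch)`, or the patch can be regenerated with `SDL_image/IMG_gif.c` paths to keep the `-p0` convention. How `$(EXTRACT_GZ)` names the extracted directory is not visible in this hunk, so confirm with a clean contrib build that `IMG_gif.c` actually contains the new check.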
diff --git a/extras/contrib/src/Patches/SDL_image-CVE-2006-4484.patch b/extras/contrib/src/Patches/SDL_image-CVE-2006-4484.patch
new file mode 100644 (file)
index 0000000..de82772
--- /dev/null
@@ -0,0 +1,15 @@
+Common subdirectories: sdl-image1.2-1.2.5/debian and sdl-image1.2-1.2.5-fixed/debian
+diff -up sdl-image1.2-1.2.5/IMG_gif.c sdl-image1.2-1.2.5-fixed/IMG_gif.c
+--- sdl-image1.2-1.2.5/IMG_gif.c       2008-01-30 19:49:29.000000000 -0500
++++ sdl-image1.2-1.2.5-fixed/IMG_gif.c 2008-01-30 19:52:56.000000000 -0500
+@@ -418,6 +418,10 @@ LWZReadByte(SDL_RWops *src, int flag, in
+     static int stack[(1 << (MAX_LWZ_BITS)) * 2], *sp;
+     register int i;
++    /* Fixed buffer overflow found by Michael Skladnikiewicz */
++    if (input_code_size > MAX_LWZ_BITS)
++        return -1;
++
+     if (flag) {
+       set_code_size = input_code_size;
+       code_size = set_code_size + 1;
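Review bot: The comment added above the new bounds check credits the reporter but does not say what the check protects. As this is the whole of the CVE fix, it should state the invariant, e.g. `/* Reject code sizes above MAX_LWZ_BITS: static arrays such as stack[] are sized by 1 << MAX_LWZ_BITS */`. The check bounds `input_code_size` only from above, and whether a lower bound is also needed depends on how the caller obtains the value, which this hunk does not show. The body of `LWZReadByte` continues past the end of the hunk, so the indexing that the check guards cannot be confirmed from here.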