initial import

xcftools/security.patch

@@ -0,0 +1,61 @@
+From 59c38e3e45b9112c2bcb4392bccf56e297854f8a Mon Sep 17 00:00:00 2001
+From: Anton Gladky <gladk@debian.org>
+Date: Sat, 23 May 2020 17:44:33 +0200
+Subject: [PATCH] Prevent integer overflow in computeDimensions. #12
+
+Fix for CVE-2019-5086 and CVE-2019-5087
+
+The code checks the sizes of width and height and stop execution, if it exceeds
+maximal values.
+---
+ xcf-general.c | 16 ++++++++++++++++
+ xcftools.h    |  2 +-
+ 2 files changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/xcf-general.c b/xcf-general.c
+index b23c260..169b4f7 100644
+--- a/xcf-general.c
++++ b/xcf-general.c
+@@ -19,6 +19,7 @@
+ #include "xcftools.h"
+ #include <string.h>
+ #include <errno.h>
++#include <limits.h>
+ #ifdef HAVE_ICONV
+ # include <iconv.h>
+ #elif !defined(ICONV_CONST)
+@@ -182,6 +183,21 @@ xcfString(uint32_t ptr,uint32_t *after)
+ void
+ computeDimensions(struct tileDimensions *d)
+ {
++  // [ CVE-2019-5086 and CVE-2019-5087 ]
++  // This part of code is the check to prevent integer overflow, see CVE-2019-5086 and CVE-2019-5087
++
++  if ((d->c.l + d->width)*4 > INT_MAX) {
++    fprintf(stderr,("Width is too large (%d)! Stopping execution...\n"), (d->c.l + d->width));
++    exit(0);
++  }
++
++  if ((d->c.t + d->height)*4 > INT_MAX) {
++    fprintf(stderr,("Height is too large (%d)! Stopping execution...\n"), (d->c.t + d->height));
++    exit(0);
++  }
++
++  // [ CVE-2019-5086 and CVE-2019-5087 ]
++
+   d->c.r = d->c.l + d->width ;
+   d->c.b = d->c.t + d->height ;
+   d->tilesx = (d->width+TILE_WIDTH-1)/TILE_WIDTH ;
+diff --git a/xcftools.h b/xcftools.h
+index 5a1efcc..4bb02ea 100644
+--- a/xcftools.h
++++ b/xcftools.h
+@@ -121,7 +121,7 @@ FILE* openout(const char*);
+ void closeout(FILE *,const char*);
+ 
+ struct rect {
+-  int t, b, l, r ;
++  int64_t t, b, l, r ;
+ };
+ 
+ #define isSubrect(A,B) \