Tue Feb 16 17:35:34 2010 UTC ()
Add patches for CVE-2009-2369 and CVE-2009-2625.

Bump PKGREVISION.


(taca)
diff -r1.4 -r1.5 pkgsrc/x11/wxGTK26/Makefile
diff -r1.3 -r1.4 pkgsrc/x11/wxGTK26/distinfo
diff -r0 -r1.1 pkgsrc/x11/wxGTK26/patches/patch-ae
diff -r0 -r1.1 pkgsrc/x11/wxGTK26/patches/patch-af
diff -r0 -r1.1 pkgsrc/x11/wxGTK26/patches/patch-ag
diff -r0 -r1.1 pkgsrc/x11/wxGTK26/patches/patch-ah

cvs diff -r1.4 -r1.5 pkgsrc/x11/wxGTK26/Attic/Makefile (expand / switch to context diff)
--- pkgsrc/x11/wxGTK26/Attic/Makefile 2010/01/18 09:59:45 1.4
+++ pkgsrc/x11/wxGTK26/Attic/Makefile 2010/02/16 17:35:34 1.5
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.4 2010/01/18 09:59:45 wiz Exp $
+# $NetBSD: Makefile,v 1.5 2010/02/16 17:35:34 taca Exp $
 #
 
 .include "Makefile.common"
 
-PKGREVISION=		5
+PKGREVISION=		6
 COMMENT=		GTK-based implementation of the wxWidgets GUI library
 
 post-build:

cvs diff -r1.3 -r1.4 pkgsrc/x11/wxGTK26/Attic/distinfo (expand / switch to context diff)
--- pkgsrc/x11/wxGTK26/Attic/distinfo 2009/10/23 11:16:55 1.3
+++ pkgsrc/x11/wxGTK26/Attic/distinfo 2010/02/16 17:35:34 1.4
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.3 2009/10/23 11:16:55 plunky Exp $
+$NetBSD: distinfo,v 1.4 2010/02/16 17:35:34 taca Exp $
 
 SHA1 (wxGTK-2.6.3-libtool.diff3.bz2) = 657566a9384a4bc160dffd26678b5e0c6a1cb5b2
 RMD160 (wxGTK-2.6.3-libtool.diff3.bz2) = 233af8dd61317ed1771c1862c6cec65f131b6de0
@@ -10,3 +10,7 @@
 SHA1 (patch-ab) = 3e9c6bc0df33e466390a4f6483b1c84e2eb9257b
 SHA1 (patch-ac) = 50bd7d4291e44dac1d2bbbae1b12167177f5ef01
 SHA1 (patch-ad) = fb51bb80451d39ba2bba53d42722327888b4a0be
+SHA1 (patch-ae) = d6fcc9b21fd457e79c32f2dc47166dc7afbd65b1
+SHA1 (patch-af) = 96e29001bcf1fbc33f4cb185f25f53a6901ce9d2
+SHA1 (patch-ag) = ccaac341ecd589dbde465f49064dd2ab480fc639
+SHA1 (patch-ah) = e7da6aacd004048d0d07965df09e97cef5a76551

File Added: pkgsrc/x11/wxGTK26/patches/Attic/patch-ae
$NetBSD: patch-ae,v 1.1 2010/02/16 17:35:34 taca Exp $

deal with CVE-2009-2369.

--- src/common/image.cpp.orig	2006-03-21 23:42:10.000000000 +0000
+++ src/common/image.cpp
@@ -192,6 +192,10 @@ bool wxImage::Create( int width, int hei
 
     m_refData = new wxImageRefData();
 
+    if (width <= 0 || height <= 0 || width > INT_MAX / 3 / height) {
+	UnRef();
+	return false;
+    }
     M_IMGDATA->m_data = (unsigned char *) malloc( width*height*3 );
     if (!M_IMGDATA->m_data)
     {
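Review bot: The new guard in `wxImage::Create` carries no comment saying what it protects, and it sits after `m_refData = new wxImageRefData()`, so the rejection path has to allocate and then `UnRef()`. I would put `// reject sizes for which width*height*3 overflows int and m_data would be allocated too small` above it and, if nothing depends on the order, move the check ahead of the allocation. `INT_MAX` needs `<limits.h>` and this hunk adds no include, so confirm image.cpp already pulls it in. The added lines are tab-indented while the context uses spaces, and the function body starts and continues outside the hunk.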

File Added: pkgsrc/x11/wxGTK26/patches/Attic/patch-af
$NetBSD: patch-af,v 1.1 2010/02/16 17:35:34 taca Exp $

deal with CVE-2009-2369.

--- src/common/imagpng.cpp.orig	2006-03-21 23:42:10.000000000 +0000
+++ src/common/imagpng.cpp
@@ -570,18 +570,16 @@ wxPNGHandler::LoadFile(wxImage *image,
     if (!image->Ok())
         goto error;
 
-    lines = (unsigned char **)malloc( (size_t)(height * sizeof(unsigned char *)) );
+    // initialize all line pointers to NULL to ensure that they can be safely
+    // free()d if an error occurs before all of them could be allocated
+    lines = (unsigned char **)calloc(height, sizeof(unsigned char *));
     if ( !lines )
         goto error;
 
     for (i = 0; i < height; i++)
     {
         if ((lines[i] = (unsigned char *)malloc( (size_t)(width * (sizeof(unsigned char) * 4)))) == NULL)
-        {
-            for ( unsigned int n = 0; n < i; n++ )
-                free( lines[n] );
             goto error;
-        }
     }
 
     png_read_image( png_ptr, lines );
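Review bot: With the inner cleanup loop removed, a failed row `malloc` now jumps to `error` with some rows already allocated, so the fix only holds if the `error` label (outside this hunk) walks all `height` entries, frees each `lines[i]` and then frees `lines`. Please confirm that, because the rows allocated before the failure would otherwise leak. The row size `width * (sizeof(unsigned char) * 4)` is still computed without a range check here and appears to rely on the earlier `image->Ok()` test having bounded the dimensions; a short comment such as `// width was bounded when the image was created, so width*4 cannot wrap` would record that assumption if it holds.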

File Added: pkgsrc/x11/wxGTK26/patches/Attic/patch-ag
$NetBSD: patch-ag,v 1.1 2010/02/16 17:35:34 taca Exp $

deal with CVE-2009-2369.

--- src/common/imagtiff.cpp.orig	2006-03-21 23:42:10.000000000 +0000
+++ src/common/imagtiff.cpp
@@ -232,15 +232,25 @@ bool wxTIFFHandler::LoadFile( wxImage *i
     }
 
     uint32 w, h;
-    uint32 npixels;
     uint32 *raster;
 
     TIFFGetField( tif, TIFFTAG_IMAGEWIDTH, &w );
     TIFFGetField( tif, TIFFTAG_IMAGELENGTH, &h );
 
-    npixels = w * h;
+    // guard against integer overflow during multiplication which could result
+    // in allocating a too small buffer and then overflowing it
+    const double bytesNeeded = (double)w * (double)h * sizeof(uint32);
+    if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ )
+    {
+	if ( verbose )
+	    wxLogError( _("TIFF: Image size is abnormally big.") );
+
+	TIFFClose(tif);
+
+	return false;
+    }
 
-    raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) );
+    raster = (uint32*) _TIFFmalloc( bytesNeeded );
 
     if (!raster)
     {
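Review bot: The guard rejects only sizes at or above UINT32_MAX, but `bytesNeeded` is a `double` passed straight to `_TIFFmalloc`. If that function's size parameter is a signed 32-bit type (as I believe it is in libtiff 3.x; please confirm against the bundled header), a request between 2 GiB and 4 GiB passes the check and is converted out of range. Integer arithmetic would avoid the floating-point round trip and make the bound explicit: `if ( h != 0 && w > 0x7FFFFFFFu / sizeof(uint32) / h )` for the test and `_TIFFmalloc( w * h * sizeof(uint32) )` for the allocation. The return values of the two `TIFFGetField` calls in the context lines are not checked, so `w` and `h` may be uninitialized when a tag is missing. The rest of `LoadFile` is outside the hunk.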

File Added: pkgsrc/x11/wxGTK26/patches/Attic/patch-ah
$NetBSD: patch-ah,v 1.1 2010/02/16 17:35:34 taca Exp $

deal with CVE-2009-2625.

--- src/expat/lib/xmltok_impl.c.orig	2006-03-21 23:42:06.000000000 +0000
+++ src/expat/lib/xmltok_impl.c
@@ -1741,7 +1741,7 @@ PREFIX(updatePosition)(const ENCODING *e
                        const char *end,
                        POSITION *pos)
 {
-  while (ptr != end) {
+  while (ptr <= end) {
     switch (BYTE_TYPE(enc, ptr)) {
 #define LEAD_CASE(n) \
     case BT_LEAD ## n: \
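Review bot: `while (ptr <= end)` runs the loop body once more with `ptr == end`, so `BYTE_TYPE(enc, ptr)` reads the byte at `end`. If `end` is the usual one-past-the-last pointer of the input, that is a one-byte read outside the buffer. The old `ptr != end` test presumably failed when a multi-byte step carried `ptr` past `end`; a strict bound covers that case without touching `end` itself: `while (ptr < end) {`. The loop body continues outside the hunk, so the step sizes in the `LEAD_CASE` branches should be checked against the same bound.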