Version in base suite: 2.6.3.2.1.5
Version in overlay suite: (not present)

Base version: wxwidgets2.6_2.6.3.2.1.5
Target version: wxwidgets2.6_2.6.3.2.1.5+etch1
Base file: /org/ftp.debian.org/ftp/pool/main/w/wxwidgets2.6/wxwidgets2.6_2.6.3.2.1.5.dsc
Target file: /org/ftp.debian.org/queue/o-p-u-new/wxwidgets2.6_2.6.3.2.1.5+etch1.dsc

 debian/changelog        |    8 ++++++++
 src/common/imagpng.cpp  |    8 +++-----
 src/common/imagtiff.cpp |   16 +++++++++++++---
 3 files changed, 24 insertions(+), 8 deletions(-)

diff -Nru wxwidgets2.6-2.6.3.2.1.5/debian/changelog wxwidgets2.6-2.6.3.2.1.5+etch1/debian/changelog
--- wxwidgets2.6-2.6.3.2.1.5/debian/changelog	2006-08-15 22:00:08.000000000 +0000
+++ wxwidgets2.6-2.6.3.2.1.5+etch1/debian/changelog	2009-09-17 17:22:19.000000000 +0000
@@ -1,3 +1,11 @@
+wxwidgets2.6 (2.6.3.2.1.5+etch1) oldstable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fixed Integer overflow in the wxImage::Create function.
+    (CVE-2009-2369) (Closes: #537175)
+
+ -- Giuseppe Iuculano <giuseppe@iuculano.it>  Thu, 17 Sep 2009 19:21:27 +0200
+
 wxwidgets2.6 (2.6.3.2.1.5) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru wxwidgets2.6-2.6.3.2.1.5/src/common/imagpng.cpp wxwidgets2.6-2.6.3.2.1.5+etch1/src/common/imagpng.cpp
--- wxwidgets2.6-2.6.3.2.1.5/src/common/imagpng.cpp	2006-05-01 04:38:40.000000000 +0000
+++ wxwidgets2.6-2.6.3.2.1.5+etch1/src/common/imagpng.cpp	2009-09-17 17:19:58.000000000 +0000
@@ -570,18 +570,16 @@
     if (!image->Ok())
         goto error;
 
-    lines = (unsigned char **)malloc( (size_t)(height * sizeof(unsigned char *)) );
+    // initialize all line pointers to NULL to ensure that they can be safely
+    // free()d if an error occurs before all of them could be allocated
+    lines = (unsigned char **)calloc(height, sizeof(unsigned char *));
     if ( !lines )
         goto error;
 
     for (i = 0; i < height; i++)
     {
         if ((lines[i] = (unsigned char *)malloc( (size_t)(width * (sizeof(unsigned char) * 4)))) == NULL)
-        {
-            for ( unsigned int n = 0; n < i; n++ )
-                free( lines[n] );
             goto error;
-        }
     }
 
     png_read_image( png_ptr, lines );
diff -Nru wxwidgets2.6-2.6.3.2.1.5/src/common/imagtiff.cpp wxwidgets2.6-2.6.3.2.1.5+etch1/src/common/imagtiff.cpp
--- wxwidgets2.6-2.6.3.2.1.5/src/common/imagtiff.cpp	2006-05-01 04:38:40.000000000 +0000
+++ wxwidgets2.6-2.6.3.2.1.5+etch1/src/common/imagtiff.cpp	2009-09-17 17:19:58.000000000 +0000
@@ -232,15 +232,25 @@
     }
 
     uint32 w, h;
-    uint32 npixels;
     uint32 *raster;
 
     TIFFGetField( tif, TIFFTAG_IMAGEWIDTH, &w );
     TIFFGetField( tif, TIFFTAG_IMAGELENGTH, &h );
 
-    npixels = w * h;
+    // guard against integer overflow during multiplication which could result
+    // in allocating a too small buffer and then overflowing it
+    const double bytesNeeded = (double)w * (double)h * sizeof(uint32);
+    if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ )
+    {
+        if ( verbose )
+            wxLogError( _("TIFF: Image size is abnormally big.") );
+
+        TIFFClose(tif);
+
+        return false;
+    }
 
-    raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) );
+    raster = (uint32*) _TIFFmalloc( bytesNeeded );
 
     if (!raster)
     {