gdk-pixbuf/gdk-pixbuf-tiff-overflow.patch

From 1e513abdb55529f888233d3c96b27352d83aad5f Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Tue, 5 Dec 2017 10:26:49 +0100
Subject: [PATCH] tiff: Avoid overflowing buffer size computation

Use g_uint_checked_mul() to avoid overflowing the guint used for buffer
size calculation.

https://bugzilla.gnome.org/show_bug.cgi?id=779020
---
 gdk-pixbuf/io-tiff.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/gdk-pixbuf/io-tiff.c b/gdk-pixbuf/io-tiff.c
index 7ca0a565a..49fe60eee 100644
--- a/gdk-pixbuf/io-tiff.c
+++ b/gdk-pixbuf/io-tiff.c
@@ -529,8 +529,15 @@ make_available_at_least (TiffContext *context, guint needed)
         need_alloc = context->used + needed;
         if (need_alloc > context->allocated) {
                 guint new_size = 1;
-                while (new_size < need_alloc)
-                        new_size *= 2;
+                while (new_size < need_alloc) {
+                        if (!g_uint_checked_mul (&new_size, new_size, 2)) {
+                                new_size = 0;
+                                break;
+                        }
+                }
+
+                if (new_size == 0)
+                        return FALSE;
 
                 new_buffer = g_try_realloc (context->buffer, new_size);
                 if (new_buffer) {
-- 
2.15.1
Accepting request 562058 from home:mgorse:branches:GNOME:Factory - Add gdk-pixbuf-bgo779012-ico-overflow.patch: fix a potential integer overflow (boo#1027026 CVE-2017-6312). - Add gdk-pixbuf-gif-negative-array-indexes.patch and gdk-pixbuf-gif-uninitialized-variable.patch: protect against access to negative array indexes (BGO#778584). - Add gdk-pixbuf-tiff-overflow.patch: avoid overflow during size computation (bgo#779020). - Add gdk-pixbuf-icns-handle-short-blocklen.patch: protect against short block length when reading icns (boo#1027024 CVE-2017-6313). OBS-URL: https://build.opensuse.org/request/show/562058 OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/gdk-pixbuf?expand=0&rev=144 2018-01-08 12:31:19 +00:00			`From 1e513abdb55529f888233d3c96b27352d83aad5f Mon Sep 17 00:00:00 2001`
			`From: Bastien Nocera <hadess@hadess.net>`
			`Date: Tue, 5 Dec 2017 10:26:49 +0100`
			`Subject: [PATCH] tiff: Avoid overflowing buffer size computation`

			`Use g_uint_checked_mul() to avoid overflowing the guint used for buffer`
			`size calculation.`

			`https://bugzilla.gnome.org/show_bug.cgi?id=779020`
			`---`
			`gdk-pixbuf/io-tiff.c \| 11 +++++++++--`
			`1 file changed, 9 insertions(+), 2 deletions(-)`

			`diff --git a/gdk-pixbuf/io-tiff.c b/gdk-pixbuf/io-tiff.c`
			`index 7ca0a565a..49fe60eee 100644`
			`--- a/gdk-pixbuf/io-tiff.c`
			`+++ b/gdk-pixbuf/io-tiff.c`
			`@@ -529,8 +529,15 @@ make_available_at_least (TiffContext *context, guint needed)`
			`need_alloc = context->used + needed;`
			`if (need_alloc > context->allocated) {`
			`guint new_size = 1;`
			`- while (new_size < need_alloc)`
			`- new_size *= 2;`
			`+ while (new_size < need_alloc) {`
			`+ if (!g_uint_checked_mul (&new_size, new_size, 2)) {`
			`+ new_size = 0;`
			`+ break;`
			`+ }`
			`+ }`
			`+`
			`+ if (new_size == 0)`
			`+ return FALSE;`

			`new_buffer = g_try_realloc (context->buffer, new_size);`
			`if (new_buffer) {`
			`--`
			`2.15.1`