gdk-pixbuf/gdk-pixbuf-icns-handle-short-blocklen.patch

From 210b16399a492d05efb209615a143920b24251f4 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Tue, 5 Dec 2017 11:51:02 +0100
Subject: [PATCH] icns: Protect against too short blocklen (CVE-2017-6313)

The blocklen needs to be at least header sized to be valid, otherwise we
can underflow picture data or mask data lengths.

https://bugzilla.gnome.org/show_bug.cgi?id=779016
---
 gdk-pixbuf/io-icns.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/gdk-pixbuf/io-icns.c b/gdk-pixbuf/io-icns.c
index a432e463f..41732b153 100644
--- a/gdk-pixbuf/io-icns.c
+++ b/gdk-pixbuf/io-icns.c
@@ -95,7 +95,8 @@ load_resources (unsigned size, IN gpointer data, gsize datalen,
       blocklen = GUINT32_FROM_BE (header->size);
 
       /* Check that blocklen isn't garbage */
-      if (blocklen > icnslen - (current - bytes))
+      if (blocklen > icnslen - (current - bytes) ||
+	  blocklen < sizeof (IcnsBlockHeader))
         return FALSE;
 
       switch (size)
-- 
2.15.1
Accepting request 562058 from home:mgorse:branches:GNOME:Factory - Add gdk-pixbuf-bgo779012-ico-overflow.patch: fix a potential integer overflow (boo#1027026 CVE-2017-6312). - Add gdk-pixbuf-gif-negative-array-indexes.patch and gdk-pixbuf-gif-uninitialized-variable.patch: protect against access to negative array indexes (BGO#778584). - Add gdk-pixbuf-tiff-overflow.patch: avoid overflow during size computation (bgo#779020). - Add gdk-pixbuf-icns-handle-short-blocklen.patch: protect against short block length when reading icns (boo#1027024 CVE-2017-6313). OBS-URL: https://build.opensuse.org/request/show/562058 OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/gdk-pixbuf?expand=0&rev=144 2018-01-08 13:31:19 +01:00			`From 210b16399a492d05efb209615a143920b24251f4 Mon Sep 17 00:00:00 2001`
			`From: Bastien Nocera <hadess@hadess.net>`
			`Date: Tue, 5 Dec 2017 11:51:02 +0100`
			`Subject: [PATCH] icns: Protect against too short blocklen (CVE-2017-6313)`

			`The blocklen needs to be at least header sized to be valid, otherwise we`
			`can underflow picture data or mask data lengths.`

			`https://bugzilla.gnome.org/show_bug.cgi?id=779016`
			`---`
			`gdk-pixbuf/io-icns.c \| 3 ++-`
			`1 file changed, 2 insertions(+), 1 deletion(-)`

			`diff --git a/gdk-pixbuf/io-icns.c b/gdk-pixbuf/io-icns.c`
			`index a432e463f..41732b153 100644`
			`--- a/gdk-pixbuf/io-icns.c`
			`+++ b/gdk-pixbuf/io-icns.c`
			`@@ -95,7 +95,8 @@ load_resources (unsigned size, IN gpointer data, gsize datalen,`
			`blocklen = GUINT32_FROM_BE (header->size);`

			`/* Check that blocklen isn't garbage */`
			`- if (blocklen > icnslen - (current - bytes))`
			`+ if (blocklen > icnslen - (current - bytes) \|\|`
			`+ blocklen < sizeof (IcnsBlockHeader))`
			`return FALSE;`

			`switch (size)`
			`--`
			`2.15.1`