gdk-pixbuf/gdk-pixbuf-bgo779012-ico-overflow.patch

From dec9ca22d70c0f0d4492333b4e8147afb038afd2 Mon Sep 17 00:00:00 2001
From: Dhiru Kholia <dhiru.kholia@gmail.com>
Date: Thu, 30 Nov 2017 02:36:26 +0100
Subject: [PATCH] ico: Fix potential integer overflow

Which relies on undefined behaviour. Instead of checking for an
overflowed integer after the fact, check whether the addition would
be possible at all.

Fixes: CVE-2017-6312

https://bugzilla.gnome.org/show_bug.cgi?id=779012
---
 gdk-pixbuf/io-ico.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/gdk-pixbuf/io-ico.c b/gdk-pixbuf/io-ico.c
index 8729a0fb9..a86725751 100644
--- a/gdk-pixbuf/io-ico.c
+++ b/gdk-pixbuf/io-ico.c
@@ -333,10 +333,8 @@ static void DecodeHeader(guchar *Data, gint Bytes,
 	for (l = State->entries; l != NULL; l = g_list_next (l)) {
 		entry = l->data;
 
-		/* We know how many bytes are in the "header" part. */
-		State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE;
-
-		if (State->HeaderSize < 0) {
+		/* Avoid invoking undefined behavior in the State->HeaderSize calculation below */
+		if (entry->DIBoffset > G_MAXINT - INFOHEADER_SIZE) {
 			g_set_error (error,
 			             GDK_PIXBUF_ERROR,
 			             GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
@@ -344,6 +342,9 @@ static void DecodeHeader(guchar *Data, gint Bytes,
 			return;
 		}
 
+		/* We know how many bytes are in the "header" part. */
+		State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE;
+
 		if (State->HeaderSize>State->BytesInHeaderBuf) {
 			guchar *tmp=g_try_realloc(State->HeaderBuf,State->HeaderSize);
 			if (!tmp) {
-- 
2.15.1
Accepting request 562058 from home:mgorse:branches:GNOME:Factory - Add gdk-pixbuf-bgo779012-ico-overflow.patch: fix a potential integer overflow (boo#1027026 CVE-2017-6312). - Add gdk-pixbuf-gif-negative-array-indexes.patch and gdk-pixbuf-gif-uninitialized-variable.patch: protect against access to negative array indexes (BGO#778584). - Add gdk-pixbuf-tiff-overflow.patch: avoid overflow during size computation (bgo#779020). - Add gdk-pixbuf-icns-handle-short-blocklen.patch: protect against short block length when reading icns (boo#1027024 CVE-2017-6313). OBS-URL: https://build.opensuse.org/request/show/562058 OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/gdk-pixbuf?expand=0&rev=144 2018-01-08 13:31:19 +01:00			`From dec9ca22d70c0f0d4492333b4e8147afb038afd2 Mon Sep 17 00:00:00 2001`
			`From: Dhiru Kholia <dhiru.kholia@gmail.com>`
			`Date: Thu, 30 Nov 2017 02:36:26 +0100`
			`Subject: [PATCH] ico: Fix potential integer overflow`

			`Which relies on undefined behaviour. Instead of checking for an`
			`overflowed integer after the fact, check whether the addition would`
			`be possible at all.`

			`Fixes: CVE-2017-6312`

			`https://bugzilla.gnome.org/show_bug.cgi?id=779012`
			`---`
			`gdk-pixbuf/io-ico.c \| 9 +++++----`
			`1 file changed, 5 insertions(+), 4 deletions(-)`

			`diff --git a/gdk-pixbuf/io-ico.c b/gdk-pixbuf/io-ico.c`
			`index 8729a0fb9..a86725751 100644`
			`--- a/gdk-pixbuf/io-ico.c`
			`+++ b/gdk-pixbuf/io-ico.c`
			`@@ -333,10 +333,8 @@ static void DecodeHeader(guchar *Data, gint Bytes,`
			`for (l = State->entries; l != NULL; l = g_list_next (l)) {`
			`entry = l->data;`

			`- /* We know how many bytes are in the "header" part. */`
			`- State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE;`
			`-`
			`- if (State->HeaderSize < 0) {`
			`+ /* Avoid invoking undefined behavior in the State->HeaderSize calculation below */`
			`+ if (entry->DIBoffset > G_MAXINT - INFOHEADER_SIZE) {`
			`g_set_error (error,`
			`GDK_PIXBUF_ERROR,`
			`GDK_PIXBUF_ERROR_CORRUPT_IMAGE,`
			`@@ -344,6 +342,9 @@ static void DecodeHeader(guchar *Data, gint Bytes,`
			`return;`
			`}`

			`+ /* We know how many bytes are in the "header" part. */`
			`+ State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE;`
			`+`
			`if (State->HeaderSize>State->BytesInHeaderBuf) {`
			`guchar *tmp=g_try_realloc(State->HeaderBuf,State->HeaderSize);`
			`if (!tmp) {`
			`--`
			`2.15.1`