From dec9ca22d70c0f0d4492333b4e8147afb038afd2 Mon Sep 17 00:00:00 2001 From: Dhiru Kholia Date: Thu, 30 Nov 2017 02:36:26 +0100 Subject: [PATCH] ico: Fix potential integer overflow Which relies on undefined behaviour. Instead of checking for an overflowed integer after the fact, check whether the addition would be possible at all. Fixes: CVE-2017-6312 https://bugzilla.gnome.org/show_bug.cgi?id=779012 --- gdk-pixbuf/io-ico.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/gdk-pixbuf/io-ico.c b/gdk-pixbuf/io-ico.c index 8729a0fb9..a86725751 100644 --- a/gdk-pixbuf/io-ico.c +++ b/gdk-pixbuf/io-ico.c @@ -333,10 +333,8 @@ static void DecodeHeader(guchar *Data, gint Bytes, for (l = State->entries; l != NULL; l = g_list_next (l)) { entry = l->data; - /* We know how many bytes are in the "header" part. */ - State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE; - - if (State->HeaderSize < 0) { + /* Avoid invoking undefined behavior in the State->HeaderSize calculation below */ + if (entry->DIBoffset > G_MAXINT - INFOHEADER_SIZE) { g_set_error (error, GDK_PIXBUF_ERROR, GDK_PIXBUF_ERROR_CORRUPT_IMAGE, @@ -344,6 +342,9 @@ static void DecodeHeader(guchar *Data, gint Bytes, return; } + /* We know how many bytes are in the "header" part. */ + State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE; + if (State->HeaderSize>State->BytesInHeaderBuf) { guchar *tmp=g_try_realloc(State->HeaderBuf,State->HeaderSize); if (!tmp) { -- 2.15.1