commit c2a40a92fe3df4111ed9da51fe3368c079b86926
Author: Tobias Mueller
Date: Wed Jul 12 20:36:11 2017 +0200

jpeg: Throw error when number of color components is unsupported

Explicitly check "3" or "4" output color components. gdk-pixbuf assumed that the value of output_components to be either 3 or 4, but not an invalid value (9) or an unsupported value (1).
The way the buffer size was deduced was using a naive "== 4" check, with a 1, 3 or 9 color component picture getting the same buffer size, a size just sufficient for 3 color components, causing invalid writes later when libjpeg-turbo was decoding the image.
CVE-2017-2862
Sent by from Marcin 'Icewall' Noga of Cisco Talos
https://bugzilla.gnome.org/show_bug.cgi?id=784866

diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
index dd88a350a..1c0eba1a9 100644
--- a/gdk-pixbuf/io-jpeg.c
+++ b/gdk-pixbuf/io-jpeg.c
@@ -1051,6 +1051,7 @@ gdk_pixbuf__jpeg_image_load_increment (gpointer data,
 if (!context->got_header) {
 int rc;
 gchar* comment;
+ gboolean has_alpha;
 jpeg_save_markers (cinfo, JPEG_APP0+1, 0xffff);
 jpeg_save_markers (cinfo, JPEG_APP0+2, 0xffff);
@@ -1089,10 +1090,24 @@ gdk_pixbuf__jpeg_image_load_increment (gpointer data,
 }
 }
 jpeg_calc_output_dimensions (cinfo);
-
- context->pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB,
- cinfo->output_components == 4 ? TRUE : FALSE,
- 8,
+
+ if (cinfo->output_components == 3) {
+ has_alpha = FALSE;
+ } else if (cinfo->output_components == 4) {
+ has_alpha = TRUE;
+ } else {
+ g_set_error (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Unsupported number of color components (%d)"),
+ cinfo->output_components);
+ retval = FALSE;
+ goto out;
+ }
+
+ context->pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB,
+ has_alpha,
+ 8,
 cinfo->output_width,
 cinfo->output_height);
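Review bot: The new else-branch in the second hunk rejects output_components == 1 as GDK_PIXBUF_ERROR_CORRUPT_IMAGE, but a 1-component output is exactly what libjpeg produces for a grayscale JPEG when out_color_space is JCS_GRAYSCALE, so if the scanline loop later in gdk_pixbuf__jpeg_image_load_increment (outside this hunk) still handles JCS_GRAYSCALE by expanding gray into the RGB pixbuf, this check turns every grayscale JPEG into a load failure on the incremental path. The commit message treats 1 as "unsupported", but the buffer-size concern it fixes is satisfied for that case by a 3-channel pixbuf, provided the grayscale expansion writes three bytes per pixel, so the safer form admits it explicitly rather than folding it into the corrupt-image error: `} else if (cinfo->output_components == 1 &&` / `           cinfo->out_color_space == JCS_GRAYSCALE) {` / `	has_alpha = FALSE;` inserted before the final `} else {`. The `retval = FALSE; goto out;` path also depends on the `out:` label and the return of retval, both outside the hunk, and it is worth confirming that the cleanup there tolerates context->pixbuf still being NULL at this point. The enclosing function begins before and ends after both hunks.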