gdk-pixbuf/gdk-pixbuf-cve-2017-2862-jpeg-channels.patch
Dominique Leuenberger 88750fa0a2 Accepting request 510608 from home:hpjansson:bsc1048289-gf
- Add fixes for crashes, taken from upstream git (CVE-2017-2862,
  CVE-2017-2870, bgo#784866, bgo#780269):
  gdk-pixbuf-cve-2017-2862-jpeg-channels.patch
  gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch

OBS-URL: https://build.opensuse.org/request/show/510608
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/gdk-pixbuf?expand=0&rev=130
2017-07-16 19:03:40 +00:00

commit c2a40a92fe3df4111ed9da51fe3368c079b86926
Author: Tobias Mueller <muelli@cryptobitch.de>
Date: Wed Jul 12 20:36:11 2017 +0200

jpeg: Throw error when number of color components is unsupported

Explicitly check "3" or "4" output color components.

gdk-pixbuf assumed the value of output_components to be either
3 or 4, but not an invalid value (9) or an unsupported value (1).

The way the buffer size was deduced was using a naive "== 4" check,
with a 1, 3 or 9 color component picture getting the same buffer size,
a size just sufficient for 3 color components, causing invalid writes
later when libjpeg-turbo was decoding the image.

CVE-2017-2862

Sent by Marcin 'Icewall' Noga of Cisco Talos

https://bugzilla.gnome.org/show_bug.cgi?id=784866

diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
index dd88a350a..1c0eba1a9 100644
--- a/gdk-pixbuf/io-jpeg.c
+++ b/gdk-pixbuf/io-jpeg.c
@@ -1051,6 +1051,7 @@ gdk_pixbuf__jpeg_image_load_increment (gpointer data,
if (!context->got_header) {
int rc;
gchar* comment;
+ gboolean has_alpha;
jpeg_save_markers (cinfo, JPEG_APP0+1, 0xffff);
jpeg_save_markers (cinfo, JPEG_APP0+2, 0xffff);
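Review bot: `gboolean has_alpha;` is declared without an initializer at the top of the `!context->got_header` block, so it is only well-defined at the later `gdk_pixbuf_new` call because the rejecting branch jumps to `out` first. Initializing it to FALSE at the declaration would keep it defined if another branch is ever added to the component check.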
@@ -1089,10 +1090,24 @@ gdk_pixbuf__jpeg_image_load_increment (gpointer data,
}
}
jpeg_calc_output_dimensions (cinfo);
-
- context->pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB,
- cinfo->output_components == 4 ? TRUE : FALSE,
- 8,
+
+ if (cinfo->output_components == 3) {
+ has_alpha = FALSE;
+ } else if (cinfo->output_components == 4) {
+ has_alpha = TRUE;
+ } else {
+ g_set_error (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Unsupported number of color components (%d)"),
+ cinfo->output_components);
+ retval = FALSE;
+ goto out;
+ }
+
+ context->pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB,
+ has_alpha,
+ 8,
cinfo->output_width,
cinfo->output_height);
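Review bot: The else branch of the `cinfo->output_components` check reports every count other than 3 or 4 as GDK_PIXBUF_ERROR_CORRUPT_IMAGE, although the commit message distinguishes an invalid count (9) from a merely unsupported one (1); a well-formed image with an unsupported count will be reported to callers as corrupt, so either use a separate error code for that case or note the choice in a comment. The allocation fix itself looks right: `has_alpha` passed to `gdk_pixbuf_new` is now derived only from the two accepted counts, so the buffer size and the decoder's component count can no longer disagree. The patch as shown touches only io-jpeg.c; a regression test with a sample file for each rejected component count would keep the check from being loosened later.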