gdk-pixbuf/gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch
Dominique Leuenberger 88750fa0a2 Accepting request 510608 from home:hpjansson:bsc1048289-gf
- Add fixes for crashes, taken from upstream git (CVE-2017-2862,
  CVE-2017-2870, bgo#784866, bgo#780269):
  gdk-pixbuf-cve-2017-2862-jpeg-channels.patch
  gdk-pixbuf-cve-2017-2870-tiff-mul-overflow.patch

OBS-URL: https://build.opensuse.org/request/show/510608
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/gdk-pixbuf?expand=0&rev=130
2017-07-16 19:03:40 +00:00


commit 31a6cff3dfc6944aad4612a9668b8ad39122e48b
Author: Ludovico de Nittis <aasonykk@gmail.com>
Date: Sun Mar 19 16:11:13 2017 +0100

tiff: Check for integer overflows in multiplication

The checks currently in use are not sufficient, because they depend on
undefined behaviour:

    rowstride = width * 4;
    if (rowstride / 4 != width) { /* overflow */

If the multiplication has already overflowed, the compiler may decide
to optimize the if out and thus we do not handle the erroneous case.

Rearrange the checks to avoid the undefined behaviour.

Note that gcc doesn't seem to be impacted, though a defined behaviour is
obviously preferred.

CVE-2017-2870
https://bugzilla.gnome.org/show_bug.cgi?id=780269

diff --git a/gdk-pixbuf/io-tiff.c b/gdk-pixbuf/io-tiff.c
index fb5d55095..7d055cfa8 100644
--- a/gdk-pixbuf/io-tiff.c
+++ b/gdk-pixbuf/io-tiff.c
@@ -124,18 +124,18 @@ tiff_image_parse (TIFF *tiff, TiffContext *context, GError **error)
_("Width or height of TIFF image is zero"));
return NULL;
}
-
- rowstride = width * 4;
- if (rowstride / 4 != width) { /* overflow */
+
+ if (width > G_MAXINT / 4) { /* overflow */
g_set_error_literal (error,
GDK_PIXBUF_ERROR,
GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
_("Dimensions of TIFF image too large"));
return NULL;
}
-
- bytes = height * rowstride;
- if (bytes / rowstride != height) { /* overflow */
+
+ rowstride = width * 4;
+
+ if (height > G_MAXINT / rowstride) { /* overflow */
g_set_error_literal (error,
GDK_PIXBUF_ERROR,
GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
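Review bot: the new guard `if (width > G_MAXINT / 4)` bounds width only from above, and the second guard divides by `rowstride`, so both depend on `width` being strictly positive by the time this code runs. The context above the hunk shows only the message "Width or height of TIFF image is zero"; if that earlier check tests for zero rather than for `<= 0`, and `width` is a signed type as the comparison against G_MAXINT suggests, a negative width passes this guard and produces a negative `rowstride`. Please confirm the earlier check rejects negative values, or add a lower bound here. Separately, the blank `-`/`+` pairs ahead of each guard differ only in whitespace, which suggests the added blank lines carry trailing whitespace; dropping them would keep the hunk to the logic change.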
@@ -143,6 +143,8 @@ tiff_image_parse (TIFF *tiff, TiffContext *context, GError **error)
return NULL;
}
+ bytes = height * rowstride;
+
if (context && context->size_func) {
gint w = width;
gint h = height;
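Review bot: `bytes = height * rowstride;` is safe here only because of the `height > G_MAXINT / rowstride` guard that closes just above it, and nothing at the assignment says so. A one-line comment at that line stating that the product cannot exceed G_MAXINT after the preceding checks would keep a later cleanup from moving the multiplication back ahead of the guard, which is the ordering this commit removes.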