Dominique Leuenberger
7d230a8bba
- Add gdk-pixbuf-bgo779012-ico-overflow.patch: fix a potential integer overflow (boo#1027026 CVE-2017-6312).
- Add gdk-pixbuf-gif-negative-array-indexes.patch and gdk-pixbuf-gif-uninitialized-variable.patch: protect against access to negative array indexes (BGO#778584).
- Add gdk-pixbuf-tiff-overflow.patch: avoid overflow during size computation (bgo#779020).
- Add gdk-pixbuf-icns-handle-short-blocklen.patch: protect against short block length when reading icns (boo#1027024 CVE-2017-6313).

OBS-URL: https://build.opensuse.org/request/show/562058
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/gdk-pixbuf?expand=0&rev=144
From 23e2a7c4b7794220ecd77389b3976c0767fc839d Mon Sep 17 00:00:00 2001
From: Tobias Mueller <muelli@cryptobitch.de>
Date: Wed, 14 Dec 2016 08:03:16 +0100
Subject: [PATCH] gif: Prevent access to negative array indexes
It seems that a pathological gif file can cause a negative array index
to be read. UBSAN reported this:
io-gif.c:509:44: runtime error: index -2 out of bounds for type 'guchar [280]'
io-gif.c:510:44: runtime error: index -1 out of bounds for type 'guchar [280]'
https://bugzilla.gnome.org/show_bug.cgi?id=778584
---
gdk-pixbuf/io-gif.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
index ef1001779..acbd1f3be 100644
--- a/gdk-pixbuf/io-gif.c
+++ b/gdk-pixbuf/io-gif.c
@@ -508,6 +508,14 @@ gif_lzw_fill_buffer (GifContext *context)
return -2;
}
+ if (context->code_last_byte < 2) {
+ g_set_error_literal (context->error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Bad code encountered"));
+ return -2;
+ }
+
context->block_buf[0] = context->block_buf[context->code_last_byte - 2];
context->block_buf[1] = context->block_buf[context->code_last_byte - 1];
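Review bot: the new `context->code_last_byte < 2` guard ahead of the two `block_buf` copies ships without a regression test; the diffstat touches only gdk-pixbuf/io-gif.c, so nothing will catch this check being dropped or weakened later. Please add the pathological GIF that produced the UBSAN report (or a minimal equivalent) to the test images so the loader is exercised on it and expected to fail with GDK_PIXBUF_ERROR_CORRUPT_IMAGE. Two smaller points on the same lines: the guard only bounds the index from below, so it is worth confirming that `code_last_byte` is also kept within the 280-byte `block_buf` wherever it is assigned, and a one-line comment above the `if` saying that the last two bytes of the previous block are carried over would explain why 2 is the threshold.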
--
2.15.1