pool/gdk-pixbuf
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7fcb12fb15
gdk-pixbuf/gdk-pixbuf-bgo779012-ico-overflow.patch
Dominique Leuenberger 7d230a8bba Accepting request 562058 from home:mgorse:branches:GNOME:Factory 
- Add gdk-pixbuf-bgo779012-ico-overflow.patch: fix a potential
  integer overflow (boo#1027026 CVE-2017-6312).
- Add gdk-pixbuf-gif-negative-array-indexes.patch and
  gdk-pixbuf-gif-uninitialized-variable.patch: protect against
  access to negative array indexes (BGO#778584).
- Add gdk-pixbuf-tiff-overflow.patch: avoid overflow during size
  computation (bgo#779020).
- Add gdk-pixbuf-icns-handle-short-blocklen.patch: protect against
  short block length when reading icns (boo#1027024
  CVE-2017-6313).

OBS-URL: https://build.opensuse.org/request/show/562058
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/gdk-pixbuf?expand=0&rev=144
2018-01-08 12:31:19 +00:00

47 lines
1.5 KiB
Diff
Raw Blame History

From dec9ca22d70c0f0d4492333b4e8147afb038afd2 Mon Sep 17 00:00:00 2001
From: Dhiru Kholia <dhiru.kholia@gmail.com>
Date: Thu, 30 Nov 2017 02:36:26 +0100
Subject: [PATCH] ico: Fix potential integer overflow
Which relies on undefined behaviour. Instead of checking for an
overflowed integer after the fact, check whether the addition would
be possible at all.
Fixes: CVE-2017-6312
https://bugzilla.gnome.org/show_bug.cgi?id=779012
---
gdk-pixbuf/io-ico.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/gdk-pixbuf/io-ico.c b/gdk-pixbuf/io-ico.c
index 8729a0fb9..a86725751 100644
--- a/gdk-pixbuf/io-ico.c
+++ b/gdk-pixbuf/io-ico.c
@@ -333,10 +333,8 @@ static void DecodeHeader(guchar *Data, gint Bytes,
for (l = State->entries; l != NULL; l = g_list_next (l)) {
entry = l->data;
- /* We know how many bytes are in the "header" part. */
- State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE;
-
- if (State->HeaderSize < 0) {
+ /* Avoid invoking undefined behavior in the State->HeaderSize calculation below */
+ if (entry->DIBoffset > G_MAXINT - INFOHEADER_SIZE) {
g_set_error (error,
GDK_PIXBUF_ERROR,
GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
@@ -344,6 +342,9 @@ static void DecodeHeader(guchar *Data, gint Bytes,
return;
}
+ /* We know how many bytes are in the "header" part. */
+ State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE;
+
if (State->HeaderSize>State->BytesInHeaderBuf) {
guchar *tmp=g_try_realloc(State->HeaderBuf,State->HeaderSize);
if (!tmp) {
--
2.15.1
Reference in New Issue View Git Blame Copy Permalink