Dominique Leuenberger
7d230a8bba
- Add gdk-pixbuf-bgo779012-ico-overflow.patch: fix a potential integer overflow (boo#1027026 CVE-2017-6312). - Add gdk-pixbuf-gif-negative-array-indexes.patch and gdk-pixbuf-gif-uninitialized-variable.patch: protect against access to negative array indexes (BGO#778584). - Add gdk-pixbuf-tiff-overflow.patch: avoid overflow during size computation (bgo#779020). - Add gdk-pixbuf-icns-handle-short-blocklen.patch: protect against short block length when reading icns (boo#1027024 CVE-2017-6313). OBS-URL: https://build.opensuse.org/request/show/562058 OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/gdk-pixbuf?expand=0&rev=144
31 lines
1009 B
Diff
31 lines
1009 B
Diff
From 210b16399a492d05efb209615a143920b24251f4 Mon Sep 17 00:00:00 2001
|
|
From: Bastien Nocera <hadess@hadess.net>
|
|
Date: Tue, 5 Dec 2017 11:51:02 +0100
|
|
Subject: [PATCH] icns: Protect against too short blocklen (CVE-2017-6313)
|
|
|
|
The blocklen needs to be at least header sized to be valid, otherwise we
|
|
can underflow picture data or mask data lengths.
|
|
|
|
https://bugzilla.gnome.org/show_bug.cgi?id=779016
|
|
---
|
|
gdk-pixbuf/io-icns.c | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/gdk-pixbuf/io-icns.c b/gdk-pixbuf/io-icns.c
|
|
index a432e463f..41732b153 100644
|
|
--- a/gdk-pixbuf/io-icns.c
|
|
+++ b/gdk-pixbuf/io-icns.c
|
|
@@ -95,7 +95,8 @@ load_resources (unsigned size, IN gpointer data, gsize datalen,
|
|
blocklen = GUINT32_FROM_BE (header->size);
|
|
|
|
/* Check that blocklen isn't garbage */
|
|
- if (blocklen > icnslen - (current - bytes))
|
|
+ if (blocklen > icnslen - (current - bytes) ||
|
|
+ blocklen < sizeof (IcnsBlockHeader))
|
|
return FALSE;
|
|
|
|
switch (size)
|
|
--
|
|
2.15.1
|
|
|