pool/gdk-pixbuf
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
b09d959fa0
gdk-pixbuf/gdk-pixbuf-bgo769738-bmp-overflow.patch
Bjørn Lie 7eea91dac6 Accepting request 424115 from home:zhangxiaofei:branches:GNOME:Factory 
- Add fixes for some crashes, taken from upstream git (bsc#988745
  bsc#991450 CVE-2016-6352):
  gdk-pixbuf-bgo768688-bmp-overflow.patch
  gdk-pixbuf-bgo768484-ico-set-errors.patch
  gdk-pixbuf-bgo769738-bmp-overflow.patch
  gdk-pixbuf-bgo769170-ico-headers.patch

OBS-URL: https://build.opensuse.org/request/show/424115
OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/gdk-pixbuf?expand=0&rev=111
2016-09-01 09:33:46 +00:00

58 lines
2.1 KiB
Diff
Raw Blame History

From 779429ce34e439c01d257444fe9d6739e72a2024 Mon Sep 17 00:00:00 2001
From: Tobias Mueller <gnome-bugs@muelli.cryptobitch.de>
Date: Tue, 12 Jul 2016 15:20:00 +0000
Subject: [PATCH] bmp: Detect integer overflow of the line width
Instead of risking crashes or OOM, return an error if
we detect integer overflow.
The commit also includes a test image that triggers
this overflow when used with pixbuf-read.
https://bugzilla.gnome.org/show_bug.cgi?id=768738
---
gdk-pixbuf/io-bmp.c | 21 ++++++++++++---------
.../randomly-modified/bmp-line-overflow.bmp | Bin 0 -> 74 bytes
2 files changed, 12 insertions(+), 9 deletions(-)
create mode 100644 tests/test-images/randomly-modified/bmp-line-overflow.bmp
diff --git a/gdk-pixbuf/io-bmp.c b/gdk-pixbuf/io-bmp.c
index 748ebae..08e3c76 100644
--- a/gdk-pixbuf/io-bmp.c
+++ b/gdk-pixbuf/io-bmp.c
@@ -254,6 +254,7 @@ static gboolean DecodeHeader(unsigned char *BFH, unsigned char *BIH,
GError **error)
{
gint clrUsed;
+ guint bytesPerPixel;
/* First check for the two first bytes content. A sane
BMP file must start with bytes 0x42 0x4D. */
@@ -380,15 +381,17 @@ static gboolean DecodeHeader(unsigned char *BFH, unsigned char *BIH,
return FALSE;
}
- if (State->Type == 32)
- State->LineWidth = State->Header.width * 4;
- else if (State->Type == 24)
- State->LineWidth = State->Header.width * 3;
- else if (State->Type == 16)
- State->LineWidth = State->Header.width * 2;
- else if (State->Type == 8)
- State->LineWidth = State->Header.width * 1;
- else if (State->Type == 4)
+ if ((State->Type >= 8) && (State->Type <= 32) && (State->Type % 8 == 0)) {
+ bytesPerPixel = State->Type / 8;
+ State->LineWidth = State->Header.width * bytesPerPixel;
+ if (State->Header.width != State->LineWidth / bytesPerPixel) {
+ g_set_error_literal (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("BMP image width too large"));
+ return FALSE;
+ }
+ } else if (State->Type == 4)
State->LineWidth = (State->Header.width + 1) / 2;
else if (State->Type == 1) {
State->LineWidth = State->Header.width / 8;
Reference in New Issue View Git Blame Copy Permalink