Dominique Leuenberger
7d230a8bba
- Add gdk-pixbuf-bgo779012-ico-overflow.patch: fix a potential integer overflow (boo#1027026 CVE-2017-6312). - Add gdk-pixbuf-gif-negative-array-indexes.patch and gdk-pixbuf-gif-uninitialized-variable.patch: protect against access to negative array indexes (BGO#778584). - Add gdk-pixbuf-tiff-overflow.patch: avoid overflow during size computation (bgo#779020). - Add gdk-pixbuf-icns-handle-short-blocklen.patch: protect against short block length when reading icns (boo#1027024 CVE-2017-6313). OBS-URL: https://build.opensuse.org/request/show/562058 OBS-URL: https://build.opensuse.org/package/show/GNOME:Factory/gdk-pixbuf?expand=0&rev=144
39 lines
1.3 KiB
Diff
39 lines
1.3 KiB
Diff
From 1e513abdb55529f888233d3c96b27352d83aad5f Mon Sep 17 00:00:00 2001
|
|
From: Bastien Nocera <hadess@hadess.net>
|
|
Date: Tue, 5 Dec 2017 10:26:49 +0100
|
|
Subject: [PATCH] tiff: Avoid overflowing buffer size computation
|
|
|
|
Use g_uint_checked_mul() to avoid overflowing the guint used for buffer
|
|
size calculation.
|
|
|
|
https://bugzilla.gnome.org/show_bug.cgi?id=779020
|
|
---
|
|
gdk-pixbuf/io-tiff.c | 11 +++++++++--
|
|
1 file changed, 9 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/gdk-pixbuf/io-tiff.c b/gdk-pixbuf/io-tiff.c
|
|
index 7ca0a565a..49fe60eee 100644
|
|
--- a/gdk-pixbuf/io-tiff.c
|
|
+++ b/gdk-pixbuf/io-tiff.c
|
|
@@ -529,8 +529,15 @@ make_available_at_least (TiffContext *context, guint needed)
|
|
need_alloc = context->used + needed;
|
|
if (need_alloc > context->allocated) {
|
|
guint new_size = 1;
|
|
- while (new_size < need_alloc)
|
|
- new_size *= 2;
|
|
+ while (new_size < need_alloc) {
|
|
+ if (!g_uint_checked_mul (&new_size, new_size, 2)) {
|
|
+ new_size = 0;
|
|
+ break;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if (new_size == 0)
|
|
+ return FALSE;
|
|
|
|
new_buffer = g_try_realloc (context->buffer, new_size);
|
|
if (new_buffer) {
|
|
--
|
|
2.15.1
|
|
|