Fix build + CVE-2011-2896 + crash (forwarded request 81711 from vuntz) OBS-URL: https://build.opensuse.org/request/show/81712 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gimp?expand=0&rev=64
From 0eae221c7c6eb84591d718587a17ea90c8852d5b Mon Sep 17 00:00:00 2001
|
|
From: Nils Philippsen <nils@redhat.com>
|
|
Date: Thu, 04 Aug 2011 10:47:44 +0000
|
|
Subject: file-gif-load: ensure return value of LZWReadByte() is <= 255
|
|
|
|
(cherry picked from commit b1a3de761362db982c0ddfaff60ab4a3c4267f32)
|
|
---
|
|
diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
|
|
index 9a0720b..a4d98fc 100644
|
|
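--- a/plug-ins/common/file-gif-load.c
+++ b/plug-ins/common/file-gif-load.c
@@ -743,11 +743,11 @@ LZWReadByte (FILE *fd,
 }
 while (firstcode == clear_code);
 
- return firstcode;
+ return firstcode & 255;
 }
 
 if (sp > stack)
- return *--sp;
+ return (*--sp) & 255;
 
 while ((code = GetCode (fd, code_size, FALSE)) >= 0)
 {
@@ -770,7 +770,7 @@ LZWReadByte (FILE *fd,
 sp = stack;
 firstcode = oldcode = GetCode (fd, code_size, FALSE);
 
- return firstcode;
+ return firstcode & 255;
 }
 else if (code == end_code)
 {
@@ -826,10 +826,10 @@ LZWReadByte (FILE *fd,
 oldcode = incode;
 
 if (sp > stack)
- return *--sp;
+ return (*--sp) & 255;
 }
 
- return code;
+ return code & 255;
 }
 
 static gint32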
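Review bot: The new `return firstcode & 255;` that follows `firstcode = oldcode = GetCode (fd, code_size, FALSE);` (second hunk) and the final `return code & 255;` (third hunk) also mask negative values. The loop condition `(code = GetCode (...)) >= 0` shows that GetCode can return a negative code, and `-1 & 255` is 255, so an error or end-of-data result would come back as an ordinary pixel value. If callers of LZWReadByte rely on a negative return to stop reading (not visible here), the sentinel should pass through unmasked, e.g. `return (code < 0) ? code : (code & 255);`. The body of LZWReadByte starts and ends outside these hunks, so the path to the last return is inferred.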
--
|
|
cgit v0.9.0.2
|
|
From 62718f821b7c79a6860b8b25f0a21a91daa6e22d Mon Sep 17 00:00:00 2001
|
|
From: Nils Philippsen <nils@redhat.com>
|
|
Date: Thu, 04 Aug 2011 10:51:42 +0000
|
|
Subject: file-gif-load: fix heap corruption and buffer overflow (CVE-2011-2896)
|
|
|
|
(cherry picked from commit 376ad788c1a1c31d40f18494889c383f6909ebfc)
|
|
---
|
|
diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
|
|
index a4d98fc..8460ec0 100644
|
|
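--- a/plug-ins/common/file-gif-load.c
+++ b/plug-ins/common/file-gif-load.c
@@ -697,7 +697,8 @@ LZWReadByte (FILE *fd,
 static gint firstcode, oldcode;
 static gint clear_code, end_code;
 static gint table[2][(1 << MAX_LZW_BITS)];
- static gint stack[(1 << (MAX_LZW_BITS)) * 2], *sp;
+#define STACK_SIZE ((1 << (MAX_LZW_BITS)) * 2)
+ static gint stack[STACK_SIZE], *sp;
 gint i;
 
 if (just_reset_LZW)
@@ -772,7 +773,7 @@ LZWReadByte (FILE *fd,
 
 return firstcode & 255;
 }
- else if (code == end_code)
+ else if (code == end_code || code > max_code)
 {
 gint count;
 guchar buf[260];
@@ -791,13 +792,14 @@ LZWReadByte (FILE *fd,
 
 incode = code;
 
- if (code >= max_code)
+ if (code == max_code)
 {
- *sp++ = firstcode;
+ if (sp < &(stack[STACK_SIZE]))
+ *sp++ = firstcode;
 code = oldcode;
 }
 
- while (code >= clear_code)
+ while (code >= clear_code && sp < &(stack[STACK_SIZE]))
 {
 *sp++ = table[1][code];
 if (code == table[0][code])
@@ -808,7 +810,8 @@ LZWReadByte (FILE *fd,
 code = table[0][code];
 }
 
- *sp++ = firstcode = table[1][code];
+ if (sp < &(stack[STACK_SIZE]))
+ *sp++ = firstcode = table[1][code];
 
 if ((code = max_code) < (1 << MAX_LZW_BITS))
 {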
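Review bot: The guard in the last hunk, `if (sp < &(stack[STACK_SIZE])) *sp++ = firstcode = table[1][code];`, makes the assignment to `firstcode` conditional as well as the push. When the stack is full, `firstcode` keeps its previous value, and the code after the hunk presumably still uses it to extend the table. Keeping the assignment unconditional and guarding only the push would avoid that: `firstcode = table[1][code];` followed by `if (sp < &(stack[STACK_SIZE])) *sp++ = firstcode;`. More generally, all three guards silently drop data when the stack fills, so a malformed stream decodes to wrong pixels with no diagnostic; treating a full stack as a corrupt stream would be easier to detect. The `#define STACK_SIZE` inside the function body is never undefined, and `stack + G_N_ELEMENTS (stack)` would express the same bound without a macro. The function body extends outside these hunks.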
--
|
|
cgit v0.9.0.2
|