9b25b59e1a
CVE-2025-15279 GUtils BMP File Parsing Heap-based Buffer Overflow - Resolves: RHEL-138144 CVE-2025-15275 SFD File Parsing Heap-based Buffer Overflow - Resolves: RHEL-138126 CVE-2025-15269 SFD File Parsing Use-After-Free
36 lines
1.2 KiB
Diff
36 lines
1.2 KiB
Diff
From a0eedb850e1216cece0f9be61bfd45ddfc4a719d Mon Sep 17 00:00:00 2001
|
|
From: Ahmet Furkan Kavraz <kavraz@amazon.com>
|
|
Date: Fri, 9 Jan 2026 13:39:17 +0000
|
|
Subject: [PATCH] Fix CVE-2025-15279: Move bounds check inside cnt >= 3 block
|
|
|
|
Move the bounds check to inside the 'if (cnt >= 3)' block. This fixes
|
|
the issue where cnt == 0, cnt == 1, and cnt == 2 require different ii
|
|
calculations (end-of-line, end-of-bitmap, delta) and the bounds check
|
|
before the conditional would incorrectly reject valid operations.
|
|
|
|
CVE-2025-15279
|
|
CVSS: 7.8 (High)
|
|
ZDI-CAN-27517
|
|
---
|
|
gutils/gimagereadbmp.c | 6 +++---
|
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/gutils/gimagereadbmp.c b/gutils/gimagereadbmp.c
|
|
index 133336787c..ad365158cc 100644
|
|
--- a/gutils/gimagereadbmp.c
|
|
+++ b/gutils/gimagereadbmp.c
|
|
@@ -190,10 +190,10 @@ static int readpixels(FILE *file,struct bmpheader *head) {
|
|
head->byte_pixels[ii++] = ch;
|
|
} else {
|
|
cnt = getc(file);
|
|
- if (cnt < 0 || ii + cnt > head->height * head->width) {
|
|
- return 0;
|
|
- }
|
|
if ( cnt>= 3 ) {
|
|
+ if (ii + cnt > head->height * head->width) {
|
|
+ return 0;
|
|
+ }
|
|
int odd = cnt&1;
|
|
while ( --cnt>=0 )
|
|
head->byte_pixels[ii++] = getc(file);
|