Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 17d2b9bf78 |
@ -0,0 +1,50 @@
|
||||
From 4af78023ce7d3b5e3cec422a59bb4f48fa4f5886 Mon Sep 17 00:00:00 2001
|
||||
From: Matthias Clasen <mclasen@redhat.com>
|
||||
Date: Fri, 11 Jul 2025 11:02:05 -0400
|
||||
Subject: [PATCH] jpeg: Be more careful with chunked icc data
|
||||
|
||||
We we inadvertendly trusting the sequence numbers not to lie.
|
||||
If they do we would report a larger data size than we actually
|
||||
allocated, leading to out of bounds memory access in base64
|
||||
encoding later on.
|
||||
|
||||
This has been assigned CVE-2025-7345.
|
||||
|
||||
Fixes: #249
|
||||
---
|
||||
gdk-pixbuf/io-jpeg.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
|
||||
index 9cfd29718..103820c5a 100644
|
||||
--- a/gdk-pixbuf/io-jpeg.c
|
||||
+++ b/gdk-pixbuf/io-jpeg.c
|
||||
@@ -359,6 +359,7 @@ jpeg_parse_exif_app2_segment (JpegExifContext *context, jpeg_saved_marker_ptr ma
|
||||
context->icc_profile = g_new (gchar, chunk_size);
|
||||
/* copy the segment data to the profile space */
|
||||
memcpy (context->icc_profile, marker->data + 14, chunk_size);
|
||||
+ ret = TRUE;
|
||||
goto out;
|
||||
}
|
||||
|
||||
@@ -380,12 +381,15 @@ jpeg_parse_exif_app2_segment (JpegExifContext *context, jpeg_saved_marker_ptr ma
|
||||
/* copy the segment data to the profile space */
|
||||
memcpy (context->icc_profile + offset, marker->data + 14, chunk_size);
|
||||
|
||||
- /* it's now this big plus the new data we've just copied */
|
||||
- context->icc_profile_size += chunk_size;
|
||||
+ context->icc_profile_size = MAX (context->icc_profile_size, offset + chunk_size);
|
||||
|
||||
/* success */
|
||||
ret = TRUE;
|
||||
out:
|
||||
+ if (!ret) {
|
||||
+ g_free (context->icc_profile);
|
||||
+ context->icc_profile = NULL;
|
||||
+ }
|
||||
return ret;
|
||||
}
|
||||
|
||||
--
|
||||
2.50.0
|
||||
|
||||
@ -2,7 +2,7 @@
|
||||
|
||||
Name: gdk-pixbuf2
|
||||
Version: 2.36.12
|
||||
Release: 6%{?dist}
|
||||
Release: 7%{?dist}
|
||||
Summary: An image loading library
|
||||
|
||||
License: LGPLv2+
|
||||
@ -15,6 +15,7 @@ Source1: bug753605-atsize.jpg
|
||||
Patch0: Turn-off-mmx-support.diff
|
||||
# https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/172
|
||||
Patch1: CVE-2022-48622.patch
|
||||
Patch2: 0001-jpeg-Be-more-careful-with-chunked-icc-data.patch
|
||||
|
||||
BuildRequires: pkgconfig(gio-2.0) >= %{glib2_version}
|
||||
BuildRequires: libpng-devel
|
||||
@ -182,6 +183,10 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache
|
||||
|
||||
|
||||
%changelog
|
||||
* Fri Jul 18 2025 Matthias Clasen <mclasen@redhat.com> - 2.36.12-7
|
||||
- Backport fixes for CVE-2025-7345
|
||||
- Resolves: RHEL-102346
|
||||
|
||||
* Wed May 15 2024 Tomas Popela <tpopela@redhat.com> - 2.36.12-6
|
||||
- Backport fixes for CVE-2022-48622
|
||||
- Apply patches with git to enable binary patching
|
||||
|
||||
Loading…
Reference in New Issue
Block a user