fix heap corruption and buffer overflow in file-gif-load plugin
(CVE-2011-2896)
parent
04e188de2e
commit
27bebf13f8
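--- /dev/null
+++ b/gimp-2.6.11-gif-load.patch
@@ -0,0 +1,108 @@
+From 631856a2021d60d29e96d07872c06246eff25a96 Mon Sep 17 00:00:00 2001
+From: Nils Philippsen <nils@redhat.com>
+Date: Fri, 12 Aug 2011 14:44:52 +0200
+Subject: [PATCH] patch: gif-load
+
+Squashed commit of the following:
+
+commit 366d6b546e8fb91909550a61abeafc11672667c4
+Author: Nils Philippsen <nils@redhat.com>
+Date: Thu Aug 4 12:51:42 2011 +0200
+
+    file-gif-load: fix heap corruption and buffer overflow (CVE-2011-2896)
+    (cherry picked from commit 376ad788c1a1c31d40f18494889c383f6909ebfc)
+
+commit 3c5864851ea5fe8f89d273ee8ac4df0c1101b315
+Author: Nils Philippsen <nils@redhat.com>
+Date: Thu Aug 4 12:47:44 2011 +0200
+
+    file-gif-load: ensure return value of LZWReadByte() is <= 255
+    (cherry picked from commit b1a3de761362db982c0ddfaff60ab4a3c4267f32)
+---
+ plug-ins/common/file-gif-load.c | 25 ++++++++++++++-----------
+ 1 files changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
+index 9a0720b..8460ec0 100644
+--- a/plug-ins/common/file-gif-load.c
++++ b/plug-ins/common/file-gif-load.c
+@@ -697,7 +697,8 @@ LZWReadByte (FILE *fd,
+   static gint firstcode, oldcode;
+   static gint clear_code, end_code;
+   static gint table[2][(1 << MAX_LZW_BITS)];
+-  static gint stack[(1 << (MAX_LZW_BITS)) * 2], *sp;
++#define STACK_SIZE ((1 << (MAX_LZW_BITS)) * 2)
++  static gint stack[STACK_SIZE], *sp;
+   gint i;
+ 
+   if (just_reset_LZW)
+@@ -743,11 +744,11 @@ LZWReadByte (FILE *fd,
+         }
+       while (firstcode == clear_code);
+ 
+-      return firstcode;
++      return firstcode & 255;
+     }
+ 
+   if (sp > stack)
+-    return *--sp;
++    return (*--sp) & 255;
+ 
+   while ((code = GetCode (fd, code_size, FALSE)) >= 0)
+     {
+@@ -770,9 +771,9 @@ LZWReadByte (FILE *fd,
+           sp = stack;
+           firstcode = oldcode = GetCode (fd, code_size, FALSE);
+ 
+-          return firstcode;
++          return firstcode & 255;
+         }
+-      else if (code == end_code)
++      else if (code == end_code || code > max_code)
+         {
+           gint count;
+           guchar buf[260];
+@@ -791,13 +792,14 @@ LZWReadByte (FILE *fd,
+ 
+       incode = code;
+ 
+-      if (code >= max_code)
++      if (code == max_code)
+         {
+-          *sp++ = firstcode;
++          if (sp < &(stack[STACK_SIZE]))
++            *sp++ = firstcode;
+           code = oldcode;
+         }
+ 
+-      while (code >= clear_code)
++      while (code >= clear_code && sp < &(stack[STACK_SIZE]))
+         {
+           *sp++ = table[1][code];
+           if (code == table[0][code])
+@@ -808,7 +810,8 @@ LZWReadByte (FILE *fd,
+           code = table[0][code];
+         }
+ 
+-      *sp++ = firstcode = table[1][code];
++      if (sp < &(stack[STACK_SIZE]))
++        *sp++ = firstcode = table[1][code];
+ 
+       if ((code = max_code) < (1 << MAX_LZW_BITS))
+         {
+@@ -826,10 +829,10 @@ LZWReadByte (FILE *fd,
+       oldcode = incode;
+ 
+       if (sp > stack)
+-        return *--sp;
++        return (*--sp) & 255;
+     }
+ 
+-  return code;
++  return code & 255;
+ }
+ 
+ static gint32
+-- 
+1.7.6
+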
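Review bot: The `& 255` masks also apply to the negative results GetCode can return: the loop condition `while ((code = GetCode (fd, code_size, FALSE)) >= 0)` only falls through on a negative code, so the final `return code & 255;` is reached only with a negative `code` and turns it into 254 or 255, and `return firstcode & 255;` right after `firstcode = oldcode = GetCode (fd, code_size, FALSE);` does the same when that call fails. If callers use the same `>= 0` convention as this loop (they are outside the hunk), they can no longer tell end-of-data from a pixel value, so the fix should mask only non-negative results, e.g. `return code < 0 ? code : (code & 255);` at each of the masked returns. The `sp < &(stack[STACK_SIZE])` guards stop pushes silently once the stack is full, so a malformed stream now produces truncated output rather than a reported decode error; a short comment such as `/* stack full: drop the symbol rather than overflow; the stream is malformed */` would make that intent explicit. LZWReadByte's definition begins and ends outside this hunk.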
@ -153,6 +153,8 @@ Patch9: gimp-2.6.11-CVE-2010-4540,4541,4542.patch
Patch10: gimp-2.6.11-shell-dnd-quit-crash.patch
Patch10: gimp-2.6.11-shell-dnd-quit-crash.patch
# backport: fix goption warning on startup
# backport: fix goption warning on startup
Patch11: gimp-2.6.11-startup-warning.patch
Patch11: gimp-2.6.11-startup-warning.patch
# CVE-2011-2896: fix heap corruption and buffer overflow, upstreamed
Patch12: gimp-2.6.11-gif-load.patch
# files changed by autoreconf after applying the above
# files changed by autoreconf after applying the above
Patch100: gimp-2.6.11-11-autoreconf.patch.bz2
Patch100: gimp-2.6.11-11-autoreconf.patch.bz2
@ -245,6 +247,7 @@ EOF
%patch9 -p1 -b .CVE-2010-4540,4541,4542
%patch9 -p1 -b .CVE-2010-4540,4541,4542
%patch10 -p1 -b .shell-dnd-quit-crash
%patch10 -p1 -b .shell-dnd-quit-crash
%patch11 -p1 -b .startup-warning
%patch11 -p1 -b .startup-warning
%patch12 -p1 -b .gif-load
%patch100 -p1 -b .autoreconf
%patch100 -p1 -b .autoreconf
@ -514,6 +517,8 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
%changelog
%changelog
* Fri Aug 12 2011 Nils Philippsen <nils@redhat.com> - 2:2.6.11-21
* Fri Aug 12 2011 Nils Philippsen <nils@redhat.com> - 2:2.6.11-21
- actually apply startup-warning patch
- actually apply startup-warning patch
- fix heap corruption and buffer overflow in file-gif-load plugin
(CVE-2011-2896)
* Thu Aug 04 2011 Nils Philippsen <nils@redhat.com> - 2:2.6.11-20
* Thu Aug 04 2011 Nils Philippsen <nils@redhat.com> - 2:2.6.11-20
- fix goption warning on startup, patch by Mikael Magnusson
- fix goption warning on startup, patch by Mikael Magnusson