avoid buffer overflows in file-xwd plug-in

Resolves: CVE-2013-1913, CVE-2013-1978
2013-12-04 11:31:57 +01:00 · 2013-12-04 11:31:57 +01:00 · 317c5fc75a
commit 317c5fc75a
parent 674280c7a8
2 changed files with 188 additions and 1 deletions
--- a/gimp-2.8.10-CVE-2013-1913,1978.patch
+++ b/gimp-2.8.10-CVE-2013-1913,1978.patch
@ -0,0 +1,177 @@
 From e3a100aa5872a19c10aadcf27a569465970347fe Mon Sep 17 00:00:00 2001
 From: Nils Philippsen <nils@redhat.com>
 Date: Wed, 4 Dec 2013 11:17:11 +0100
 Subject: [PATCH] patch: CVE-2013-1913,1978
 Squashed commit of the following:
 commit 6a0912e7fe8b61e32c647d9ed3bc110b4a7f15cf
 Author: Nils Philippsen <nils@redhat.com>
 Date:   Tue Nov 26 10:49:42 2013 +0100
    file-xwd: sanity check # of colors and map entries (CVE-2013-1978)
    The number of colors in an image shouldn't be higher than the number of
    colormap entries. Additionally, consolidate post error cleanup in
    load_image().
    (cherry picked from commit 23f685931e5f000dd033a45c60c1e60d7f78caf4)
 commit 0e95c2790d753d898f2d7ad560b48e5f487cf460
 Author: Nils Philippsen <nils@redhat.com>
 Date:   Thu Nov 14 14:29:01 2013 +0100
    file-xwd: sanity check colormap size (CVE-2013-1913)
    (cherry picked from commit 32ae0f83e5748299641cceaabe3f80f1b3afd03e)
 ---
 plug-ins/common/file-xwd.c | 62 +++++++++++++++++++++++++++-------------------
 1 file changed, 37 insertions(+), 25 deletions(-)
 diff --git a/plug-ins/common/file-xwd.c b/plug-ins/common/file-xwd.c
 index 3240f7e..ba07afd 100644
 --- a/plug-ins/common/file-xwd.c
 +++ b/plug-ins/common/file-xwd.c
@@ -424,9 +424,9 @@ static gint32
 load_image (const gchar  *filename,
             GError      **error)
 {
 -  FILE            *ifp;
 +  FILE            *ifp = NULL;
   gint             depth, bpp;
 -  gint32           image_ID;
 +  gint32           image_ID = -1;
   L_XWDFILEHEADER  xwdhdr;
   L_XWDCOLOR      *xwdcolmap = NULL;
@@ -436,7 +436,7 @@ load_image (const gchar  *filename,
       g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno),
                    _("Could not open '%s' for reading: %s"),
                    gimp_filename_to_utf8 (filename), g_strerror (errno));
 -      return -1;
 +      goto out;
     }
   read_xwd_header (ifp, &xwdhdr);
@@ -445,8 +445,7 @@ load_image (const gchar  *filename,
       g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
                    _("Could not read XWD header from '%s'"),
                    gimp_filename_to_utf8 (filename));
 -      fclose (ifp);
 -      return -1;
 +      goto out;
     }
 #ifdef XWD_COL_WAIT_DEBUG
@@ -461,8 +460,25 @@ load_image (const gchar  *filename,
   /* Position to start of XWDColor structures */
   fseek (ifp, (long)xwdhdr.l_header_size, SEEK_SET);
 +  /* Guard against insanely huge color maps -- gimp_image_set_colormap() only
 +   * accepts colormaps with 0..256 colors anyway. */
 +  if (xwdhdr.l_colormap_entries > 256)
 +    {
 +      g_message (_("'%s':\nIllegal number of colormap entries: %ld"),
 +                 gimp_filename_to_utf8 (filename),
 +                 (long)xwdhdr.l_colormap_entries);
 +      goto out;
 +    }
 +
   if (xwdhdr.l_colormap_entries > 0)
     {
 +      if (xwdhdr.l_colormap_entries < xwdhdr.l_ncolors)
 +        {
 +          g_message (_("'%s':\nNumber of colormap entries < number of colors"),
 +                     gimp_filename_to_utf8 (filename));
 +          goto out;
 +        }
 +
       xwdcolmap = g_new (L_XWDCOLOR, xwdhdr.l_colormap_entries);
       read_xwd_cols (ifp, &xwdhdr, xwdcolmap);
@@ -482,9 +498,7 @@ load_image (const gchar  *filename,
       if (xwdhdr.l_file_version != 7)
         {
           g_message (_("Can't read color entries"));
 -          g_free (xwdcolmap);
 -          fclose (ifp);
 -          return (-1);
 +          goto out;
         }
     }
@@ -492,9 +506,7 @@ load_image (const gchar  *filename,
     {
       g_message (_("'%s':\nNo image width specified"),
                  gimp_filename_to_utf8 (filename));
 -      g_free (xwdcolmap);
 -      fclose (ifp);
 -      return (-1);
 +      goto out;
     }
   if (xwdhdr.l_pixmap_width > GIMP_MAX_IMAGE_SIZE
@@ -502,27 +514,21 @@ load_image (const gchar  *filename,
     {
       g_message (_("'%s':\nImage width is larger than GIMP can handle"),
                  gimp_filename_to_utf8 (filename));
 -      g_free (xwdcolmap);
 -      fclose (ifp);
 -      return (-1);
 +      goto out;
     }
   if (xwdhdr.l_pixmap_height <= 0)
     {
       g_message (_("'%s':\nNo image height specified"),
                  gimp_filename_to_utf8 (filename));
 -      g_free (xwdcolmap);
 -      fclose (ifp);
 -      return (-1);
 +      goto out;
     }
   if (xwdhdr.l_pixmap_height > GIMP_MAX_IMAGE_SIZE)
     {
       g_message (_("'%s':\nImage height is larger than GIMP can handle"),
                  gimp_filename_to_utf8 (filename));
 -      g_free (xwdcolmap);
 -      fclose (ifp);
 -      return (-1);
 +      goto out;
     }
   gimp_progress_init_printf (_("Opening '%s'"),
@@ -571,11 +577,6 @@ load_image (const gchar  *filename,
     }
   gimp_progress_update (1.0);
 -  fclose (ifp);
 -
 -  if (xwdcolmap)
 -    g_free (xwdcolmap);
 -
   if (image_ID == -1 && ! (error && *error))
     g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
                  _("XWD-file %s has format %d, depth %d and bits per pixel %d. "
@@ -583,6 +584,17 @@ load_image (const gchar  *filename,
                  gimp_filename_to_utf8 (filename),
                  (gint) xwdhdr.l_pixmap_format, depth, bpp);
 +out:
 +  if (ifp)
 +    {
 +      fclose (ifp);
 +    }
 +
 +  if (xwdcolmap)
 +    {
 +      g_free (xwdcolmap);
 +    }
 +
   return image_ID;
 }
 -- 
 1.8.4.2
--- a/gimp.spec
+++ b/gimp.spec
@ -82,7 +82,7 @@ Summary:        GNU Image Manipulation Program
 Name:           gimp
 Epoch:          2
 Version:        2.8.10
-Release:        %{?prerelprefix}1%{dotprerel}%{dotgitrev}%{?dist}
+Release:        %{?prerelprefix}2%{dotprerel}%{dotgitrev}%{?dist}
 # Compute some version related macros
 # Ugly hack, you need to get your quoting backslashes/percent signs straight
@ -206,6 +206,12 @@ Patch0:         gimp-%{version}%{dashprerel}-git%{gitrev}.patch.bz2
 # Fedora specific.
 Patch1:         gimp-2.8.2-cm-system-monitor-profile-by-default.patch
 # Avoid buffer overflows in the XWD loader
 # CVE-2013-1913, CVE-2013-1978
 # Upstream commit 7f2322e4ced8ba393abc5a0aa15a607f340f0db8
 # Upstream commit 0ffb3b6753aad00512349bba31bf5113054c6a0e
 Patch2:         gimp-2.8.10-CVE-2013-1913,1978.patch
 # use external help browser directly if help browser plug-in is not built
 Patch100:       gimp-2.8.6-external-help-browser.patch
@ -295,6 +301,7 @@ EOF
 %endif
 %patch1 -p1 -b .cm-system-monitor-profile-by-default
 %patch2 -p1 -b .CVE-2013-1913,1978
 %if ! %{with helpbrowser}
 %patch100 -p1 -b .external-help-browser
@ -608,6 +615,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 %endif
 %changelog
 * Wed Dec 04 2013 Nils Philippsen <nils@redhat.com> - 2:2.8.10-2
 - avoid buffer overflows in file-xwd plug-in (CVE-2013-1913, CVE-2013-1978)
 * Fri Nov 29 2013 Nils Philippsen <nils@redhat.com> - 2:2.8.10-1
 - version 2.8.10