fix overflow in GIF loader (CVE-2012-3481)
This commit is contained in:
parent
1e29590776
commit
cae01488c7
56
gimp-2.8.0-CVE-2012-3481.patch
Normal file
56
gimp-2.8.0-CVE-2012-3481.patch
Normal file
@ -0,0 +1,56 @@
|
||||
From b39f4582b80984f86701ab56f355c911cd448e15 Mon Sep 17 00:00:00 2001
|
||||
From: Nils Philippsen <nils@redhat.com>
|
||||
Date: Mon, 20 Aug 2012 14:18:49 +0200
|
||||
Subject: [PATCH] patch: CVE-2012-3481
|
||||
|
||||
Squashed commit of the following:
|
||||
|
||||
commit 52cce706d3d490d96e81d9cebff8c9796f33ff67
|
||||
Author: Nils Philippsen <nils@redhat.com>
|
||||
Date: Tue Aug 14 15:27:39 2012 +0200
|
||||
|
||||
file-gif-load: fix type overflow (CVE-2012-3481)
|
||||
|
||||
Cast variables properly to avoid overflowing when computing how much
|
||||
memory to allocate.
|
||||
(cherry picked from commit 43fc9dbd8e2196944c8a71321e525b89b7df9f5c)
|
||||
|
||||
commit 562eefae83d6da5b70aaaccddd54c1f17c42f1b3
|
||||
Author: Jan Lieskovsky <jlieskov@redhat.com>
|
||||
Date: Tue Aug 14 12:18:22 2012 +0200
|
||||
|
||||
file-gif-load: limit len and height (CVE-2012-3481)
|
||||
|
||||
Ensure values of len and height can't overflow g_malloc() argument type.
|
||||
(cherry picked from commit d95c2f0bcb6775bdee2bef35b7d84f6dfd490783)
|
||||
---
|
||||
plug-ins/common/file-gif-load.c | 11 +++++++++--
|
||||
1 file changed, 9 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
|
||||
index 4fdbe7a..0bb9bc4 100644
|
||||
--- a/plug-ins/common/file-gif-load.c
|
||||
+++ b/plug-ins/common/file-gif-load.c
|
||||
@@ -1057,10 +1057,17 @@ ReadImage (FILE *fd,
|
||||
cur_progress = 0;
|
||||
max_progress = height;
|
||||
|
||||
+ if (len > (G_MAXSIZE / height / (alpha_frame ? (promote_to_rgb ? 4 : 2) : 1)))
|
||||
+ {
|
||||
+ g_message ("'%s' has a larger image size than GIMP can handle.",
|
||||
+ gimp_filename_to_utf8 (filename));
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
if (alpha_frame)
|
||||
- dest = (guchar *) g_malloc (len * height * (promote_to_rgb ? 4 : 2));
|
||||
+ dest = (guchar *) g_malloc ((gsize)len * (gsize)height * (promote_to_rgb ? 4 : 2));
|
||||
else
|
||||
- dest = (guchar *) g_malloc (len * height);
|
||||
+ dest = (guchar *) g_malloc ((gsize)len * (gsize)height);
|
||||
|
||||
#ifdef GIFDEBUG
|
||||
g_print ("GIF: reading %d by %d%s GIF image, ncols=%d\n",
|
||||
--
|
||||
1.7.11.4
|
||||
|
||||
@ -188,6 +188,7 @@ Patch0: gimp-%{version}%{dashprerel}-git%{gitrev}.patch.bz2
|
||||
|
||||
Patch1: gimp-2.8.0-fits.patch
|
||||
Patch2: gimp-2.8.0-CVE-2012-3403.patch
|
||||
Patch3: gimp-2.8.0-CVE-2012-3481.patch
|
||||
|
||||
%description
|
||||
GIMP (GNU Image Manipulation Program) is a powerful image composition and
|
||||
@ -272,6 +273,7 @@ EOF
|
||||
|
||||
%patch1 -p1 -b .fits
|
||||
%patch2 -p1 -b .CVE-2012-3403
|
||||
%patch3 -p1 -b .CVE-2012-3481
|
||||
|
||||
%build
|
||||
%if %{with hardening}
|
||||
@ -547,6 +549,7 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
|
||||
* Mon Aug 20 2012 Nils Philippsen <nils@redhat.com> - 2:2.8.0-3
|
||||
- fix crash in fits loader (#834627)
|
||||
- fix overflow in CEL plug-in (CVE-2012-3403)
|
||||
- fix overflow in GIF loader (CVE-2012-3481)
|
||||
|
||||
* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2:2.8.0-2.1
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
|
||||
|
||||
Loading…
Reference in New Issue
Block a user