From cae01488c74e4902325592d7b81bf8746afd6198 Mon Sep 17 00:00:00 2001 From: Nils Philippsen Date: Mon, 20 Aug 2012 14:28:14 +0200 Subject: [PATCH] fix overflow in GIF loader (CVE-2012-3481) --- gimp-2.8.0-CVE-2012-3481.patch | 56 ++++++++++++++++++++++++++++++++++ gimp.spec | 3 ++ 2 files changed, 59 insertions(+) create mode 100644 gimp-2.8.0-CVE-2012-3481.patch diff --git a/gimp-2.8.0-CVE-2012-3481.patch b/gimp-2.8.0-CVE-2012-3481.patch new file mode 100644 index 0000000..51bd699 --- /dev/null +++ b/gimp-2.8.0-CVE-2012-3481.patch @@ -0,0 +1,56 @@ +From b39f4582b80984f86701ab56f355c911cd448e15 Mon Sep 17 00:00:00 2001 +From: Nils Philippsen +Date: Mon, 20 Aug 2012 14:18:49 +0200 +Subject: [PATCH] patch: CVE-2012-3481 + +Squashed commit of the following: + +commit 52cce706d3d490d96e81d9cebff8c9796f33ff67 +Author: Nils Philippsen +Date: Tue Aug 14 15:27:39 2012 +0200 + + file-gif-load: fix type overflow (CVE-2012-3481) + + Cast variables properly to avoid overflowing when computing how much + memory to allocate. + (cherry picked from commit 43fc9dbd8e2196944c8a71321e525b89b7df9f5c) + +commit 562eefae83d6da5b70aaaccddd54c1f17c42f1b3 +Author: Jan Lieskovsky +Date: Tue Aug 14 12:18:22 2012 +0200 + + file-gif-load: limit len and height (CVE-2012-3481) + + Ensure values of len and height can't overflow g_malloc() argument type. + (cherry picked from commit d95c2f0bcb6775bdee2bef35b7d84f6dfd490783) +--- + plug-ins/common/file-gif-load.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c +index 4fdbe7a..0bb9bc4 100644 +--- a/plug-ins/common/file-gif-load.c ++++ b/plug-ins/common/file-gif-load.c +@@ -1057,10 +1057,17 @@ ReadImage (FILE *fd, + cur_progress = 0; + max_progress = height; + ++ if (len > (G_MAXSIZE / height / (alpha_frame ? (promote_to_rgb ? 4 : 2) : 1))) ++ { ++ g_message ("'%s' has a larger image size than GIMP can handle.", ++ gimp_filename_to_utf8 (filename)); ++ return -1; ++ } ++ + if (alpha_frame) +- dest = (guchar *) g_malloc (len * height * (promote_to_rgb ? 4 : 2)); ++ dest = (guchar *) g_malloc ((gsize)len * (gsize)height * (promote_to_rgb ? 4 : 2)); + else +- dest = (guchar *) g_malloc (len * height); ++ dest = (guchar *) g_malloc ((gsize)len * (gsize)height); + + #ifdef GIFDEBUG + g_print ("GIF: reading %d by %d%s GIF image, ncols=%d\n", +-- +1.7.11.4 + diff --git a/gimp.spec b/gimp.spec index 6e3068a..b888cce 100644 --- a/gimp.spec +++ b/gimp.spec @@ -188,6 +188,7 @@ Patch0: gimp-%{version}%{dashprerel}-git%{gitrev}.patch.bz2 Patch1: gimp-2.8.0-fits.patch Patch2: gimp-2.8.0-CVE-2012-3403.patch +Patch3: gimp-2.8.0-CVE-2012-3481.patch %description GIMP (GNU Image Manipulation Program) is a powerful image composition and @@ -272,6 +273,7 @@ EOF %patch1 -p1 -b .fits %patch2 -p1 -b .CVE-2012-3403 +%patch3 -p1 -b .CVE-2012-3481 %build %if %{with hardening} @@ -547,6 +549,7 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : * Mon Aug 20 2012 Nils Philippsen - 2:2.8.0-3 - fix crash in fits loader (#834627) - fix overflow in CEL plug-in (CVE-2012-3403) +- fix overflow in GIF loader (CVE-2012-3481) * Thu Jul 19 2012 Fedora Release Engineering - 2:2.8.0-2.1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild