gdk-pixbuf2.0-2.22.1-3.1.mga1.src.rpm

From f8569bb13e2aa1584dde61ca545144750f7a7c98 Mon Sep 17 00:00:00 2001
From: Matthias Clasen <mclasen@redhat.com>
Date: Fri, 24 Jun 2011 05:09:35 +0000
Subject: GIF: Don't return a partially initialized pixbuf structure

It was found that the gdk-pixbuf GIF image loader gdk_pixbuf__gif_image_load()
routine did not properly handle certain return values from its subroutines.
A remote attacker could provide a specially-crafted GIF image which, once
opened in an application linked against gdk-pixbuf, would lead gdk-pixbuf
to return a partially initialized pixbuf structure, possibly having huge
width and height, leading to termination of that particular application due
to excessive memory use.

The CVE identifier of CVE-2011-2485 has been assigned to this issue.
---
(limited to 'gdk-pixbuf/io-gif.c')

diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
index 0b370ee..8a1fa3e 100644
--- a/gdk-pixbuf/io-gif.c
+++ b/gdk-pixbuf/io-gif.c
@@ -1455,6 +1455,7 @@ gdk_pixbuf__gif_image_load (FILE *file, GError **error)
 {
 	GifContext *context;
 	GdkPixbuf *pixbuf;
+        gint retval;
 
 	g_return_val_if_fail (file != NULL, NULL);
 
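Review bot: the new declaration `+        gint retval;` is indented with spaces while the neighbouring `GifContext *context;` and `GdkPixbuf *pixbuf;` lines use a tab; match the file's tab indentation so the declaration block stays aligned.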
@@ -1472,19 +1473,25 @@ gdk_pixbuf__gif_image_load (FILE *file, GError **error)
         context->error = error;
         context->stop_after_first_frame = TRUE;
 
-	if (gif_main_loop (context) == -1 || context->animation->frames == NULL) {
+        retval = gif_main_loop (context);
+	if (retval == -1 || context->animation->frames == NULL) {
                 if (context->error && *(context->error) == NULL)
                         g_set_error_literal (context->error,
                                              GDK_PIXBUF_ERROR,
                                              GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
                                              _("GIF file was missing some data (perhaps it was truncated somehow?)"));
         }
+        else if (retval == -2) {
+                pixbuf = NULL;
+                goto out;
+        }
         
         pixbuf = gdk_pixbuf_animation_get_static_image (GDK_PIXBUF_ANIMATION (context->animation));
 
         if (pixbuf)
                 g_object_ref (pixbuf);
 
+out:
         g_object_unref (context->animation);
         
         g_free (context->buf);
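Review bot: the new `else if (retval == -2)` branch cannot be reached when gif_main_loop() returns -2 and `context->animation->frames == NULL` at the same time, because the preceding `if (retval == -1 || context->animation->frames == NULL)` already matches on the empty frame list and control then falls through to gdk_pixbuf_animation_get_static_image() instead of jumping to `out`. Test the -2 result first, e.g. `if (retval == -2) { pixbuf = NULL; goto out; }` ahead of the corrupt-image check. The -2 path also sets no GError while the -1 path reports GDK_PIXBUF_ERROR_CORRUPT_IMAGE; if -2 means gif_main_loop() has already filled in *error, a short comment saying so would spare the next reader a trip into gif_main_loop(), and if it does not, callers receive NULL with `error` unset. Minor: `retval = gif_main_loop (context);` and the new `else if` block are indented with spaces where the surrounding code uses tabs.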
--