From f8569bb13e2aa1584dde61ca545144750f7a7c98 Mon Sep 17 00:00:00 2001 From: Matthias Clasen <mclasen@redhat.com> Date: Fri, 24 Jun 2011 05:09:35 +0000 Subject: GIF: Don't return a partially initialized pixbuf structure It was found that gdk-pixbuf GIF image loader gdk_pixbuf__gif_image_load() routine did not properly handle certain return values from their subroutines. A remote attacker could provide a specially-crafted GIF image, which once opened in an application, linked against gdk-pixbuf would lead to gdk-pixbuf to return partially initialized pixbuf structure, possibly having huge width and height, leading to that particular application termination due excessive memory use. The CVE identifier of CVE-2011-2485 has been assigned to this issue. --- (limited to 'gdk-pixbuf/io-gif.c') diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c index 0b370ee..8a1fa3e 100644 --- a/gdk-pixbuf/io-gif.c +++ b/gdk-pixbuf/io-gif.c @@ -1455,6 +1455,7 @@ gdk_pixbuf__gif_image_load (FILE *file, GError **error) { GifContext *context; GdkPixbuf *pixbuf; + gint retval; g_return_val_if_fail (file != NULL, NULL); @@ -1472,19 +1473,25 @@ gdk_pixbuf__gif_image_load (FILE *file, GError **error) context->error = error; context->stop_after_first_frame = TRUE; - if (gif_main_loop (context) == -1 || context->animation->frames == NULL) { + retval = gif_main_loop (context); + if (retval == -1 || context->animation->frames == NULL) { if (context->error && *(context->error) == NULL) g_set_error_literal (context->error, GDK_PIXBUF_ERROR, GDK_PIXBUF_ERROR_CORRUPT_IMAGE, _("GIF file was missing some data (perhaps it was truncated somehow?)")); } + else if (retval == -2) { + pixbuf = NULL; + goto out; + } pixbuf = gdk_pixbuf_animation_get_static_image (GDK_PIXBUF_ANIMATION (context->animation)); if (pixbuf) g_object_ref (pixbuf); +out: g_object_unref (context->animation); g_free (context->buf); -- cgit v0.9.0.2