
gimp-2.2.13-2.0.10.el5.src.rpm

From 34cb48d37bdd6837f9bfdd0185bd07ae2b531681 Mon Sep 17 00:00:00 2001
From: Nils Philippsen <nils@redhat.com>
Date: Tue, 14 Jun 2011 16:33:38 +0200
Subject: [PATCH] patch: CVE-2009-3909,CVE-2012-3402

Squashed commit of the following:

commit 540d51972d0c59d8c65e63462d9852f10d5c1fc7
Author: Nils Philippsen <nils@redhat.com>
Date:   Tue Jun 14 15:52:39 2011 +0200

    psd: harden against integer overflow

commit 01c6aa23ffbe42b66240ef1e67bf0232df45c8c9
Author: Nils Philippsen <nils@redhat.com>
Date:   Tue Jun 14 15:51:36 2011 +0200

    psd: harden against zero channels

commit 2bb507353390d78efff9737781d8516224acdeb9
Author: Nils Philippsen <nils@redhat.com>
Date:   Tue Jun 14 15:50:00 2011 +0200

    psd: pass around filename for meaningful error messages

commit ca05e4d951af9fe5b82fc43ec452b2cc2f752df1
Author: Nils Philippsen <nils@redhat.com>
Date:   Fri Mar 18 16:12:48 2011 +0100

    Harden PSD plugin.

    In extract_data_and_channels(), avoid overflowing gsize type in
    g_malloc() call.
---
 plug-ins/common/psd.c |   18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/plug-ins/common/psd.c b/plug-ins/common/psd.c
index ad7d9c6..02c5e52 100644
--- a/plug-ins/common/psd.c
+++ b/plug-ins/common/psd.c
@@ -396,7 +396,7 @@ static glong getglong(FILE *fd, gchar *why);
 static void xfread(FILE *fd, void *buf, long len, gchar *why);
 static void xfread_interlaced(FILE *fd, guchar *buf, long len, gchar *why,
 			      gint step);
-static void read_whole_file(FILE *fd, const gchar *name);
+static void read_whole_file(FILE *fd, const gchar *filename);
 static void reshuffle_cmap(guchar *map256);
 static gchar* getpascalstring(FILE *fd, gchar *why);
 static gchar* getstring(size_t n, FILE * fd, gchar *why);
@@ -1627,7 +1627,10 @@ void extract_data_and_channels(guchar* src, gint gimpstep, gint psstep,
 	 "\tand %d auxiliary channels.\n", gimpstep, psstep-gimpstep);
 
   /* gimp doesn't like 0 width/height drawables. */
-  if ((width == 0) || (height == 0))
+  /* zero channels (gimpstep) also doesn't make sense. */
+  /* avoid overflowing gsize type in g_malloc() below. */
+  if ((width == 0) || (height == 0) || (gimpstep == 0) ||
+      (gimpstep > G_MAXSIZE / width / height))
     {
       IFDBG printf("(bad channel dimensions -- skipping)");
       return;
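Review bot: The new bound in the `if` compares against G_MAXSIZE, which only protects the g_malloc() named in the comment if the size expression there is evaluated as gsize. The hunk header shows gimpstep as gint, and if width and height are int-sized too (their declarations and the allocation are outside the hunk), the product would wrap in int arithmetic before being widened. On a 64-bit build the check could then pass while the buffer is still undersized. I would widen at the allocation, e.g. `(gsize) width * height * gimpstep`, or bound the check by the type the product is actually computed in. The skip path reports only under IFDBG, so a rejected layer is dropped silently in normal builds; a `g_message()` there would make malformed files visible.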
@@ -2810,7 +2813,7 @@ xfread_interlaced(FILE* fd, guchar* buf, long len, gchar *why, gint step)
 }
 
 static void
-read_whole_file(FILE * fd, const gchar *filename)
+read_whole_file(FILE * fd, const gchar * filename)
 {
     guint16 w;
     gint32 pos;
@@ -2831,6 +2834,12 @@ read_whole_file(FILE * fd, const gchar *filename)
                    gimp_filename_to_utf8 (filename));
         gimp_quit ();
       }
+    if (PSDheader.channels < 1)
+      {
+        g_message ("'%s' has 0 channels, GIMP can't handle that.",
+                   gimp_filename_to_utf8 (filename));
+        gimp_quit ();
+      }
 
     PSDheader.rows = getglong(fd, "rows");
     PSDheader.columns = getglong(fd, "columns");
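Review bot: The added check rejects only `PSDheader.channels < 1` and leaves the channel count unbounded above, even though the PSD format specification documents a supported range of 1 to 56. Rejecting out-of-range counts here, e.g. `if (PSDheader.channels < 1 || PSDheader.channels > 56)`, would keep an attacker-chosen header value from feeding the later size arithmetic. The message text would then need to say "unsupported number of channels" rather than "0 channels". The read of `PSDheader.channels` and the rest of read_whole_file are outside the hunk, so confirm the field's type before choosing the comparison.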
@@ -2846,7 +2855,8 @@ read_whole_file(FILE * fd, const gchar *filename)
         gimp_quit ();
       }
 
-    if (PSDheader.rows && PSDheader.columns > (G_MAXUINT / PSDheader.rows))
+    if (PSDheader.rows && PSDheader.channels &&
+        PSDheader.columns > (G_MAXUINT / PSDheader.rows / PSDheader.channels))
       {
         g_message ("'%s' has a larger image size than GIMP can handle.",
                    gimp_filename_to_utf8 (filename));
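Review bot: This guard has no comment saying which later size computation the G_MAXUINT bound protects. It also uses a different limit from the G_MAXSIZE check added in extract_data_and_channels(), so a reader cannot tell whether the two are meant to agree. I would add `/* rows * columns * channels must fit in a guint: buffer sizes below are derived from this product */` above the condition, adjusted to whatever the allocations actually use. The `PSDheader.channels &&` term looks redundant after the `< 1` check added earlier in this function, assuming gimp_quit() does not return, and the same comment could say it is kept only to guard the division. read_whole_file's body continues outside the hunk.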
-- 
1.7.10.4