
gimp-2.2.13-2.0.10.el5.src.rpm

From 3112e2d4e4eadb9bc6da4fd2db4cf76fcba06c21 Mon Sep 17 00:00:00 2001
From: Nils Philippsen <nils@redhat.com>
Date: Thu, 16 Aug 2012 15:53:28 +0200
Subject: [PATCH] patch: CVE-2012-3481

Squashed commit of the following:

commit 54dab9a06392e22e1f9949c555c0f9bc0c2e0963
Author: Nils Philippsen <nils@redhat.com>
Date:   Thu Aug 16 15:49:20 2012 +0200

    gifload: fix type overflow (CVE-2012-3481)

    Cast variables properly to avoid overflowing when computing how much
    memory to allocate.

commit f01f36ef4173542f15351520021f1b0670d66b66
Author: Jan Lieskovsky <jlieskov@redhat.com>
Date:   Thu Aug 16 15:46:45 2012 +0200

    gifload: limit len and height (CVE-2012-3481)

    Ensure values of len and height can't overflow g_malloc() argument type.
---
 plug-ins/common/gifload.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/plug-ins/common/gifload.c b/plug-ins/common/gifload.c
index 9744fbb..eb9575a 100644
--- a/plug-ins/common/gifload.c
+++ b/plug-ins/common/gifload.c
@@ -980,11 +980,19 @@ ReadImage (FILE        *fd,
   cur_progress = 0;
   max_progress = height;
 
+  if (len > (G_MAXULONG / height /
+             (alpha_frame ? (promote_to_rgb ? 4 : 2) : 1)))
+  {
+    g_message ("'%s' has a larger image size than GIMP can handle.",
+               gimp_filename_to_utf8 (filename));
+    return -1;
+  }
+
   if (alpha_frame)
-    dest = (guchar *) g_malloc (len * height *
+    dest = (guchar *) g_malloc ((gulong)len * (gulong)height *
 				(promote_to_rgb ? 4 : 2));
   else
-    dest = (guchar *) g_malloc (len * height);
+    dest = (guchar *) g_malloc ((gulong)len * (gulong)height);
 
   if (verbose)
     g_print ("GIF: reading %d by %d%s GIF image, ncols=%d\n",
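Review bot: The new size check divides by `height` (`G_MAXULONG / height / ...`) before anything in this hunk establishes that `height` is non-zero, so a frame declaring a height of zero would hit a division by zero instead of the clean error path. ReadImage's body starts and ends outside the hunk, so an earlier guard against empty frames may exist but is not visible here. If there is none, the check should reject non-positive dimensions first, e.g. `if (len <= 0 || height <= 0 || len > (G_MAXULONG / height / (alpha_frame ? (promote_to_rgb ? 4 : 2) : 1)))`. A short comment above it, such as `/* reject sizes whose product would overflow the g_malloc() argument */`, would also help, because the divisor repeats the bytes-per-pixel factor used in the allocation below and the two must stay in sync.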
-- 
1.7.11.4