From 3112e2d4e4eadb9bc6da4fd2db4cf76fcba06c21 Mon Sep 17 00:00:00 2001 From: Nils Philippsen <nils@redhat.com> Date: Thu, 16 Aug 2012 15:53:28 +0200 Subject: [PATCH] patch: CVE-2012-3481 Squashed commit of the following: commit 54dab9a06392e22e1f9949c555c0f9bc0c2e0963 Author: Nils Philippsen <nils@redhat.com> Date: Thu Aug 16 15:49:20 2012 +0200 gifload: fix type overflow (CVE-2012-3481) Cast variables properly to avoid overflowing when computing how much memory to allocate. commit f01f36ef4173542f15351520021f1b0670d66b66 Author: Jan Lieskovsky <jlieskov@redhat.com> Date: Thu Aug 16 15:46:45 2012 +0200 gifload: limit len and height (CVE-2012-3481) Ensure values of len and height can't overflow g_malloc() argument type. --- plug-ins/common/gifload.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/plug-ins/common/gifload.c b/plug-ins/common/gifload.c index 9744fbb..eb9575a 100644 --- a/plug-ins/common/gifload.c +++ b/plug-ins/common/gifload.c @@ -980,11 +980,19 @@ ReadImage (FILE *fd, cur_progress = 0; max_progress = height; + if (len > (G_MAXULONG / height / + (alpha_frame ? (promote_to_rgb ? 4 : 2) : 1))) + { + g_message ("'%s' has a larger image size than GIMP can handle.", + gimp_filename_to_utf8 (filename)); + return -1; + } + if (alpha_frame) - dest = (guchar *) g_malloc (len * height * + dest = (guchar *) g_malloc ((gulong)len * (gulong)height * (promote_to_rgb ? 4 : 2)); else - dest = (guchar *) g_malloc (len * height); + dest = (guchar *) g_malloc ((gulong)len * (gulong)height); if (verbose) g_print ("GIF: reading %d by %d%s GIF image, ncols=%d\n", -- 1.7.11.4