Showing
6 changed files
with
247 additions
and
1 deletion.
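--- a/components/library/gdk-pixbuf/patches/12-CVE-2017-6311.patch
+++ b/components/library/gdk-pixbuf/patches/12-CVE-2017-6311.patch
@@ -0,0 +1,44 @@
+From 758655315bc3760c2d646e1e935f7448847073af Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Thu, 27 Jul 2017 13:27:47 +0100
+Subject: ico: Return an error when the ICO didn't load
+
+If we don't even read enough data to fill the header, return an
+error. This doesn't cover everything that could go wrong with
+the ICO incremental loader, but this is a good first throw.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=778204
+---
+gdk-pixbuf/io-ico.c | 11 ++++++++++-
+1 file changed, 10 insertions(+), 1 deletion(-)
+
+Index: gdk-pixbuf-2.32.2/gdk-pixbuf/io-ico.c
+===================================================================
+--- gdk-pixbuf-2.32.2.orig/gdk-pixbuf/io-ico.c
++++ gdk-pixbuf-2.32.2/gdk-pixbuf/io-ico.c
+@@ -587,6 +587,7 @@ gdk_pixbuf__ico_image_stop_load(gpointer
+{
+struct ico_progressive_state *context =
+(struct ico_progressive_state *) data;
++ gboolean ret = TRUE;
+
+/* FIXME this thing needs to report errors if
+* we have unused image data
+@@ -594,8 +595,16 @@ gdk_pixbuf__ico_image_stop_load(gpointer
+
+g_return_val_if_fail(context != NULL, TRUE);
+
++ if (context->HeaderDone < context->HeaderSize) {
++ g_set_error_literal (error,
++ GDK_PIXBUF_ERROR,
++ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
++ _("ICO image was truncated or incomplete."));
++ ret = FALSE;
++ }
++
+context_free (context);
+- return TRUE;
++ return ret;
+}
+
+static void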
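Review bot: The new guard in gdk_pixbuf__ico_image_stop_load only rejects a truncated header (`context->HeaderDone < context->HeaderSize`); a stream that completes the header but stops before the pixel data still returns TRUE with a partially filled pixbuf, which the upstream message itself calls a first step. If the loader keeps a progress counter for the image data as it does for the header, an analogous comparison next to this one would close that gap; the fields are outside the hunk, so confirm before adding it. The unchanged `g_return_val_if_fail(context != NULL, TRUE)` also still reports a NULL context as success, which a reader of the new `ret` logic may find surprising. The function's body starts outside the first hunk.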
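--- a/components/library/gdk-pixbuf/patches/13-CVE-2017-6312.patch
+++ b/components/library/gdk-pixbuf/patches/13-CVE-2017-6312.patch
@@ -0,0 +1,50 @@
+Backported of:
+
+From dec9ca22d70c0f0d4492333b4e8147afb038afd2 Mon Sep 17 00:00:00 2001
+From: Dhiru Kholia <dhiru.kholia@gmail.com>
+Date: Thu, 30 Nov 2017 02:36:26 +0100
+Subject: ico: Fix potential integer overflow
+
+Which relies on undefined behaviour. Instead of checking for an
+overflowed integer after the fact, check whether the addition would
+be possible at all.
+
+Fixes: CVE-2017-6312
+
+Index: gdk-pixbuf-2.32.2/gdk-pixbuf/io-ico.c
+===================================================================
+--- gdk-pixbuf-2.32.2.orig/gdk-pixbuf/io-ico.c
++++ gdk-pixbuf-2.32.2/gdk-pixbuf/io-ico.c
+@@ -25,6 +25,8 @@
+#undef DUMPBIH
+#define DEBUG(s)
+
++#define INFOHEADER_SIZE 40
++
+/*
+
+Icons are just like BMP's, except for the header.
+@@ -317,10 +319,8 @@ static void DecodeHeader(guchar *Data, g
+return;
+}
+
+- /* We know how many bytes are in the "header" part. */
+- State->HeaderSize = entry->DIBoffset + 40; /* 40 = sizeof(InfoHeader) */
+-
+- if (State->HeaderSize < 0) {
++ /* Avoid invoking undefined behavior in the State->HeaderSize calculation below */
++ if (entry->DIBoffset > G_MAXINT - INFOHEADER_SIZE) {
+g_set_error (error,
+GDK_PIXBUF_ERROR,
+GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+@@ -328,6 +328,10 @@ static void DecodeHeader(guchar *Data, g
+return;
+}
+
++ /* We know how many bytes are in the "header" part. */
++ State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE;
++
++
+if (State->HeaderSize>State->BytesInHeaderBuf) {
+guchar *tmp=g_try_realloc(State->HeaderBuf,State->HeaderSize);
+if (!tmp) {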
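Review bot: The new guard `entry->DIBoffset > G_MAXINT - INFOHEADER_SIZE` only makes the removed `State->HeaderSize < 0` test redundant if DIBoffset is unsigned (or already checked non-negative); the struct declaration is outside the hunk, so confirm that before accepting the backport as equivalent. A short comment on the new condition would record the reasoning for the next reader: `/* DIBoffset is unsigned; anything above G_MAXINT - INFOHEADER_SIZE would overflow HeaderSize (gint) below */`. The two consecutive blank lines after the `State->HeaderSize` assignment in the third hunk can be collapsed to one to match the surrounding style. DecodeHeader's body starts and ends outside these hunks.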
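--- a/components/library/gdk-pixbuf/patches/14-CVE-2017-6313.patch
+++ b/components/library/gdk-pixbuf/patches/14-CVE-2017-6313.patch
@@ -0,0 +1,30 @@
+From 210b16399a492d05efb209615a143920b24251f4 Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Tue, 5 Dec 2017 11:51:02 +0100
+Subject: icns: Protect against too short blocklen (CVE-2017-6313)
+
+The blocklen needs to be at least header sized to be valid, otherwise we
+can underflow picture data or mask data lengths.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=779016
+---
+gdk-pixbuf/io-icns.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/gdk-pixbuf/io-icns.c b/gdk-pixbuf/io-icns.c
+index a432e46..41732b1 100644
+--- a/gdk-pixbuf/io-icns.c
++++ b/gdk-pixbuf/io-icns.c
+@@ -95,7 +95,8 @@ load_resources (unsigned size, IN gpointer data, gsize datalen,
+blocklen = GUINT32_FROM_BE (header->size);
+
+/* Check that blocklen isn't garbage */
+- if (blocklen > icnslen - (current - bytes))
++ if (blocklen > icnslen - (current - bytes) ||
++ blocklen < sizeof (IcnsBlockHeader))
+return FALSE;
+
+switch (size)
+--
+cgit v0.12
+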
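Review bot: The new lower bound `blocklen < sizeof (IcnsBlockHeader)` sits next to an upper bound, `icnslen - (current - bytes)`, that itself wraps if `current` has ever advanced past `bytes + icnslen`; nothing in the hunk shows the walking loop maintaining that invariant, so confirm it in load_resources, whose body starts and ends outside the hunk. A comment on the condition would tie it to the reason given in the commit message: `/* a block must at least hold its own header, or the picture/mask length arithmetic below underflows */`. The trailing `--` / `cgit v0.12` signature lines are ignored by patch(1) but are noise in a vendored patch and can be dropped so the file ends at the hunk.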
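--- a/components/library/gdk-pixbuf/patches/15-CVE-2017-6314.patch
+++ b/components/library/gdk-pixbuf/patches/15-CVE-2017-6314.patch
@@ -0,0 +1,44 @@
+From 1e513abdb55529f888233d3c96b27352d83aad5f Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess@hadess.net>
+Date: Tue, 5 Dec 2017 10:26:49 +0100
+Subject: [PATCH] tiff: Avoid overflowing buffer size computation
+
+Use g_uint_checked_mul() to avoid overflowing the guint used for buffer
+size calculation.
+
+https://bugzilla.gnome.org/show_bug.cgi?id=779020
+---
+gdk-pixbuf/io-tiff.c | 11 +++++++++--
+1 file changed, 9 insertions(+), 2 deletions(-)
+
+--- gdk-pixbuf-2.31.6/gdk-pixbuf/io-tiff.c.~2~ 2018-01-16 22:19:50.927208007 +0000
++++ gdk-pixbuf-2.31.6/gdk-pixbuf/io-tiff.c 2018-01-16 22:20:49.864524813 +0000
+@@ -497,6 +497,10 @@
+return retval;
+}
+
++/* Available in glib since 2.48 */
++static inline gboolean _g_uint_checked_mul (guint32 *dest, guint32 a, guint32 b) {
++ *dest = a * b; return !a || *dest / a == b; }
++
+static gboolean
+make_available_at_least (TiffContext *context, guint needed)
+{
+@@ -506,8 +510,15 @@
+need_alloc = context->used + needed;
+if (need_alloc > context->allocated) {
+guint new_size = 1;
+- while (new_size < need_alloc)
+- new_size *= 2;
++ while (new_size < need_alloc) {
++ if (!_g_uint_checked_mul (&new_size, new_size, 2)) {
++ new_size = 0;
++ break;
++ }
++ }
++
++ if (new_size == 0)
++ return FALSE;
+
+new_buffer = g_try_realloc (context->buffer, new_size);
+if (new_buffer) {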
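Review bot: The first line of the second hunk, `need_alloc = context->used + needed;`, is still an unchecked addition; if it wraps, need_alloc can come out below `context->allocated`, the enlargement is skipped and the caller proceeds as though `needed` bytes were available. Guarding it like the doubling loop closes that gap: `if (needed > G_MAXUINT - context->used) return FALSE;` before the assignment, assuming `used` is a guint like `needed` (its declaration is outside the hunk). The local helper is declared with `guint32 *dest` but is called with `&new_size` where new_size is `guint`; the two coincide on the targets glib supports, but declaring the helper on `guint` removes the mismatch and matches the glib function it stands in for. This patch's file headers name `gdk-pixbuf-2.31.6` while patches 12 and 13 name `gdk-pixbuf-2.32.2`; all appear to apply with `-p1`, but the mixed origins are worth confirming against the component's actual version.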
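--- a/components/library/gdk-pixbuf/patches/16-CVE-2017-1000422.patch
+++ b/components/library/gdk-pixbuf/patches/16-CVE-2017-1000422.patch
@@ -0,0 +1,75 @@
+--- a/gdk-pixbuf/io-gif.c
++++ b/gdk-pixbuf/io-gif.c
+@@ -817,6 +817,35 @@
+context->user_data);
+}
+
++/* Available in glib since 2.48 */
++static inline gboolean _g_uint64_checked_mul (guint64 *dest, guint64 a, guint64 b) {
++ *dest = a * b; return !a || *dest / a == b; }
++
++/* Available in gdk-pixbuf 2.36.8 */
++static gint
++_gdk_pixbuf_calculate_rowstride (GdkColorspace colorspace,
++ gboolean has_alpha,
++ int bits_per_sample,
++ int width,
++ int height)
++{
++ unsigned int channels;
++
++ g_return_val_if_fail (colorspace == GDK_COLORSPACE_RGB, -1);
++ g_return_val_if_fail (bits_per_sample == 8, -1);
++ g_return_val_if_fail (width > 0, -1);
++ g_return_val_if_fail (height > 0, -1);
++
++ channels = has_alpha ? 4 : 3;
++
++ /* Overflow? */
++ if (width > (G_MAXINT - 3) / channels)
++ return -1;
++
++ /* Always align rows to 32-bit boundaries */
++ return (width * channels + 3) & ~3;
++}
++
+static int
+gif_get_lzw (GifContext *context)
+{
+@@ -850,13 +879,29 @@
+pixels[2] = 0;
+pixels[3] = 0;
+}
+- } else
+- context->frame->pixbuf =
+- gdk_pixbuf_new (GDK_COLORSPACE_RGB,
+- TRUE,
+- 8,
+- context->frame_len,
+- context->frame_height);
++ } else {
++ int rowstride;
++ guint64 len;
++
++ rowstride = _gdk_pixbuf_calculate_rowstride (GDK_COLORSPACE_RGB,
++ TRUE,
++ 8,
++ context->frame_len,
++ context->frame_height);
++ if (rowstride > 0 &&
++ _g_uint64_checked_mul (&len, rowstride, context->frame_height) &&
++ len <= G_MAXINT) {
++ context->frame->pixbuf =
++ gdk_pixbuf_new (GDK_COLORSPACE_RGB,
++ TRUE,
++ 8,
++ context->frame_len,
++ context->frame_height);
++ } else {
++ context->frame->pixbuf = NULL;
++ }
++ }
++
+if (!context->frame->pixbuf) {
+g_free (context->frame);
+g_set_error_literal (context->error,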
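Review bot: In the new else branch of gif_get_lzw, `rowstride` and `len` are computed purely as a pre-flight check and then discarded, which a later reader may mistake for dead code; a comment would protect the guard: `/* rowstride/len only verify that width * channels and the whole buffer fit in an int before gdk_pixbuf_new recomputes them */`. When the check fails the code sets `pixbuf = NULL` and falls into the existing `if (!context->frame->pixbuf)` path, so an oversized frame is reported with whatever message that path already carries (its text is outside the hunk); if that is an allocation-failure message, a dedicated GDK_PIXBUF_ERROR_CORRUPT_IMAGE error would be more accurate. In `_gdk_pixbuf_calculate_rowstride`, `width > (G_MAXINT - 3) / channels` compares a signed `width` with an unsigned quotient and is only safe because `width > 0` is asserted a few lines above, which is worth noting in the `/* Overflow? */` comment. gif_get_lzw's body starts and ends outside the second hunk.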