Home Verkennen Help
Inloggen
erkanisik
/
main
spiegel van https://github.com/pisilinux/main.git
Volgen 1
Ster 0
Vork 0
Bestanden Kwesties 0 Wiki
Boom: f2e63aaaca
Aftakkingen Labels
main
/
multimedia
/
graphics
/
gegl02
/
files
/
gegl-0.2.0-cve-2012-4433-1e92e523.patch

gegl-0.2.0-cve-2012-4433-1e92e523.patch 2.3 KB
Geschiedenis Ruwe

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869 
  1. From 1e92e5235ded0415d555aa86066b8e4041ee5a53 Mon Sep 17 00:00:00 2001
    2. 

  2. From: Nils Philippsen <nils@redhat.com>
    3. 

  3. Date: Tue, 16 Oct 2012 14:58:27 +0000
    4. 

  4. Subject: ppm-load: CVE-2012-4433: don't overflow memory allocation
    5. 

  5. 

  6. Carefully selected width/height values could cause the size of a later
    7. 

  7. allocation to overflow, resulting in a buffer much too small to store
    8. 

  8. the data which would then written beyond its end.
    9. 

  9. ---
    10. 

  10. diff --git a/operations/external/ppm-load.c b/operations/external/ppm-load.c
    11. 

  11. index efe6d56..3d6bce7 100644
    12. 

  12. --- a/operations/external/ppm-load.c
    13. 

  13. +++ b/operations/external/ppm-load.c
    14. 

  14. @@ -84,7 +84,6 @@ ppm_load_read_header(FILE       *fp,
    15. 

  15.      /* Get Width and Height */
    16. 

  16.      img->width  = strtol (header,&ptr,0);
    17. 

  17.      img->height = atoi (ptr);
    18. 

  18. -    img->numsamples = img->width * img->height * CHANNEL_COUNT;
    19. 

  19.  
    20. 

  20.      fgets (header,MAX_CHARS_IN_ROW,fp);
    21. 

  21.      maxval = strtol (header,&ptr,0);
    22. 

  22. @@ -109,6 +108,16 @@ ppm_load_read_header(FILE       *fp,
    23. 

  23.        g_warning ("%s: Programmer stupidity error", G_STRLOC);
    24. 

  24.      }
    25. 

  25.  
    26. 

  26. +    /* Later on, img->numsamples is multiplied with img->bpc to allocate
    27. 

  27. +     * memory. Ensure it doesn't overflow. */
    28. 

  28. +    if (!img->width || !img->height ||
    29. 

  29. +        G_MAXSIZE / img->width / img->height / CHANNEL_COUNT < img->bpc)
    30. 

  30. +      {
    31. 

  31. +        g_warning ("Illegal width/height: %ld/%ld", img->width, img->height);
    32. 

  32. +        return FALSE;
    33. 

  33. +      }
    34. 

  34. +    img->numsamples = img->width * img->height * CHANNEL_COUNT;
    35. 

  35. +
    36. 

  36.      return TRUE;
    37. 

  37.  }
    38. 

  38.  
    39. 

  39. @@ -229,12 +238,24 @@ process (GeglOperation       *operation,
    40. 

  40.    if (!ppm_load_read_header (fp, &img))
    41. 

  41.      goto out;
    42. 

  42.  
    43. 

  43. -  rect.height = img.height;
    44. 

  44. -  rect.width = img.width;
    45. 

  45. -
    46. 

  46.    /* Allocating Array Size */
    47. 

  47. +
    48. 

  48. +  /* Should use g_try_malloc(), but this causes crashes elsewhere because the
    49. 

  49. +   * error signalled by returning FALSE isn't properly acted upon. Therefore
    50. 

  50. +   * g_malloc() is used here which aborts if the requested memory size can't be
    51. 

  51. +   * allocated causing a controlled crash. */
    52. 

  52.    img.data = (guchar*) g_malloc (img.numsamples * img.bpc);
    53. 

  53.  
    54. 

  54. +  /* No-op without g_try_malloc(), see above. */
    55. 

  55. +  if (! img.data)
    56. 

  56. +    {
    57. 

  57. +      g_warning ("Couldn't allocate %" G_GSIZE_FORMAT " bytes, giving up.", ((gsize)img.numsamples * img.bpc));
    58. 

  58. +      goto out;
    59. 

  59. +    }
    60. 

  60. +
    61. 

  61. +  rect.height = img.height;
    62. 

  62. +  rect.width = img.width;
    63. 

  63. +
    64. 

  64.    switch (img.bpc)
    65. 

  65.      {
    66. 

  66.      case 1:
    67. 

  67. --
    68. 

  68. cgit v0.9.0.2
    69. 

  69.