[OE-core] [ROCKO][PATCH 07/34] gdk-pixbuf: CVE-2017-1000422

Jagadeesh Krishnanjanappa jkrishnanjanappa at mvista.com
Wed Aug 22 11:17:45 UTC 2018


io-gif: Fail quickly when image dimensions are too big

Fail quickly when the dimensions would create an image that's bigger
than MAXINT bytes long.

See https://bugzilla.gnome.org/show_bug.cgi?id=765094

https://bugzilla.gnome.org/show_bug.cgi?id=785973

Affects gdk-pixbuf <= 2.36.8

Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa at mvista.com>
---
 .../gdk-pixbuf/gdk-pixbuf/CVE-2017-1000422.patch   | 65 ++++++++++++++++++++++
 meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.36.8.bb |  1 +
 2 files changed, 66 insertions(+)
 create mode 100644 meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2017-1000422.patch

diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2017-1000422.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2017-1000422.patch
new file mode 100644
index 0000000..0638c99
--- /dev/null
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2017-1000422.patch
@@ -0,0 +1,65 @@
+From 0012e066ba37439d402ce46afbc1311530a4ec61 Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <hadess at hadess.net>
+Date: Wed, 23 Aug 2017 18:02:41 +0200
+Subject: [PATCH] io-gif: Fail quickly when image dimensions are too big
+
+Fail quickly when the dimensions would create an image that's bigger
+than MAXINT bytes long.
+
+See https://bugzilla.gnome.org/show_bug.cgi?id=765094
+
+https://bugzilla.gnome.org/show_bug.cgi?id=785973
+
+CVE: CVE-2017-1000422
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/commit/0012e06]
+
+Signed-off-by: Bastien Nocera <hadess at hadess.net>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa at mvista.com>
+---
+ gdk-pixbuf/io-gif.c | 30 +++++++++++++++++++++++-------
+ 1 file changed, 23 insertions(+), 7 deletions(-)
+
+diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
+index 057960c..ef10017 100644
+--- a/gdk-pixbuf/io-gif.c
++++ b/gdk-pixbuf/io-gif.c
+@@ -851,13 +851,29 @@ gif_get_lzw (GifContext *context)
+                                 pixels[2] = 0;
+                                 pixels[3] = 0;
+                         }
+-                } else
+-                        context->frame->pixbuf =
+-                                gdk_pixbuf_new (GDK_COLORSPACE_RGB,
+-                                                TRUE,
+-                                                8,
+-                                                context->frame_len,
+-                                                context->frame_height);
++                } else {
++                        int rowstride;
++                        guint64 len;
++
++                        rowstride = gdk_pixbuf_calculate_rowstride (GDK_COLORSPACE_RGB,
++                                                                    TRUE,
++                                                                    8,
++                                                                    context->frame_len,
++                                                                    context->frame_height);
++                        if (rowstride > 0 &&
++                            g_uint64_checked_mul (&len, rowstride, context->frame_height) &&
++                            len <= G_MAXINT) {
++                                context->frame->pixbuf =
++                                        gdk_pixbuf_new (GDK_COLORSPACE_RGB,
++                                                        TRUE,
++                                                        8,
++                                                        context->frame_len,
++                                                        context->frame_height);
++                        } else {
++                                context->frame->pixbuf = NULL;
++                        }
++                }
++
+                 if (!context->frame->pixbuf) {
+                         g_free (context->frame);
+                         g_set_error_literal (context->error,
+-- 
+2.7.4
+
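Review bot: In the new `else` branch of gif_get_lzw, a frame rejected for its size and a frame whose gdk_pixbuf_new() allocation failed both end up as `context->frame->pixbuf = NULL` and share the following `if (!context->frame->pixbuf)` error path. A GIF with oversized dimensions is therefore likely reported the same way as memory exhaustion, which makes malformed input harder to spot in logs; the message text is outside the hunk, so this is inferred. A short comment above the check would record the intent, for example `/* Refuse frames whose buffer (rowstride * height) would exceed G_MAXINT bytes before trying to allocate */`. The check also appears to rely on `rowstride > 0` to screen out non-positive dimensions before `context->frame_height` is converted to an unsigned operand in `g_uint64_checked_mul`, and that dependency is worth stating in the same comment. The function body starts and ends outside the hunk.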
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.36.8.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.36.8.bb
index 8c35904..cf06a85 100644
--- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.36.8.bb
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.36.8.bb
@@ -19,6 +19,7 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \
            file://fatal-loader.patch \
            file://0001-Work-around-thumbnailer-cross-compile-failure.patch \
            file://0001-queryloaders-Make-output-more-reproducible.patch \
+           file://CVE-2017-1000422.patch \
            "
 
 SRC_URI[md5sum] = "e0aaa0061eb12667b32b27472230b962"
-- 
2.7.4



