kwo pushed a commit to branch master. http://git.enlightenment.org/legacy/imlib2.git/commit/?id=fe7ae790844662d338ab7c9c0d431fb539ee8fd7
commit fe7ae790844662d338ab7c9c0d431fb539ee8fd7
Author: Tobias Stoeckmann <[email protected]>
Date: Thu Mar 23 14:14:04 2017 +0100
Prevent OOB read with large file support on 32 bit
If imlib2 is compiled with large file support on 32 bit systems, which is not the default, the TGA loader is vulnerable to an out of boundary read due to insufficient off_t/size_t validations. If large file support is enabled, off_t is 64 bit, while size_t is the regular 32 bit on 32 bit architectures. Casting directly leads to issues with files which are larger than 4 GB. As it's unlikely to encounter such files, they will be simply ignored on such systems. 64 bit systems are not affected.
Signed-off-by: Tobias Stoeckmann <[email protected]>
---
 src/modules/loaders/loader_tga.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/modules/loaders/loader_tga.c b/src/modules/loaders/loader_tga.c
index c115741..988b6ce 100644
--- a/src/modules/loaders/loader_tga.c
+++ b/src/modules/loaders/loader_tga.c
@@ -11,6 +11,7 @@
 */
 #include "loader_common.h"
 #include <fcntl.h>
+#include <stdint.h>
 #include <sys/stat.h>
 #include <sys/mman.h>
 #include "blend.h"
@@ -213,7 +214,8 @@ load(ImlibImage * im, ImlibProgressFunction progress,
 return 0;
 }
- if (ss.st_size < (long)(sizeof(tga_header) + sizeof(tga_footer)))
+ if (ss.st_size < (long)(sizeof(tga_header) + sizeof(tga_footer)) ||
+ (uintmax_t) ss.st_size > SIZE_MAX)
 {
 close(fd);
 return 0;
--
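Review bot: The added `(uintmax_t) ss.st_size > SIZE_MAX` clause in load() carries no comment, and on targets where off_t is no wider than size_t it can never be true, so it is easy to mistake for dead code and remove in a later cleanup. A short comment above the condition would record the reason, e.g. `/* off_t may be wider than size_t (32-bit with large file support); reject sizes that would be truncated when used as a length */`. The unsigned cast is only safe because the first clause already rejects a negative st_size, so the order of the two clauses should be preserved and is worth mentioning in the same comment. The rest of load() lies outside the hunk, so it cannot be confirmed from here that every later use of st_size (presumably the mapping length and the footer offset) is covered by this bound.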
