io-gif: Fail quickly when image dimensions are too big Fail quickly when the dimensions would create an image that's bigger than MAXINT bytes long.
See https://bugzilla.gnome.org/show_bug.cgi?id=765094 https://bugzilla.gnome.org/show_bug.cgi?id=785973 Affects gdk-pixbuf <= 2.36.8 Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjana...@mvista.com>
---
.../gdk-pixbuf/gdk-pixbuf/CVE-2017-1000422.patch | 65 ++++++++++++++++++++++ meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.36.8.bb | 1 + 2 files changed, 66 insertions(+) create mode 100644 meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2017-1000422.patch
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2017-1000422.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2017-1000422.patch
new file mode 100644
index 0000000..0638c99
--- /dev/null
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2017-1000422.patch
@@ -0,0 +1,65 @@
+From 0012e066ba37439d402ce46afbc1311530a4ec61 Mon Sep 17 00:00:00 2001
+From: Bastien Nocera <had...@hadess.net>
+Date: Wed, 23 Aug 2017 18:02:41 +0200
+Subject: [PATCH] io-gif: Fail quickly when image dimensions are too big
+
+Fail quickly when the dimensions would create an image that's bigger
+than MAXINT bytes long.
+
+See https://bugzilla.gnome.org/show_bug.cgi?id=765094
+
+https://bugzilla.gnome.org/show_bug.cgi?id=785973
+
+CVE: CVE-2017-1000422
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/commit/0012e06]
+
+Signed-off-by: Bastien Nocera <had...@hadess.net>
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjana...@mvista.com>
+---
+ gdk-pixbuf/io-gif.c | 30 +++++++++++++++++++++++-------
+ 1 file changed, 23 insertions(+), 7 deletions(-)
+
+diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
+index 057960c..ef10017 100644
+--- a/gdk-pixbuf/io-gif.c
++++ b/gdk-pixbuf/io-gif.c
+@@ -851,13 +851,29 @@ gif_get_lzw (GifContext *context)
+ pixels[2] = 0;
+ pixels[3] = 0;
+ }
+- } else
+- context->frame->pixbuf =
+- gdk_pixbuf_new (GDK_COLORSPACE_RGB,
+- TRUE,
+- 8,
+- context->frame_len,
+- context->frame_height);
++ } else {
++ int rowstride;
++ guint64 len;
++
++ rowstride = gdk_pixbuf_calculate_rowstride (GDK_COLORSPACE_RGB,
++ TRUE,
++ 8,
++ context->frame_len,
++ context->frame_height);
++ if (rowstride > 0 &&
++ g_uint64_checked_mul (&len, rowstride, context->frame_height) &&
++ len <= G_MAXINT) {
++ context->frame->pixbuf =
++ gdk_pixbuf_new (GDK_COLORSPACE_RGB,
++ TRUE,
++ 8,
++ context->frame_len,
++ context->frame_height);
++ } else {
++ context->frame->pixbuf = NULL;
++ }
++ }
++
+ if (!context->frame->pixbuf) {
+ g_free (context->frame);
+ g_set_error_literal (context->error,
+--
+2.7.4
+
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.36.8.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.36.8.bb
index 8c35904..cf06a85 100644
--- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.36.8.bb
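Review bot: The new size guard in the `else` branch of `gif_get_lzw` (gdk-pixbuf/io-gif.c) has no comment explaining why `G_MAXINT` is the limit, so the reason a frame is rejected before `gdk_pixbuf_new` is only recoverable from the commit message. I would add `/* Reject frames whose pixel buffer (rowstride * height) would exceed G_MAXINT bytes; see CVE-2017-1000422 */` above the `if (rowstride > 0 &&` line. The rejection sets `context->frame->pixbuf = NULL` and reuses the existing `if (!context->frame->pixbuf)` path, so an oversized-dimension file is presumably reported with the same error as a failed allocation, and `context->frame` is freed there. The error text, and whether `context->frame` is cleared after `g_free`, lie outside the hunk and are worth confirming now that file-supplied dimensions reach this path deterministically. `gif_get_lzw` begins and ends outside the hunk.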
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.36.8.bb
@@ -19,6 +19,7 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \ file://fatal-loader.patch \ file://0001-Work-around-thumbnailer-cross-compile-failure.patch \ file://0001-queryloaders-Make-output-more-reproducible.patch \ + file://CVE-2017-1000422.patch \ " SRC_URI[md5sum] = "e0aaa0061eb12667b32b27472230b962" -- 2.7.4 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core