Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/media-gfx/gimp/files
diff options
context:
space:
mode:
authorSebastian Pipping <sping@gentoo.org>2012-09-15 01:35:53 +0000
committerSebastian Pipping <sping@gentoo.org>2012-09-15 01:35:53 +0000
commited9a9331eb4c7a2fece10e14cac6a2fc96c3df31 (patch)
tree39f467bf454241c032f5affa1e427b07a69dee1d /media-gfx/gimp/files
parentvanilla-3.5.3 + genpatches-3.5-4 + grsecurity-2.9.1-3.5.3-201209131726 (diff)
downloadgentoo-2-ed9a9331eb4c7a2fece10e14cac6a2fc96c3df31.tar.gz
gentoo-2-ed9a9331eb4c7a2fece10e14cac6a2fc96c3df31.tar.bz2
gentoo-2-ed9a9331eb4c7a2fece10e14cac6a2fc96c3df31.zip
media-gfx/gimp: 2.6.12-r4 (CVE-2012-3403, bug #434580)
(Portage version: 2.1.10.65/cvs/Linux x86_64)
Diffstat (limited to 'media-gfx/gimp/files')
-rw-r--r--media-gfx/gimp/files/gimp-2.6.12-CVE-2012-3403.patch511
-rw-r--r--media-gfx/gimp/files/gimp-2.6.12-CVE-2012-3481.patch56
-rw-r--r--media-gfx/gimp/files/gimp-2.6.12-fix-type-overflow-CVE-2012-3481.patch30
-rw-r--r--media-gfx/gimp/files/gimp-2.6.12-limit-len-and-height-CVE-2012-3481.patch31
4 files changed, 567 insertions, 61 deletions
diff --git a/media-gfx/gimp/files/gimp-2.6.12-CVE-2012-3403.patch b/media-gfx/gimp/files/gimp-2.6.12-CVE-2012-3403.patch
new file mode 100644
index 000000000000..f7d0b3766a60
--- /dev/null
+++ b/media-gfx/gimp/files/gimp-2.6.12-CVE-2012-3403.patch
@@ -0,0 +1,511 @@
+From 65ac6cda675fafd57bc182175f685e5d8c1a9cc9 Mon Sep 17 00:00:00 2001
+From: Nils Philippsen <nils@redhat.com>
+Date: Mon, 20 Aug 2012 15:28:44 +0200
+Subject: [PATCH] patch: CVE-2012-3403
+
+Squashed commit of the following:
+
+commit d002e513039a9667a06d3e2ba180f9c18785cc5f
+Author: Nils Philippsen <nils@redhat.com>
+Date: Fri Jul 13 15:47:16 2012 +0200
+
+ file-cel: close file on error
+
+commit ec3f1fe7586527ea7e2735b5c8548b925f622d5b
+Author: Nils Philippsen <nils@redhat.com>
+Date: Fri Jul 13 15:33:27 2012 +0200
+
+ file-cel: use g_set_error() for errors instead of g_message()
+ (cherry picked from commit 86f4cd39bd493c88a7a19b56d1827d8b911e07f6)
+
+ Conflicts:
+ plug-ins/common/file-cel.c
+
+commit 79bd89bc39195974d5cae2c2b06c829dd90c36ee
+Author: Nils Philippsen <nils@redhat.com>
+Date: Fri Jul 13 15:30:44 2012 +0200
+
+ file-cel: use statically allocated palette buffer
+ (cherry picked from commit 69b98191cf315bcf0f7b8878896c01600e67c124)
+
+commit 52d85468980b5947cfd3e84f9a256769158210cc
+Author: Nils Philippsen <nils@redhat.com>
+Date: Fri Jul 13 15:20:06 2012 +0200
+
+ file-cel: validate header data (CVE-2012-3403)
+ (cherry picked from commit b772d1b84c9272bb46ab9a21db4390e6263c9892)
+
+commit 62da97876070839097671e83eb8f5d408515396f
+Author: Nils Philippsen <nils@redhat.com>
+Date: Thu Jul 12 15:50:02 2012 +0200
+
+ file-cel: check fread()/g_fopen() return values and pass on errors
+ (cherry picked from commit 797db58b94c64f418c35d38b7a608d933c8cebef)
+---
+ plug-ins/common/file-cel.c | 283 +++++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 234 insertions(+), 49 deletions(-)
+
+diff --git a/plug-ins/common/file-cel.c b/plug-ins/common/file-cel.c
+index a94671c..3357561 100644
+--- a/plug-ins/common/file-cel.c
++++ b/plug-ins/common/file-cel.c
+@@ -44,8 +44,10 @@ static void run (const gchar *name,
+ gint *nreturn_vals,
+ GimpParam **return_vals);
+
+-static gint load_palette (FILE *fp,
+- guchar palette[]);
++static gint load_palette (const gchar *file,
++ FILE *fp,
++ guchar palette[],
++ GError **error);
+ static gint32 load_image (const gchar *file,
+ const gchar *brief,
+ GError **error);
+@@ -55,7 +57,8 @@ static gboolean save_image (const gchar *file,
+ gint32 layer,
+ GError **error);
+ static void palette_dialog (const gchar *title);
+-static gboolean need_palette (const gchar *file);
++static gboolean need_palette (const gchar *file,
++ GError **error);
+
+
+ /* Globals... */
+@@ -150,6 +153,7 @@ run (const gchar *name,
+ gint32 image;
+ GimpExportReturn export = GIMP_EXPORT_CANCEL;
+ GError *error = NULL;
++ gint needs_palette = 0;
+
+ run_mode = param[0].data.d_int32;
+
+@@ -187,20 +191,32 @@ run (const gchar *name,
+ else if (run_mode == GIMP_RUN_INTERACTIVE)
+ {
+ /* Let user choose KCF palette (cancel ignores) */
+- if (need_palette (param[1].data.d_string))
+- palette_dialog (_("Load KISS Palette"));
++ needs_palette = need_palette (param[1].data.d_string, &error);
+
+- gimp_set_data (SAVE_PROC, palette_file, data_length);
+- }
++ if (! error)
++ {
++ if (needs_palette)
++ palette_dialog (_("Load KISS Palette"));
+
+- image = load_image (param[1].data.d_string, param[2].data.d_string,
+- &error);
++ gimp_set_data (SAVE_PROC, palette_file, data_length);
++ }
++ }
+
+- if (image != -1)
++ if (! error)
+ {
+- *nreturn_vals = 2;
+- values[1].type = GIMP_PDB_IMAGE;
+- values[1].data.d_image = image;
++ image = load_image (param[1].data.d_string, param[2].data.d_string,
++ &error);
++
++ if (image != -1)
++ {
++ *nreturn_vals = 2;
++ values[1].type = GIMP_PDB_IMAGE;
++ values[1].data.d_image = image;
++ }
++ else
++ {
++ status = GIMP_PDB_EXECUTION_ERROR;
++ }
+ }
+ else
+ {
+@@ -263,18 +279,33 @@ run (const gchar *name,
+
+ /* Peek into the file to determine whether we need a palette */
+ static gboolean
+-need_palette (const gchar *file)
++need_palette (const gchar *file,
++ GError **error)
+ {
+ FILE *fp;
+ guchar header[32];
++ size_t n_read;
+
+ fp = g_fopen (file, "rb");
+- if (!fp)
+- return FALSE;
++ if (fp == NULL)
++ {
++ g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno),
++ _("Could not open '%s' for reading: %s"),
++ gimp_filename_to_utf8 (file), g_strerror (errno));
++ return FALSE;
++ }
++
++ n_read = fread (header, 32, 1, fp);
+
+- fread (header, 32, 1, fp);
+ fclose (fp);
+
++ if (n_read < 1)
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("EOF or error while reading image header"));
++ return FALSE;
++ }
++
+ return (header[5] < 32);
+ }
+
+@@ -286,11 +317,12 @@ load_image (const gchar *file,
+ GError **error)
+ {
+ FILE *fp; /* Read file pointer */
+- guchar header[32]; /* File header */
++ guchar header[32], /* File header */
++ file_mark, /* KiSS file type */
++ bpp; /* Bits per pixel */
+ gint height, width, /* Dimensions of image */
+ offx, offy, /* Layer offets */
+- colours, /* Number of colours */
+- bpp; /* Bits per pixel */
++ colours; /* Number of colours */
+
+ gint32 image, /* Image */
+ layer; /* Layer */
+@@ -301,6 +333,7 @@ load_image (const gchar *file,
+ GimpPixelRgn pixel_rgn; /* Pixel region for layer */
+
+ gint i, j, k; /* Counters */
++ size_t n_read; /* Number of items read from file */
+
+
+ /* Open the file for reading */
+@@ -319,7 +352,14 @@ load_image (const gchar *file,
+
+ /* Get the image dimensions and create the image... */
+
+- fread (header, 4, 1, fp);
++ n_read = fread (header, 4, 1, fp);
++
++ if (n_read < 1)
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("EOF or error while reading image header"));
++ return -1;
++ }
+
+ if (strncmp ((const gchar *) header, "KiSS", 4))
+ {
+@@ -332,18 +372,53 @@ load_image (const gchar *file,
+ }
+ else
+ { /* New-style image file, read full header */
+- fread (header, 28, 1, fp);
++ n_read = fread (header, 28, 1, fp);
++
++ if (n_read < 1)
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("EOF or error while reading image header"));
++ return -1;
++ }
++
++ file_mark = header[0];
++ if (file_mark != 0x20 && file_mark != 0x21)
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("is not a CEL image file"));
++ return -1;
++ }
++
+ bpp = header[1];
+- if (bpp == 24)
+- colours = -1;
+- else
+- colours = (1 << header[1]);
++ switch (bpp)
++ {
++ case 4:
++ case 8:
++ case 32:
++ colours = (1 << bpp);
++ break;
++ default:
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("illegal bpp value in image: %hhu"), bpp);
++ return -1;
++ }
++
+ width = header[4] + (256 * header[5]);
+ height = header[6] + (256 * header[7]);
+ offx = header[8] + (256 * header[9]);
+ offy = header[10] + (256 * header[11]);
+ }
+
++ if ((width == 0) || (height == 0) || (width + offx > GIMP_MAX_IMAGE_SIZE) ||
++ (height + offy > GIMP_MAX_IMAGE_SIZE))
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("illegal image dimensions: width: %d, horizontal offset: "
++ "%d, height: %d, vertical offset: %d"),
++ width, offx, height, offy);
++ return -1;
++ }
++
+ if (bpp == 32)
+ image = gimp_image_new (width + offx, height + offy, GIMP_RGB);
+ else
+@@ -351,7 +426,8 @@ load_image (const gchar *file,
+
+ if (image == -1)
+ {
+- g_message (_("Can't create a new image"));
++ g_set_error (error, 0, 0, _("Can't create a new image"));
++ fclose (fp);
+ return -1;
+ }
+
+@@ -383,7 +459,15 @@ load_image (const gchar *file,
+ switch (bpp)
+ {
+ case 4:
+- fread (buffer, (width+1)/2, 1, fp);
++ n_read = fread (buffer, (width+1)/2, 1, fp);
++
++ if (n_read < 1)
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("EOF or error while reading image data"));
++ return -1;
++ }
++
+ for (j = 0, k = 0; j < width*2; j+= 4, ++k)
+ {
+ if (buffer[k] / 16 == 0)
+@@ -410,7 +494,15 @@ load_image (const gchar *file,
+ break;
+
+ case 8:
+- fread (buffer, width, 1, fp);
++ n_read = fread (buffer, width, 1, fp);
++
++ if (n_read < 1)
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("EOF or error while reading image data"));
++ return -1;
++ }
++
+ for (j = 0, k = 0; j < width*2; j+= 2, ++k)
+ {
+ if (buffer[k] == 0)
+@@ -427,7 +519,15 @@ load_image (const gchar *file,
+ break;
+
+ case 32:
+- fread (line, width*4, 1, fp);
++ n_read = fread (line, width*4, 1, fp);
++
++ if (n_read < 1)
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("EOF or error while reading image data"));
++ return -1;
++ }
++
+ /* The CEL file order is BGR so we need to swap B and R
+ * to get the Gimp RGB order.
+ */
+@@ -440,7 +540,8 @@ load_image (const gchar *file,
+ break;
+
+ default:
+- g_message (_("Unsupported bit depth (%d)!"), bpp);
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("Unsupported bit depth (%d)!"), bpp);
+ return -1;
+ }
+
+@@ -457,7 +558,7 @@ load_image (const gchar *file,
+ if (bpp != 32)
+ {
+ /* Use palette from file or otherwise default grey palette */
+- palette = g_new (guchar, colours*3);
++ guchar palette[256*3];
+
+ /* Open the file for reading if user picked one */
+ if (palette_file == NULL)
+@@ -467,12 +568,23 @@ load_image (const gchar *file,
+ else
+ {
+ fp = g_fopen (palette_file, "r");
++
++ if (fp == NULL)
++ {
++ g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno),
++ _("Could not open '%s' for reading: %s"),
++ gimp_filename_to_utf8 (palette_file),
++ g_strerror (errno));
++ return -1;
++ }
+ }
+
+ if (fp != NULL)
+ {
+- colours = load_palette (fp, palette);
++ colours = load_palette (palette_file, fp, palette, error);
+ fclose (fp);
++ if (colours < 0 || *error)
++ return -1;
+ }
+ else
+ {
+@@ -483,10 +595,6 @@ load_image (const gchar *file,
+ }
+
+ gimp_image_set_colormap (image, palette + 3, colours - 1);
+-
+- /* Close palette file, give back allocated memory */
+-
+- g_free (palette);
+ }
+
+ /* Now get everything redrawn and hand back the finished image */
+@@ -498,32 +606,100 @@ load_image (const gchar *file,
+ }
+
+ static gint
+-load_palette (FILE *fp,
+- guchar palette[])
++load_palette (const gchar *file,
++ FILE *fp,
++ guchar palette[],
++ GError **error)
+ {
+ guchar header[32]; /* File header */
+ guchar buffer[2];
+- int i, bpp, colours= 0;
++ guchar file_mark, bpp;
++ gint i, colours = 0;
++ size_t n_read;
++
++ n_read = fread (header, 4, 1, fp);
++
++ if (n_read < 1)
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("'%s': EOF or error while reading palette header"),
++ gimp_filename_to_utf8 (file));
++ return -1;
++ }
+
+- fread (header, 4, 1, fp);
+ if (!strncmp ((const gchar *) header, "KiSS", 4))
+ {
+- fread (header+4, 28, 1, fp);
++ n_read = fread (header+4, 28, 1, fp);
++
++ if (n_read < 1)
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("'%s': EOF or error while reading palette header"),
++ gimp_filename_to_utf8 (file));
++ return -1;
++ }
++
++ file_mark = header[4];
++ if (file_mark != 0x10)
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("'%s': is not a KCF palette file"),
++ gimp_filename_to_utf8 (file));
++ return -1;
++ }
++
+ bpp = header[5];
++ if (bpp != 12 && bpp != 24)
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("'%s': illegal bpp value in palette: %hhu"),
++ gimp_filename_to_utf8 (file), bpp);
++ return -1;
++ }
++
+ colours = header[8] + header[9] * 256;
+- if (bpp == 12)
++ if (colours != 16 && colours != 256)
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("'%s': illegal number of colors: %u"),
++ gimp_filename_to_utf8 (file), colours);
++ return -1;
++ }
++
++ switch (bpp)
+ {
++ case 12:
+ for (i = 0; i < colours; ++i)
+ {
+- fread (buffer, 1, 2, fp);
++ n_read = fread (buffer, 1, 2, fp);
++
++ if (n_read < 2)
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("'%s': EOF or error while reading "
++ "palette data"),
++ gimp_filename_to_utf8 (file));
++ return -1;
++ }
++
+ palette[i*3]= buffer[0] & 0xf0;
+ palette[i*3+1]= (buffer[1] & 0x0f) * 16;
+ palette[i*3+2]= (buffer[0] & 0x0f) * 16;
+ }
+- }
+- else
+- {
+- fread (palette, colours, 3, fp);
++ break;
++ case 24:
++ n_read = fread (palette, colours, 3, fp);
++
++ if (n_read < 3)
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("'%s': EOF or error while reading palette data"),
++ gimp_filename_to_utf8 (file));
++ return -1;
++ }
++ break;
++ default:
++ g_assert_not_reached ();
+ }
+ }
+ else
+@@ -532,7 +708,16 @@ load_palette (FILE *fp,
+ fseek (fp, 0, SEEK_SET);
+ for (i= 0; i < colours; ++i)
+ {
+- fread (buffer, 1, 2, fp);
++ n_read = fread (buffer, 1, 2, fp);
++
++ if (n_read < 2)
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("'%s': EOF or error while reading palette data"),
++ gimp_filename_to_utf8 (file));
++ return -1;
++ }
++
+ palette[i*3] = buffer[0] & 0xf0;
+ palette[i*3+1] = (buffer[1] & 0x0f) * 16;
+ palette[i*3+2] = (buffer[0] & 0x0f) * 16;
+--
+1.7.11.4
+
diff --git a/media-gfx/gimp/files/gimp-2.6.12-CVE-2012-3481.patch b/media-gfx/gimp/files/gimp-2.6.12-CVE-2012-3481.patch
new file mode 100644
index 000000000000..a5aee6a34473
--- /dev/null
+++ b/media-gfx/gimp/files/gimp-2.6.12-CVE-2012-3481.patch
@@ -0,0 +1,56 @@
+From 26b208c5aef5f7801bf0538f8df549f0bf8dcb92 Mon Sep 17 00:00:00 2001
+From: Nils Philippsen <nils@redhat.com>
+Date: Mon, 20 Aug 2012 15:30:33 +0200
+Subject: [PATCH] patch: CVE-2012-3481
+
+Squashed commit of the following:
+
+commit c56f3dc25cd4941f465e88bd91a0e107a4ac1b5e
+Author: Nils Philippsen <nils@redhat.com>
+Date: Tue Aug 14 15:27:39 2012 +0200
+
+ file-gif-load: fix type overflow (CVE-2012-3481)
+
+ Cast variables properly to avoid overflowing when computing how much
+ memory to allocate.
+ (cherry picked from commit 43fc9dbd8e2196944c8a71321e525b89b7df9f5c)
+
+commit 11e922a8cee5c9bb532e2a996d2db3beab6da6cb
+Author: Jan Lieskovsky <jlieskov@redhat.com>
+Date: Tue Aug 14 12:18:22 2012 +0200
+
+ file-gif-load: limit len and height (CVE-2012-3481)
+
+ Ensure values of len and height can't overflow g_malloc() argument type.
+ (cherry picked from commit d95c2f0bcb6775bdee2bef35b7d84f6dfd490783)
+---
+ plug-ins/common/file-gif-load.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
+index 8460ec0..295c351 100644
+--- a/plug-ins/common/file-gif-load.c
++++ b/plug-ins/common/file-gif-load.c
+@@ -1028,10 +1028,17 @@ ReadImage (FILE *fd,
+ cur_progress = 0;
+ max_progress = height;
+
++ if (len > (G_MAXSIZE / height / (alpha_frame ? (promote_to_rgb ? 4 : 2) : 1)))
++ {
++ g_message ("'%s' has a larger image size than GIMP can handle.",
++ gimp_filename_to_utf8 (filename));
++ return -1;
++ }
++
+ if (alpha_frame)
+- dest = (guchar *) g_malloc (len * height * (promote_to_rgb ? 4 : 2));
++ dest = (guchar *) g_malloc ((gsize)len * (gsize)height * (promote_to_rgb ? 4 : 2));
+ else
+- dest = (guchar *) g_malloc (len * height);
++ dest = (guchar *) g_malloc ((gsize)len * (gsize)height);
+
+ #ifdef GIFDEBUG
+ g_print ("GIF: reading %d by %d%s GIF image, ncols=%d\n",
+--
+1.7.11.4
+
diff --git a/media-gfx/gimp/files/gimp-2.6.12-fix-type-overflow-CVE-2012-3481.patch b/media-gfx/gimp/files/gimp-2.6.12-fix-type-overflow-CVE-2012-3481.patch
deleted file mode 100644
index 8ac0934038d9..000000000000
--- a/media-gfx/gimp/files/gimp-2.6.12-fix-type-overflow-CVE-2012-3481.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 407606bdbb404c0a1bf14751a394459e1bedfc08 Mon Sep 17 00:00:00 2001
-From: Nils Philippsen <nils@redhat.com>
-Date: Tue, 14 Aug 2012 15:27:39 +0200
-Subject: [PATCH 2/2] file-gif-load: fix type overflow (CVE-2012-3481)
-
-Cast variables properly to avoid overflowing when computing how much
-memory to allocate.
----
- plug-ins/common/file-gif-load.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
-index 909b184..b46ba08 100644
---- a/plug-ins/common/file-gif-load.c
-+++ b/plug-ins/common/file-gif-load.c
-@@ -1033,9 +1033,9 @@ ReadImage (FILE *fd,
- }
-
- if (alpha_frame)
-- dest = (guchar *) g_malloc (len * height * (promote_to_rgb ? 4 : 2));
-+ dest = (guchar *) g_malloc ((gsize)len * (gsize)height * (promote_to_rgb ? 4 : 2));
- else
-- dest = (guchar *) g_malloc (len * height);
-+ dest = (guchar *) g_malloc ((gsize)len * (gsize)height);
-
- #ifdef GIFDEBUG
- g_print ("GIF: reading %d by %d%s GIF image, ncols=%d\n",
---
-1.7.11.4
-
diff --git a/media-gfx/gimp/files/gimp-2.6.12-limit-len-and-height-CVE-2012-3481.patch b/media-gfx/gimp/files/gimp-2.6.12-limit-len-and-height-CVE-2012-3481.patch
deleted file mode 100644
index e94224bb47e4..000000000000
--- a/media-gfx/gimp/files/gimp-2.6.12-limit-len-and-height-CVE-2012-3481.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 4ec417c50d4cce935a87b5beab051e85cbfcec45 Mon Sep 17 00:00:00 2001
-From: Jan Lieskovsky <jlieskov@redhat.com>
-Date: Tue, 14 Aug 2012 12:18:22 +0200
-Subject: [PATCH 1/2] file-gif-load: limit len and height (CVE-2012-3481)
-
-Ensure values of len and height can't overflow g_malloc() argument type.
----
- plug-ins/common/file-gif-load.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
-index 9a0720b..909b184 100644
---- a/plug-ins/common/file-gif-load.c
-+++ b/plug-ins/common/file-gif-load.c
-@@ -1025,6 +1025,13 @@ ReadImage (FILE *fd,
- cur_progress = 0;
- max_progress = height;
-
-+ if (len > (G_MAXSIZE / height / (alpha_frame ? (promote_to_rgb ? 4 : 2) : 1)))
-+ {
-+ g_message ("'%s' has a larger image size than GIMP can handle.",
-+ gimp_filename_to_utf8 (filename));
-+ return -1;
-+ }
-+
- if (alpha_frame)
- dest = (guchar *) g_malloc (len * height * (promote_to_rgb ? 4 : 2));
- else
---
-1.7.11.4
-