eog r4601 - in trunk: . src

From: friemann svn gnome org
To: svn-commits-list gnome org
Subject: eog r4601 - in trunk: . src
Date: Sat, 7 Jun 2008 16:00:16 +0000 (UTC)

Author: friemann
Date: Sat Jun  7 16:00:16 2008
New Revision: 4601
URL: http://svn.gnome.org/viewvc/eog?rev=4601&view=rev

Log:
2008-06-07  Felix Riemann  <friemann svn gnome org>

	* src/eog-metadata-reader-png.c: (eog_metadata_reader_png_consume):
	As an additional security measure, check if the chunk size is in the
	limits given by the PNG specs.


Modified:
   trunk/ChangeLog
   trunk/src/eog-metadata-reader-png.c

Modified: trunk/src/eog-metadata-reader-png.c
==============================================================================
--- trunk/src/eog-metadata-reader-png.c	(original)
+++ trunk/src/eog-metadata-reader-png.c	Sat Jun  7 16:00:16 2008
@@ -232,9 +232,19 @@
 			break;			
 		case EMR_READ_SIZE_LOW_LOW_BYTE:
 			/* Read the high byte of the size's low word */
-			priv->size |= (buf [i] & 0xff);			
-			priv->state = EMR_READ_CHUNK_NAME;
-			priv->sub_step = 0; /* Make sure sub_step is 0 before next step */
+			priv->size |= (buf [i] & 0xff);
+			/* The maximum chunk length is 2^31-1 */
+			if (G_LIKELY (priv->size <= (guint32) 0x7fffffff)) {
+				priv->state = EMR_READ_CHUNK_NAME;
+				/* Make sure sub_step is 0 before next step */
+				priv->sub_step = 0;
+			} else {
+				priv->state = EMR_FINISHED;
+				eog_debug_message (DEBUG_IMAGE_DATA,
+						   "chunk size larger than "
+						   "2^31-1; stopping parser");
+			}
+
 			break;
 		case EMR_READ_CHUNK_NAME:
 			/* Read the 4-byte chunk name */

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]