[gdk-pixbuf] GIF: Don't return a partially initialized pixbuf structure

From: Matthias Clasen <matthiasc src gnome org>
To: commits-list gnome org
Cc:
Subject: [gdk-pixbuf] GIF: Don't return a partially initialized pixbuf structure
Date: Fri, 24 Jun 2011 05:12:07 +0000 (UTC)

commit f8569bb13e2aa1584dde61ca545144750f7a7c98
Author: Matthias Clasen <mclasen redhat com>
Date:   Fri Jun 24 01:09:35 2011 -0400

    GIF: Don't return a partially initialized pixbuf structure
    
    It was found that gdk-pixbuf GIF image loader gdk_pixbuf__gif_image_load()
    routine did not properly handle certain return values from their subroutines.
    A remote attacker could provide a specially-crafted GIF image, which once
    opened in an application, linked against gdk-pixbuf would lead to gdk-pixbuf
    to return partially initialized pixbuf structure, possibly having huge
    width and height, leading to that particular application termination due
    excessive memory use.
    
    The CVE identifier of CVE-2011-2485 has been assigned to this issue.

 gdk-pixbuf/io-gif.c |    9 ++++++++-
 1 files changed, 8 insertions(+), 1 deletions(-)
---
diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
index 0b370ee..8a1fa3e 100644
--- a/gdk-pixbuf/io-gif.c
+++ b/gdk-pixbuf/io-gif.c
@@ -1455,6 +1455,7 @@ gdk_pixbuf__gif_image_load (FILE *file, GError **error)
 {
 	GifContext *context;
 	GdkPixbuf *pixbuf;
+        gint retval;
 
 	g_return_val_if_fail (file != NULL, NULL);
 
@@ -1472,19 +1473,25 @@ gdk_pixbuf__gif_image_load (FILE *file, GError **error)
         context->error = error;
         context->stop_after_first_frame = TRUE;
 
-	if (gif_main_loop (context) == -1 || context->animation->frames == NULL) {
+        retval = gif_main_loop (context);
+	if (retval == -1 || context->animation->frames == NULL) {
                 if (context->error && *(context->error) == NULL)
                         g_set_error_literal (context->error,
                                              GDK_PIXBUF_ERROR,
                                              GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
                                              _("GIF file was missing some data (perhaps it was truncated somehow?)"));
         }
+        else if (retval == -2) {
+                pixbuf = NULL;
+                goto out;
+        }
         
         pixbuf = gdk_pixbuf_animation_get_static_image (GDK_PIXBUF_ANIMATION (context->animation));
 
         if (pixbuf)
                 g_object_ref (pixbuf);
 
+out:
         g_object_unref (context->animation);
         
         g_free (context->buf);

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]