[gimp] file-gif-load: limit len and height (CVE-2012-3481)

From: Nils Philippsen <nphilipp src gnome org>
To: commits-list gnome org
Cc:
Subject: [gimp] file-gif-load: limit len and height (CVE-2012-3481)
Date: Mon, 20 Aug 2012 12:00:32 +0000 (UTC)

commit d95c2f0bcb6775bdee2bef35b7d84f6dfd490783
Author: Jan Lieskovsky <jlieskov redhat com>
Date:   Tue Aug 14 12:18:22 2012 +0200

    file-gif-load: limit len and height (CVE-2012-3481)
    
    Ensure values of len and height can't overflow g_malloc() argument type.

 plug-ins/common/file-gif-load.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)
---
diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
index 4fdbe7a..4287b46 100644
--- a/plug-ins/common/file-gif-load.c
+++ b/plug-ins/common/file-gif-load.c
@@ -1057,6 +1057,13 @@ ReadImage (FILE        *fd,
   cur_progress = 0;
   max_progress = height;
 
+  if (len > (G_MAXSIZE / height / (alpha_frame ? (promote_to_rgb ? 4 : 2) : 1)))
+  {
+    g_message ("'%s' has a larger image size than GIMP can handle.",
+               gimp_filename_to_utf8 (filename));
+    return -1;
+  }
+
   if (alpha_frame)
     dest = (guchar *) g_malloc (len * height * (promote_to_rgb ? 4 : 2));
   else

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]