[gdk-pixbuf] qtif: Avoid buffer overrun on short reads



commit 92ac5e82a01a378189e149094a7cf80795203d96
Author: Bastien Nocera <hadess hadess net>
Date:   Tue Dec 13 19:16:19 2016 +0100

    qtif: Avoid buffer overrun on short reads
    
    When filling the QTIF buffer, stop looping when we've copied 'size'
    bytes, not when the buffer is filled. This fixes out-of-bounds accesses
    when size is shorter than the expected header.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=775648

 gdk-pixbuf/io-qtif.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
---
diff --git a/gdk-pixbuf/io-qtif.c b/gdk-pixbuf/io-qtif.c
index 0bd3d5f..c814c9d 100644
--- a/gdk-pixbuf/io-qtif.c
+++ b/gdk-pixbuf/io-qtif.c
@@ -432,7 +432,7 @@ static gboolean gdk_pixbuf__qtif_image_load_increment (gpointer data,
             context->atom_count--;
 
             /* Copy to header buffer in context, in case supplied data is not enough. */
-            while(context->run_length < sizeof(QtHeader))
+            while (context->run_length < sizeof(QtHeader) && size > 0u)
             {
                 context->header_buffer[context->run_length] = *buf;
                 context->run_length++;
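Review bot: The new `size > 0u` guard on the `while` only bounds the read of `*buf` if the loop body also decrements `size` and advances `buf` on every iteration, and those statements fall outside this hunk (the loop body and the rest of `gdk_pixbuf__qtif_image_load_increment` continue past the last line shown), so that should be confirmed. When the loop now exits early on a short read, `header_buffer` holds only `run_length` valid bytes, so the code after the loop should parse the header only when `context->run_length == sizeof(QtHeader)` and otherwise return and wait for the next increment. The comment above the loop could record this, e.g. `/* Copy at most 'size' bytes; the header may stay partial until the next call. */`. A regression test that feeds a truncated QTIF stream in small chunks would pin the fix.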

