[gimp] Bug 789436 - Fix out of boundary write in file-xmc.c.

From: N/A <ell src gnome org>
To: commits-list gnome org
Cc:
Subject: [gimp] Bug 789436 - Fix out of boundary write in file-xmc.c.
Date: Tue, 24 Oct 2017 23:32:29 +0000 (UTC)

commit 9a073508f760fe100ea1864c07dfaadd90aaf30e
Author: Tobias Stoeckmann <tobias stoeckmann org>
Date:   Tue Oct 24 21:37:35 2017 +0200

    Bug 789436 - Fix out of boundary write in file-xmc.c.
    
    A malicious XMC file can contain an invalid TOC count, which could lead
    to an out of boundary write on 32 bit systems due to integer overflow.
    
    This error occurs during thumbnail creation.
    
    Signed-off-by: Tobias Stoeckmann <tobias stoeckmann org>

 plug-ins/common/file-xmc.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)
---
diff --git a/plug-ins/common/file-xmc.c b/plug-ins/common/file-xmc.c
index cae84be..2903ccf 100644
--- a/plug-ins/common/file-xmc.c
+++ b/plug-ins/common/file-xmc.c
@@ -857,6 +857,13 @@ load_thumbnail (const gchar *filename,
   fseek (fp, 12, SEEK_SET);
   /* read the number of chunks */
   ntoc = READ32 (fp, error)
+  if (ntoc > (G_MAXINT32 / sizeof (guint32)))
+    {
+      g_set_error (error, 0, 0,
+                   "'%s' seems to have an incorrect toc size.",
+                   gimp_filename_to_utf8 (filename));
+      return -1;
+    }
   positions = g_malloc (ntoc * sizeof (guint32));
 
   /* enter list of toc(table of contents) */

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]