[gimp/gimp-2-8] Bug 789436 - Fix out of boundary write in file-xmc.c.
- From: N/A <ell src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gimp/gimp-2-8] Bug 789436 - Fix out of boundary write in file-xmc.c.
- Date: Tue, 24 Oct 2017 23:32:47 +0000 (UTC)
commit 679ecb80e96a9859627c4fe449fc1d011d92b9d2
Author: Tobias Stoeckmann <tobias stoeckmann org>
Date: Tue Oct 24 21:37:35 2017 +0200
Bug 789436 - Fix out of boundary write in file-xmc.c.
A malicious XMC file can contain an invalid TOC count, which could lead
to an out of boundary write on 32 bit systems due to integer overflow.
This error occurs during thumbnail creation.
Signed-off-by: Tobias Stoeckmann <tobias stoeckmann org>
(cherry picked from commit 9a073508f760fe100ea1864c07dfaadd90aaf30e)
plug-ins/common/file-xmc.c | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)
---
diff --git a/plug-ins/common/file-xmc.c b/plug-ins/common/file-xmc.c
index a75c8fb..f530ae5 100644
--- a/plug-ins/common/file-xmc.c
+++ b/plug-ins/common/file-xmc.c
@@ -858,6 +858,13 @@ load_thumbnail (const gchar *filename, gint32 thumb_size,
fseek (fp, 12, SEEK_SET);
/* read the number of chunks */
ntoc = READ32 (fp, error)
+ if (ntoc > (G_MAXINT32 / sizeof (guint32)))
+ {
+ g_set_error (error, 0, 0,
+ "'%s' seems to have an incorrect toc size.",
+ gimp_filename_to_utf8 (filename));
+ return -1;
+ }
positions = g_malloc (ntoc * sizeof (guint32));
/* enter list of toc(table of contents) */
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]