[gimp/gimp-2-8] Revert "Bug 790784 - (CVE-2017-17784) heap overread in gbr parser / load_image."
- From: Jehan Pagès <jehanp src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gimp/gimp-2-8] Revert "Bug 790784 - (CVE-2017-17784) heap overread in gbr parser / load_image."
- Date: Fri, 5 Jan 2018 20:26:59 +0000 (UTC)
commit 3eaeff31f03dd478587ec4d5a30a7b896336063d
Author: Jehan <jehan girinstud io>
Date: Fri Jan 5 21:22:59 2018 +0100
Revert "Bug 790784 - (CVE-2017-17784) heap overread in gbr parser / load_image."
This reverts commit c57f9dcf1934a9ab0cd67650f2dea18cb0902270.
The CVE is still fixed but now in a different way. Commit 4fa0cd4dcf
passes instead the accurate string length when using the string, hence
making it work even when not NUL-terminated. This has the advantage of
having the GBR file loaded in the end, despite such file format error. I
am personally not persuaded this is the best path since a file with such
an error may either be corrupted, or worse may have been constructed on
purpose to be harmful, so rejecting it directly may be the safe choice.
Nevertheless I may also be too doubtful and maybe trying to save a
slightly corrupted file may be the nicest choice indeed.
plug-ins/common/file-gbr.c | 3 +--
1 files changed, 1 insertions(+), 2 deletions(-)
---
diff --git a/plug-ins/common/file-gbr.c b/plug-ins/common/file-gbr.c
index 8a6558d..ae00a4a 100644
--- a/plug-ins/common/file-gbr.c
+++ b/plug-ins/common/file-gbr.c
@@ -450,8 +450,7 @@ load_image (const gchar *filename,
{
gchar *temp = g_new (gchar, bn_size);
- if ((read (fd, temp, bn_size)) < bn_size ||
- temp[bn_size - 1] != '\0')
+ if ((read (fd, temp, bn_size)) < bn_size)
{
g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
_("Error in GIMP brush file '%s'"),
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]