| 1 |
pacho 11/07/04 11:39:50 |
| 2 |
|
| 3 |
Added: gdk-pixbuf-2.22.1-CVE-2011-2485.patch |
| 4 |
Log: |
| 5 |
GIF: Don't return a partially initialized pixbuf structure, fix security bug #373999 by Tim Sammut. |
| 6 |
|
| 7 |
(Portage version: 2.1.10.3/cvs/Linux x86_64) |
| 8 |
|
| 9 |
Revision Changes Path |
| 10 |
1.1 x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.22.1-CVE-2011-2485.patch |
| 11 |
|
| 12 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.22.1-CVE-2011-2485.patch?rev=1.1&view=markup |
| 13 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.22.1-CVE-2011-2485.patch?rev=1.1&content-type=text/plain |
| 14 |
|
| 15 |
Index: gdk-pixbuf-2.22.1-CVE-2011-2485.patch |
| 16 |
=================================================================== |
| 17 |
From f8569bb13e2aa1584dde61ca545144750f7a7c98 Mon Sep 17 00:00:00 2001 |
| 18 |
From: Matthias Clasen <mclasen@××××××.com> |
| 19 |
Date: Fri, 24 Jun 2011 05:09:35 +0000 |
| 20 |
Subject: GIF: Don't return a partially initialized pixbuf structure |
| 21 |
|
| 22 |
It was found that gdk-pixbuf GIF image loader gdk_pixbuf__gif_image_load() |
| 23 |
routine did not properly handle certain return values from their subroutines. |
| 24 |
A remote attacker could provide a specially-crafted GIF image, which once |
| 25 |
opened in an application, linked against gdk-pixbuf would lead to gdk-pixbuf |
| 26 |
to return partially initialized pixbuf structure, possibly having huge |
| 27 |
width and height, leading to that particular application termination due |
| 28 |
excessive memory use. |
| 29 |
|
| 30 |
The CVE identifier of CVE-2011-2485 has been assigned to this issue. |
| 31 |
--- |
| 32 |
diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c |
| 33 |
index 0b370ee..8a1fa3e 100644 |
| 34 |
--- a/gdk-pixbuf/io-gif.c |
| 35 |
+++ b/gdk-pixbuf/io-gif.c |
| 36 |
@@ -1455,6 +1455,7 @@ gdk_pixbuf__gif_image_load (FILE *file, GError **error) |
| 37 |
{ |
| 38 |
GifContext *context; |
| 39 |
GdkPixbuf *pixbuf; |
| 40 |
+ gint retval; |
| 41 |
|
| 42 |
g_return_val_if_fail (file != NULL, NULL); |
| 43 |
|
| 44 |
@@ -1472,19 +1473,25 @@ gdk_pixbuf__gif_image_load (FILE *file, GError **error) |
| 45 |
context->error = error; |
| 46 |
context->stop_after_first_frame = TRUE; |
| 47 |
|
| 48 |
- if (gif_main_loop (context) == -1 || context->animation->frames == NULL) { |
| 49 |
+ retval = gif_main_loop (context); |
| 50 |
+ if (retval == -1 || context->animation->frames == NULL) { |
| 51 |
if (context->error && *(context->error) == NULL) |
| 52 |
g_set_error_literal (context->error, |
| 53 |
GDK_PIXBUF_ERROR, |
| 54 |
GDK_PIXBUF_ERROR_CORRUPT_IMAGE, |
| 55 |
_("GIF file was missing some data (perhaps it was truncated somehow?)")); |
| 56 |
} |
| 57 |
+ else if (retval == -2) { |
| 58 |
+ pixbuf = NULL; |
| 59 |
+ goto out; |
| 60 |
+ } |
| 61 |
|
| 62 |
pixbuf = gdk_pixbuf_animation_get_static_image (GDK_PIXBUF_ANIMATION (context->animation)); |
| 63 |
|
| 64 |
if (pixbuf) |
| 65 |
g_object_ref (pixbuf); |
| 66 |
|
| 67 |
+out: |
| 68 |
g_object_unref (context->animation); |
| 69 |
|
| 70 |
g_free (context->buf); |
| 71 |
-- |
| 72 |
cgit v0.9 |
Archives