Projects
Mega:24.03:SP1:Everything
gdk-pixbuf2
_service:tar_scm:backport-CVE-2022-48622.patch
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm:backport-CVE-2022-48622.patch of Package gdk-pixbuf2
From 00c071dd11f723ca608608eef45cb1aa98da89cc Mon Sep 17 00:00:00 2001 From: Benjamin Gilbert <bgilbert@backtick.net> Date: Tue, 30 Apr 2024 07:26:54 -0500 Subject: [PATCH 1/3] ANI: Reject files with multiple anih chunks An anih chunk causes us to initialize a bunch of state, which we only expect to do once per file. Fixes: #202 Fixes: CVE-2022-48622 --- gdk-pixbuf/io-ani.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c index c6c4642cf4..a78ea7ace4 100644 --- a/gdk-pixbuf/io-ani.c +++ b/gdk-pixbuf/io-ani.c @@ -295,6 +295,15 @@ ani_load_chunk (AniLoaderContext *context, GError **error) if (context->chunk_id == TAG_anih) { + if (context->animation) + { + g_set_error_literal (error, + GDK_PIXBUF_ERROR, + GDK_PIXBUF_ERROR_CORRUPT_IMAGE, + _("Invalid header in animation")); + return FALSE; + } + context->HeaderSize = read_int32 (context); context->NumFrames = read_int32 (context); context->NumSteps = read_int32 (context); -- GitLab From d52134373594ff76614fb415125b0d1c723ddd56 Mon Sep 17 00:00:00 2001 From: Benjamin Gilbert <bgilbert@backtick.net> Date: Tue, 30 Apr 2024 07:13:37 -0500 Subject: [PATCH 2/3] ANI: Reject files with multiple INAM or IART chunks There should be at most one chunk each. These would cause memory leaks otherwise. --- gdk-pixbuf/io-ani.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c index a78ea7ace4..8e8414117c 100644 --- a/gdk-pixbuf/io-ani.c +++ b/gdk-pixbuf/io-ani.c @@ -445,7 +445,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error) } else if (context->chunk_id == TAG_INAM) { - if (!context->animation) + if (!context->animation || context->title) { g_set_error_literal (error, GDK_PIXBUF_ERROR, @@ -472,7 +472,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error) } else if (context->chunk_id == TAG_IART) { - if (!context->animation) + if (!context->animation || context->author) { g_set_error_literal (error, GDK_PIXBUF_ERROR, -- GitLab From 91b8aa5cd8a0eea28acb51f0e121827ca2e7eb78 Mon Sep 17 00:00:00 2001 From: Benjamin Gilbert <bgilbert@backtick.net> Date: Tue, 30 Apr 2024 08:17:25 -0500 Subject: [PATCH 3/3] ANI: Validate anih chunk size Before reading a chunk, we verify that enough bytes are available to match the chunk size declared by the file. However, uniquely, the anih chunk loader doesn't verify that this size matches the number of bytes it actually intends to read. Thus, if the chunk size is too small and the file ends in the middle of the chunk, we populate some context fields with stack garbage. (But we'd still fail later on because the file doesn't contain any images.) Fix this. --- gdk-pixbuf/io-ani.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c index 8e8414117c..cfafd7b196 100644 --- a/gdk-pixbuf/io-ani.c +++ b/gdk-pixbuf/io-ani.c @@ -295,6 +295,14 @@ ani_load_chunk (AniLoaderContext *context, GError **error) if (context->chunk_id == TAG_anih) { + if (context->chunk_size < 36) + { + g_set_error_literal (error, + GDK_PIXBUF_ERROR, + GDK_PIXBUF_ERROR_CORRUPT_IMAGE, + _("Malformed chunk in animation")); + return FALSE; + } if (context->animation) { g_set_error_literal (error, -- GitLab
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2