[gimp] fix overflow in GIF loader (CVE-2012-3481)
Nils Philippsen
nphilipp at fedoraproject.org
Mon Aug 20 12:30:51 UTC 2012
commit cae01488c74e4902325592d7b81bf8746afd6198
Author: Nils Philippsen <nils at redhat.com>
Date: Mon Aug 20 14:28:14 2012 +0200
fix overflow in GIF loader (CVE-2012-3481)
gimp-2.8.0-CVE-2012-3481.patch | 56 ++++++++++++++++++++++++++++++++++++++++
gimp.spec | 3 ++
2 files changed, 59 insertions(+), 0 deletions(-)
---
diff --git a/gimp-2.8.0-CVE-2012-3481.patch b/gimp-2.8.0-CVE-2012-3481.patch
new file mode 100644
index 0000000..51bd699
--- /dev/null
+++ b/gimp-2.8.0-CVE-2012-3481.patch
@@ -0,0 +1,56 @@
+From b39f4582b80984f86701ab56f355c911cd448e15 Mon Sep 17 00:00:00 2001
+From: Nils Philippsen <nils at redhat.com>
+Date: Mon, 20 Aug 2012 14:18:49 +0200
+Subject: [PATCH] patch: CVE-2012-3481
+
+Squashed commit of the following:
+
+commit 52cce706d3d490d96e81d9cebff8c9796f33ff67
+Author: Nils Philippsen <nils at redhat.com>
+Date: Tue Aug 14 15:27:39 2012 +0200
+
+ file-gif-load: fix type overflow (CVE-2012-3481)
+
+ Cast variables properly to avoid overflowing when computing how much
+ memory to allocate.
+ (cherry picked from commit 43fc9dbd8e2196944c8a71321e525b89b7df9f5c)
+
+commit 562eefae83d6da5b70aaaccddd54c1f17c42f1b3
+Author: Jan Lieskovsky <jlieskov at redhat.com>
+Date: Tue Aug 14 12:18:22 2012 +0200
+
+ file-gif-load: limit len and height (CVE-2012-3481)
+
+ Ensure values of len and height can't overflow g_malloc() argument type.
+ (cherry picked from commit d95c2f0bcb6775bdee2bef35b7d84f6dfd490783)
+---
+ plug-ins/common/file-gif-load.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
+index 4fdbe7a..0bb9bc4 100644
+--- a/plug-ins/common/file-gif-load.c
++++ b/plug-ins/common/file-gif-load.c
+@@ -1057,10 +1057,17 @@ ReadImage (FILE *fd,
+ cur_progress = 0;
+ max_progress = height;
+
++ if (len > (G_MAXSIZE / height / (alpha_frame ? (promote_to_rgb ? 4 : 2) : 1)))
++ {
++ g_message ("'%s' has a larger image size than GIMP can handle.",
++ gimp_filename_to_utf8 (filename));
++ return -1;
++ }
++
+ if (alpha_frame)
+- dest = (guchar *) g_malloc (len * height * (promote_to_rgb ? 4 : 2));
++ dest = (guchar *) g_malloc ((gsize)len * (gsize)height * (promote_to_rgb ? 4 : 2));
+ else
+- dest = (guchar *) g_malloc (len * height);
++ dest = (guchar *) g_malloc ((gsize)len * (gsize)height);
+
+ #ifdef GIFDEBUG
+ g_print ("GIF: reading %d by %d%s GIF image, ncols=%d\n",
+--
+1.7.11.4
+
diff --git a/gimp.spec b/gimp.spec
index 6e3068a..b888cce 100644
--- a/gimp.spec
+++ b/gimp.spec
@@ -188,6 +188,7 @@ Patch0: gimp-%{version}%{dashprerel}-git%{gitrev}.patch.bz2
Patch1: gimp-2.8.0-fits.patch
Patch2: gimp-2.8.0-CVE-2012-3403.patch
+Patch3: gimp-2.8.0-CVE-2012-3481.patch
%description
GIMP (GNU Image Manipulation Program) is a powerful image composition and
@@ -272,6 +273,7 @@ EOF
%patch1 -p1 -b .fits
%patch2 -p1 -b .CVE-2012-3403
+%patch3 -p1 -b .CVE-2012-3481
%build
%if %{with hardening}
@@ -547,6 +549,7 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
* Mon Aug 20 2012 Nils Philippsen <nils at redhat.com> - 2:2.8.0-3
- fix crash in fits loader (#834627)
- fix overflow in CEL plug-in (CVE-2012-3403)
+- fix overflow in GIF loader (CVE-2012-3481)
* Thu Jul 19 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2:2.8.0-2.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
More information about the scm-commits
mailing list