[gimp/f16] fix overflow in GIF loader (CVE-2012-3481)
Nils Philippsen
nphilipp at fedoraproject.org
Mon Aug 20 13:35:50 UTC 2012
commit 48a48ec76d527cabaf20eefefac905915085039c
Author: Nils Philippsen <nils at redhat.com>
Date: Mon Aug 20 15:34:47 2012 +0200
fix overflow in GIF loader (CVE-2012-3481)
gimp-2.6.12-CVE-2012-3481.patch | 56 +++++++++++++++++++++++++++++++++++++++
gimp.spec | 3 ++
2 files changed, 59 insertions(+), 0 deletions(-)
---
diff --git a/gimp-2.6.12-CVE-2012-3481.patch b/gimp-2.6.12-CVE-2012-3481.patch
new file mode 100644
index 0000000..a5aee6a
--- /dev/null
+++ b/gimp-2.6.12-CVE-2012-3481.patch
@@ -0,0 +1,56 @@
+From 26b208c5aef5f7801bf0538f8df549f0bf8dcb92 Mon Sep 17 00:00:00 2001
+From: Nils Philippsen <nils at redhat.com>
+Date: Mon, 20 Aug 2012 15:30:33 +0200
+Subject: [PATCH] patch: CVE-2012-3481
+
+Squashed commit of the following:
+
+commit c56f3dc25cd4941f465e88bd91a0e107a4ac1b5e
+Author: Nils Philippsen <nils at redhat.com>
+Date: Tue Aug 14 15:27:39 2012 +0200
+
+ file-gif-load: fix type overflow (CVE-2012-3481)
+
+ Cast variables properly to avoid overflowing when computing how much
+ memory to allocate.
+ (cherry picked from commit 43fc9dbd8e2196944c8a71321e525b89b7df9f5c)
+
+commit 11e922a8cee5c9bb532e2a996d2db3beab6da6cb
+Author: Jan Lieskovsky <jlieskov at redhat.com>
+Date: Tue Aug 14 12:18:22 2012 +0200
+
+ file-gif-load: limit len and height (CVE-2012-3481)
+
+ Ensure values of len and height can't overflow g_malloc() argument type.
+ (cherry picked from commit d95c2f0bcb6775bdee2bef35b7d84f6dfd490783)
+---
+ plug-ins/common/file-gif-load.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
+index 8460ec0..295c351 100644
+--- a/plug-ins/common/file-gif-load.c
++++ b/plug-ins/common/file-gif-load.c
+@@ -1028,10 +1028,17 @@ ReadImage (FILE *fd,
+ cur_progress = 0;
+ max_progress = height;
+
++ if (len > (G_MAXSIZE / height / (alpha_frame ? (promote_to_rgb ? 4 : 2) : 1)))
++ {
++ g_message ("'%s' has a larger image size than GIMP can handle.",
++ gimp_filename_to_utf8 (filename));
++ return -1;
++ }
++
+ if (alpha_frame)
+- dest = (guchar *) g_malloc (len * height * (promote_to_rgb ? 4 : 2));
++ dest = (guchar *) g_malloc ((gsize)len * (gsize)height * (promote_to_rgb ? 4 : 2));
+ else
+- dest = (guchar *) g_malloc (len * height);
++ dest = (guchar *) g_malloc ((gsize)len * (gsize)height);
+
+ #ifdef GIFDEBUG
+ g_print ("GIF: reading %d by %d%s GIF image, ncols=%d\n",
+--
+1.7.11.4
+
diff --git a/gimp.spec b/gimp.spec
index bc68323..bdd6166 100644
--- a/gimp.spec
+++ b/gimp.spec
@@ -130,6 +130,7 @@ Patch2: gimp-2.6.6-minimize-dialogs.patch
Patch3: gimp-2.6.12-fits.patch
Patch4: gimp-2.6.12-CVE-2012-3403.patch
+Patch5: gimp-2.6.12-CVE-2012-3481.patch
%description
GIMP (GNU Image Manipulation Program) is a powerful image composition and
@@ -213,6 +214,7 @@ EOF
%patch2 -p1 -b .minimize-dialogs
%patch3 -p1 -b .fits
%patch4 -p1 -b .CVE-2012-3403
+%patch5 -p1 -b .CVE-2012-3481
%build
# Use PIC/PIE because gimp is likely to deal with files coming from untrusted
@@ -481,6 +483,7 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
* Mon Aug 20 2012 Nils Philippsen <nils at redhat.com> - 2:2.6.12-2
- fix crash in fits loader (#834627)
- fix overflow in CEL plug-in (CVE-2012-3403)
+- fix overflow in GIF loader (CVE-2012-3481)
* Tue Jan 31 2012 Nils Philippsen <nils at redhat.com> - 2:2.6.12-1
- version 2.6.12
More information about the scm-commits
mailing list