[gimp] fix heap corruption and buffer overflow in file-gif-load plugin
Nils Philippsen
nphilipp at fedoraproject.org
Fri Aug 12 13:12:00 UTC 2011
commit 27bebf13f8348147e145a740be73cfa36f43c0f6
Author: Nils Philippsen <nils at redhat.com>
Date: Fri Aug 12 15:10:16 2011 +0200
fix heap corruption and buffer overflow in file-gif-load plugin
(CVE-2011-2896)
gimp-2.6.11-gif-load.patch | 108 ++++++++++++++++++++++++++++++++++++++++++++
gimp.spec | 5 ++
2 files changed, 113 insertions(+), 0 deletions(-)
---
diff --git a/gimp-2.6.11-gif-load.patch b/gimp-2.6.11-gif-load.patch
new file mode 100644
index 0000000..ac9e6cd
--- /dev/null
+++ b/gimp-2.6.11-gif-load.patch
@@ -0,0 +1,108 @@
+From 631856a2021d60d29e96d07872c06246eff25a96 Mon Sep 17 00:00:00 2001
+From: Nils Philippsen <nils at redhat.com>
+Date: Fri, 12 Aug 2011 14:44:52 +0200
+Subject: [PATCH] patch: gif-load
+
+Squashed commit of the following:
+
+commit 366d6b546e8fb91909550a61abeafc11672667c4
+Author: Nils Philippsen <nils at redhat.com>
+Date: Thu Aug 4 12:51:42 2011 +0200
+
+ file-gif-load: fix heap corruption and buffer overflow (CVE-2011-2896)
+ (cherry picked from commit 376ad788c1a1c31d40f18494889c383f6909ebfc)
+
+commit 3c5864851ea5fe8f89d273ee8ac4df0c1101b315
+Author: Nils Philippsen <nils at redhat.com>
+Date: Thu Aug 4 12:47:44 2011 +0200
+
+ file-gif-load: ensure return value of LZWReadByte() is <= 255
+ (cherry picked from commit b1a3de761362db982c0ddfaff60ab4a3c4267f32)
+---
+ plug-ins/common/file-gif-load.c | 25 ++++++++++++++-----------
+ 1 files changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
+index 9a0720b..8460ec0 100644
+--- a/plug-ins/common/file-gif-load.c
++++ b/plug-ins/common/file-gif-load.c
+@@ -697,7 +697,8 @@ LZWReadByte (FILE *fd,
+ static gint firstcode, oldcode;
+ static gint clear_code, end_code;
+ static gint table[2][(1 << MAX_LZW_BITS)];
+- static gint stack[(1 << (MAX_LZW_BITS)) * 2], *sp;
++#define STACK_SIZE ((1 << (MAX_LZW_BITS)) * 2)
++ static gint stack[STACK_SIZE], *sp;
+ gint i;
+
+ if (just_reset_LZW)
+@@ -743,11 +744,11 @@ LZWReadByte (FILE *fd,
+ }
+ while (firstcode == clear_code);
+
+- return firstcode;
++ return firstcode & 255;
+ }
+
+ if (sp > stack)
+- return *--sp;
++ return (*--sp) & 255;
+
+ while ((code = GetCode (fd, code_size, FALSE)) >= 0)
+ {
+@@ -770,9 +771,9 @@ LZWReadByte (FILE *fd,
+ sp = stack;
+ firstcode = oldcode = GetCode (fd, code_size, FALSE);
+
+- return firstcode;
++ return firstcode & 255;
+ }
+- else if (code == end_code)
++ else if (code == end_code || code > max_code)
+ {
+ gint count;
+ guchar buf[260];
+@@ -791,13 +792,14 @@ LZWReadByte (FILE *fd,
+
+ incode = code;
+
+- if (code >= max_code)
++ if (code == max_code)
+ {
+- *sp++ = firstcode;
++ if (sp < &(stack[STACK_SIZE]))
++ *sp++ = firstcode;
+ code = oldcode;
+ }
+
+- while (code >= clear_code)
++ while (code >= clear_code && sp < &(stack[STACK_SIZE]))
+ {
+ *sp++ = table[1][code];
+ if (code == table[0][code])
+@@ -808,7 +810,8 @@ LZWReadByte (FILE *fd,
+ code = table[0][code];
+ }
+
+- *sp++ = firstcode = table[1][code];
++ if (sp < &(stack[STACK_SIZE]))
++ *sp++ = firstcode = table[1][code];
+
+ if ((code = max_code) < (1 << MAX_LZW_BITS))
+ {
+@@ -826,10 +829,10 @@ LZWReadByte (FILE *fd,
+ oldcode = incode;
+
+ if (sp > stack)
+- return *--sp;
++ return (*--sp) & 255;
+ }
+
+- return code;
++ return code & 255;
+ }
+
+ static gint32
+--
+1.7.6
+
diff --git a/gimp.spec b/gimp.spec
index 86817f3..9f569e5 100644
--- a/gimp.spec
+++ b/gimp.spec
@@ -153,6 +153,8 @@ Patch9: gimp-2.6.11-CVE-2010-4540,4541,4542.patch
Patch10: gimp-2.6.11-shell-dnd-quit-crash.patch
# backport: fix goption warning on startup
Patch11: gimp-2.6.11-startup-warning.patch
+# CVE-2011-2896: fix heap corruption and buffer overflow, upstreamed
+Patch12: gimp-2.6.11-gif-load.patch
# files changed by autoreconf after applying the above
Patch100: gimp-2.6.11-11-autoreconf.patch.bz2
@@ -245,6 +247,7 @@ EOF
%patch9 -p1 -b .CVE-2010-4540,4541,4542
%patch10 -p1 -b .shell-dnd-quit-crash
%patch11 -p1 -b .startup-warning
+%patch12 -p1 -b .gif-load
%patch100 -p1 -b .autoreconf
@@ -514,6 +517,8 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
%changelog
* Fri Aug 12 2011 Nils Philippsen <nils at redhat.com> - 2:2.6.11-21
- actually apply startup-warning patch
+- fix heap corruption and buffer overflow in file-gif-load plugin
+ (CVE-2011-2896)
* Thu Aug 04 2011 Nils Philippsen <nils at redhat.com> - 2:2.6.11-20
- fix goption warning on startup, patch by Mikael Magnusson
More information about the scm-commits
mailing list