[gimp] fix heap corruption and buffer overflow in file-gif-load plugin

Nils Philippsen nphilipp at fedoraproject.org
Fri Aug 12 13:12:00 UTC 2011


commit 27bebf13f8348147e145a740be73cfa36f43c0f6
Author: Nils Philippsen <nils at redhat.com>
Date:   Fri Aug 12 15:10:16 2011 +0200

    fix heap corruption and buffer overflow in file-gif-load plugin
    
    (CVE-2011-2896)

 gimp-2.6.11-gif-load.patch |  108 ++++++++++++++++++++++++++++++++++++++++++++
 gimp.spec                  |    5 ++
 2 files changed, 113 insertions(+), 0 deletions(-)
---
diff --git a/gimp-2.6.11-gif-load.patch b/gimp-2.6.11-gif-load.patch
new file mode 100644
index 0000000..ac9e6cd
--- /dev/null
+++ b/gimp-2.6.11-gif-load.patch
@@ -0,0 +1,108 @@
+From 631856a2021d60d29e96d07872c06246eff25a96 Mon Sep 17 00:00:00 2001
+From: Nils Philippsen <nils at redhat.com>
+Date: Fri, 12 Aug 2011 14:44:52 +0200
+Subject: [PATCH] patch: gif-load
+
+Squashed commit of the following:
+
+commit 366d6b546e8fb91909550a61abeafc11672667c4
+Author: Nils Philippsen <nils at redhat.com>
+Date:   Thu Aug 4 12:51:42 2011 +0200
+
+    file-gif-load: fix heap corruption and buffer overflow (CVE-2011-2896)
+    (cherry picked from commit 376ad788c1a1c31d40f18494889c383f6909ebfc)
+
+commit 3c5864851ea5fe8f89d273ee8ac4df0c1101b315
+Author: Nils Philippsen <nils at redhat.com>
+Date:   Thu Aug 4 12:47:44 2011 +0200
+
+    file-gif-load: ensure return value of LZWReadByte() is <= 255
+    (cherry picked from commit b1a3de761362db982c0ddfaff60ab4a3c4267f32)
+---
+ plug-ins/common/file-gif-load.c |   25 ++++++++++++++-----------
+ 1 files changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
+index 9a0720b..8460ec0 100644
+--- a/plug-ins/common/file-gif-load.c
++++ b/plug-ins/common/file-gif-load.c
+@@ -697,7 +697,8 @@ LZWReadByte (FILE *fd,
+   static gint firstcode, oldcode;
+   static gint clear_code, end_code;
+   static gint table[2][(1 << MAX_LZW_BITS)];
+-  static gint stack[(1 << (MAX_LZW_BITS)) * 2], *sp;
++#define STACK_SIZE ((1 << (MAX_LZW_BITS)) * 2)
++  static gint stack[STACK_SIZE], *sp;
+   gint        i;
+ 
+   if (just_reset_LZW)
+@@ -743,11 +744,11 @@ LZWReadByte (FILE *fd,
+         }
+       while (firstcode == clear_code);
+ 
+-      return firstcode;
++      return firstcode & 255;
+     }
+ 
+   if (sp > stack)
+-    return *--sp;
++    return (*--sp) & 255;
+ 
+   while ((code = GetCode (fd, code_size, FALSE)) >= 0)
+     {
+@@ -770,9 +771,9 @@ LZWReadByte (FILE *fd,
+           sp            = stack;
+           firstcode     = oldcode = GetCode (fd, code_size, FALSE);
+ 
+-          return firstcode;
++          return firstcode & 255;
+         }
+-      else if (code == end_code)
++      else if (code == end_code || code > max_code)
+         {
+           gint   count;
+           guchar buf[260];
+@@ -791,13 +792,14 @@ LZWReadByte (FILE *fd,
+ 
+       incode = code;
+ 
+-      if (code >= max_code)
++      if (code == max_code)
+         {
+-          *sp++ = firstcode;
++          if (sp < &(stack[STACK_SIZE]))
++            *sp++ = firstcode;
+           code = oldcode;
+         }
+ 
+-      while (code >= clear_code)
++      while (code >= clear_code && sp < &(stack[STACK_SIZE]))
+         {
+           *sp++ = table[1][code];
+           if (code == table[0][code])
+@@ -808,7 +810,8 @@ LZWReadByte (FILE *fd,
+           code = table[0][code];
+         }
+ 
+-      *sp++ = firstcode = table[1][code];
++      if (sp < &(stack[STACK_SIZE]))
++        *sp++ = firstcode = table[1][code];
+ 
+       if ((code = max_code) < (1 << MAX_LZW_BITS))
+         {
+@@ -826,10 +829,10 @@ LZWReadByte (FILE *fd,
+       oldcode = incode;
+ 
+       if (sp > stack)
+-        return *--sp;
++        return (*--sp) & 255;
+     }
+ 
+-  return code;
++  return code & 255;
+ }
+ 
+ static gint32
+-- 
+1.7.6
+
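Review bot: The final `return code & 255;` at the end of the hunk is reached only when the `while ((code = GetCode (fd, code_size, FALSE)) >= 0)` condition fails, so `code` is negative there and the mask converts GetCode's failure sentinel into an in-range pixel value (-1 becomes 255), which means a caller that stops on a negative result can no longer tell truncated or corrupt input from a real pixel. The same masking is applied to `firstcode` immediately after it is fetched from GetCode (the `return firstcode & 255;` lines), so those returns have the same problem if GetCode reports failure that way. Propagate the sentinel instead: `return code < 0 ? code : (code & 255);`, and `if (firstcode < 0) return firstcode;` ahead of each `return firstcode & 255;` — LZWReadByte's signature, GetCode and the calling loop are all outside the hunk, so confirm they use a negative return for EOF/error before relying on this. Separately, the three `sp < &(stack[STACK_SIZE])` guards make a stack overrun memory-safe but silently drop decoded output once the bound is hit; a decode string can only exceed STACK_SIZE on malformed input, so handling it like the `end_code` branch would make the failure visible rather than producing a garbled image. The `#define STACK_SIZE` introduced among the function's local declarations is never `#undef`ed, so it leaks into the rest of the translation unit.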
diff --git a/gimp.spec b/gimp.spec
index 86817f3..9f569e5 100644
--- a/gimp.spec
+++ b/gimp.spec
@@ -153,6 +153,8 @@ Patch9:         gimp-2.6.11-CVE-2010-4540,4541,4542.patch
 Patch10:        gimp-2.6.11-shell-dnd-quit-crash.patch
 # backport: fix goption warning on startup
 Patch11:        gimp-2.6.11-startup-warning.patch
+# CVE-2011-2896: fix heap corruption and buffer overflow, upstreamed
+Patch12:        gimp-2.6.11-gif-load.patch
 # files changed by autoreconf after applying the above
 Patch100:       gimp-2.6.11-11-autoreconf.patch.bz2
 
@@ -245,6 +247,7 @@ EOF
 %patch9 -p1 -b .CVE-2010-4540,4541,4542
 %patch10 -p1 -b .shell-dnd-quit-crash
 %patch11 -p1 -b .startup-warning
+%patch12 -p1 -b .gif-load
 
 %patch100 -p1 -b .autoreconf
 
@@ -514,6 +517,8 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 %changelog
 * Fri Aug 12 2011 Nils Philippsen <nils at redhat.com> - 2:2.6.11-21
 - actually apply startup-warning patch
+- fix heap corruption and buffer overflow in file-gif-load plugin
+  (CVE-2011-2896)
 
 * Thu Aug 04 2011 Nils Philippsen <nils at redhat.com> - 2:2.6.11-20
 - fix goption warning on startup, patch by Mikael Magnusson

