[gimp] avoid buffer overflows in file-xwd plug-in
Nils Philippsen
nphilipp at fedoraproject.org
Wed Dec 4 10:32:38 UTC 2013
commit 317c5fc75aea10acd13285ebaf69abde22d936e3
Author: Nils Philippsen <nils at redhat.com>
Date: Wed Dec 4 11:31:57 2013 +0100
avoid buffer overflows in file-xwd plug-in
Resolves: CVE-2013-1913, CVE-2013-1978
gimp-2.8.10-CVE-2013-1913,1978.patch | 177 ++++++++++++++++++++++++++++++++++
gimp.spec | 12 ++-
2 files changed, 188 insertions(+), 1 deletions(-)
---
diff --git a/gimp-2.8.10-CVE-2013-1913,1978.patch b/gimp-2.8.10-CVE-2013-1913,1978.patch
new file mode 100644
index 0000000..07ea61b
--- /dev/null
+++ b/gimp-2.8.10-CVE-2013-1913,1978.patch
@@ -0,0 +1,177 @@
+From e3a100aa5872a19c10aadcf27a569465970347fe Mon Sep 17 00:00:00 2001
+From: Nils Philippsen <nils at redhat.com>
+Date: Wed, 4 Dec 2013 11:17:11 +0100
+Subject: [PATCH] patch: CVE-2013-1913,1978
+
+Squashed commit of the following:
+
+commit 6a0912e7fe8b61e32c647d9ed3bc110b4a7f15cf
+Author: Nils Philippsen <nils at redhat.com>
+Date: Tue Nov 26 10:49:42 2013 +0100
+
+ file-xwd: sanity check # of colors and map entries (CVE-2013-1978)
+
+ The number of colors in an image shouldn't be higher than the number of
+ colormap entries. Additionally, consolidate post error cleanup in
+ load_image().
+
+ (cherry picked from commit 23f685931e5f000dd033a45c60c1e60d7f78caf4)
+
+commit 0e95c2790d753d898f2d7ad560b48e5f487cf460
+Author: Nils Philippsen <nils at redhat.com>
+Date: Thu Nov 14 14:29:01 2013 +0100
+
+ file-xwd: sanity check colormap size (CVE-2013-1913)
+
+ (cherry picked from commit 32ae0f83e5748299641cceaabe3f80f1b3afd03e)
+---
+ plug-ins/common/file-xwd.c | 62 +++++++++++++++++++++++++++-------------------
+ 1 file changed, 37 insertions(+), 25 deletions(-)
+
+diff --git a/plug-ins/common/file-xwd.c b/plug-ins/common/file-xwd.c
+index 3240f7e..ba07afd 100644
+--- a/plug-ins/common/file-xwd.c
++++ b/plug-ins/common/file-xwd.c
+@@ -424,9 +424,9 @@ static gint32
+ load_image (const gchar *filename,
+ GError **error)
+ {
+- FILE *ifp;
++ FILE *ifp = NULL;
+ gint depth, bpp;
+- gint32 image_ID;
++ gint32 image_ID = -1;
+ L_XWDFILEHEADER xwdhdr;
+ L_XWDCOLOR *xwdcolmap = NULL;
+
+@@ -436,7 +436,7 @@ load_image (const gchar *filename,
+ g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno),
+ _("Could not open '%s' for reading: %s"),
+ gimp_filename_to_utf8 (filename), g_strerror (errno));
+- return -1;
++ goto out;
+ }
+
+ read_xwd_header (ifp, &xwdhdr);
+@@ -445,8 +445,7 @@ load_image (const gchar *filename,
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("Could not read XWD header from '%s'"),
+ gimp_filename_to_utf8 (filename));
+- fclose (ifp);
+- return -1;
++ goto out;
+ }
+
+ #ifdef XWD_COL_WAIT_DEBUG
+@@ -461,8 +460,25 @@ load_image (const gchar *filename,
+ /* Position to start of XWDColor structures */
+ fseek (ifp, (long)xwdhdr.l_header_size, SEEK_SET);
+
++ /* Guard against insanely huge color maps -- gimp_image_set_colormap() only
++ * accepts colormaps with 0..256 colors anyway. */
++ if (xwdhdr.l_colormap_entries > 256)
++ {
++ g_message (_("'%s':\nIllegal number of colormap entries: %ld"),
++ gimp_filename_to_utf8 (filename),
++ (long)xwdhdr.l_colormap_entries);
++ goto out;
++ }
++
+ if (xwdhdr.l_colormap_entries > 0)
+ {
++ if (xwdhdr.l_colormap_entries < xwdhdr.l_ncolors)
++ {
++ g_message (_("'%s':\nNumber of colormap entries < number of colors"),
++ gimp_filename_to_utf8 (filename));
++ goto out;
++ }
++
+ xwdcolmap = g_new (L_XWDCOLOR, xwdhdr.l_colormap_entries);
+
+ read_xwd_cols (ifp, &xwdhdr, xwdcolmap);
+@@ -482,9 +498,7 @@ load_image (const gchar *filename,
+ if (xwdhdr.l_file_version != 7)
+ {
+ g_message (_("Can't read color entries"));
+- g_free (xwdcolmap);
+- fclose (ifp);
+- return (-1);
++ goto out;
+ }
+ }
+
+@@ -492,9 +506,7 @@ load_image (const gchar *filename,
+ {
+ g_message (_("'%s':\nNo image width specified"),
+ gimp_filename_to_utf8 (filename));
+- g_free (xwdcolmap);
+- fclose (ifp);
+- return (-1);
++ goto out;
+ }
+
+ if (xwdhdr.l_pixmap_width > GIMP_MAX_IMAGE_SIZE
+@@ -502,27 +514,21 @@ load_image (const gchar *filename,
+ {
+ g_message (_("'%s':\nImage width is larger than GIMP can handle"),
+ gimp_filename_to_utf8 (filename));
+- g_free (xwdcolmap);
+- fclose (ifp);
+- return (-1);
++ goto out;
+ }
+
+ if (xwdhdr.l_pixmap_height <= 0)
+ {
+ g_message (_("'%s':\nNo image height specified"),
+ gimp_filename_to_utf8 (filename));
+- g_free (xwdcolmap);
+- fclose (ifp);
+- return (-1);
++ goto out;
+ }
+
+ if (xwdhdr.l_pixmap_height > GIMP_MAX_IMAGE_SIZE)
+ {
+ g_message (_("'%s':\nImage height is larger than GIMP can handle"),
+ gimp_filename_to_utf8 (filename));
+- g_free (xwdcolmap);
+- fclose (ifp);
+- return (-1);
++ goto out;
+ }
+
+ gimp_progress_init_printf (_("Opening '%s'"),
+@@ -571,11 +577,6 @@ load_image (const gchar *filename,
+ }
+ gimp_progress_update (1.0);
+
+- fclose (ifp);
+-
+- if (xwdcolmap)
+- g_free (xwdcolmap);
+-
+ if (image_ID == -1 && ! (error && *error))
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("XWD-file %s has format %d, depth %d and bits per pixel %d. "
+@@ -583,6 +584,17 @@ load_image (const gchar *filename,
+ gimp_filename_to_utf8 (filename),
+ (gint) xwdhdr.l_pixmap_format, depth, bpp);
+
++out:
++ if (ifp)
++ {
++ fclose (ifp);
++ }
++
++ if (xwdcolmap)
++ {
++ g_free (xwdcolmap);
++ }
++
+ return image_ID;
+ }
+
+--
+1.8.4.2
+
diff --git a/gimp.spec b/gimp.spec
index aa49602..ce53d28 100644
--- a/gimp.spec
+++ b/gimp.spec
@@ -82,7 +82,7 @@ Summary: GNU Image Manipulation Program
Name: gimp
Epoch: 2
Version: 2.8.10
-Release: %{?prerelprefix}1%{dotprerel}%{dotgitrev}%{?dist}
+Release: %{?prerelprefix}2%{dotprerel}%{dotgitrev}%{?dist}
# Compute some version related macros
# Ugly hack, you need to get your quoting backslashes/percent signs straight
@@ -206,6 +206,12 @@ Patch0: gimp-%{version}%{dashprerel}-git%{gitrev}.patch.bz2
# Fedora specific.
Patch1: gimp-2.8.2-cm-system-monitor-profile-by-default.patch
+# Avoid buffer overflows in the XWD loader
+# CVE-2013-1913, CVE-2013-1978
+# Upstream commit 7f2322e4ced8ba393abc5a0aa15a607f340f0db8
+# Upstream commit 0ffb3b6753aad00512349bba31bf5113054c6a0e
+Patch2: gimp-2.8.10-CVE-2013-1913,1978.patch
+
# use external help browser directly if help browser plug-in is not built
Patch100: gimp-2.8.6-external-help-browser.patch
@@ -295,6 +301,7 @@ EOF
%endif
%patch1 -p1 -b .cm-system-monitor-profile-by-default
+%patch2 -p1 -b .CVE-2013-1913,1978
%if ! %{with helpbrowser}
%patch100 -p1 -b .external-help-browser
@@ -608,6 +615,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
%endif
%changelog
+* Wed Dec 04 2013 Nils Philippsen <nils at redhat.com> - 2:2.8.10-2
+- avoid buffer overflows in file-xwd plug-in (CVE-2013-1913, CVE-2013-1978)
+
* Fri Nov 29 2013 Nils Philippsen <nils at redhat.com> - 2:2.8.10-1
- version 2.8.10
More information about the scm-commits
mailing list