main/gdk-pixbuf: security fixes (CVE-2017-6311, CVE-2017-6312, CVE-2017-6314)

CVE-2017-6313: fix N/A, https://bugzilla.gnome.org/show_bug.cgi?id=779016

1 files changed, 25 insertions, 0 deletions

diff --git a/main/gdk-pixbuf/CVE-2017-6312.patch b/main/gdk-pixbuf/CVE-2017-6312.patch
new file mode 100644
index 0000000000..3cd9bbe757
--- /dev/null
+++ b/main/gdk-pixbuf/CVE-2017-6312.patch
@@ -0,0 +1,25 @@
+--- a/gdk-pixbuf/io-ico.c	
++++ a/gdk-pixbuf/io-ico.c	
+@@ -330,10 +330,8 @@ static void DecodeHeader(guchar *Data, gint Bytes,
+ 			return;
+ 		}
+ 
+-		/* We know how many bytes are in the "header" part. */
+-		State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE;
+-
+-		if (State->HeaderSize < 0) {
++		/* Avoid invoking undefined behavior in the State->HeaderSize calculation below */
++		if (entry->DIBoffset > G_MAXINT - INFOHEADER_SIZE) {
+ 			g_set_error (error,
+ 			             GDK_PIXBUF_ERROR,
+ 			             GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+@@ -341,6 +339,9 @@ static void DecodeHeader(guchar *Data, gint Bytes,
+ 			return;
+ 		}
+ 
++		/* We know how many bytes are in the "header" part. */
++		State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE;
++
+ 		if (State->HeaderSize>State->BytesInHeaderBuf) {
+ 			guchar *tmp=g_try_realloc(State->HeaderBuf,State->HeaderSize);
+ 			if (!tmp) {