diff options
Diffstat (limited to 'main/gdk-pixbuf/CVE-2017-6312.patch')
| -rw-r--r-- | main/gdk-pixbuf/CVE-2017-6312.patch | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/main/gdk-pixbuf/CVE-2017-6312.patch b/main/gdk-pixbuf/CVE-2017-6312.patch new file mode 100644 index 0000000000..3cd9bbe757 --- /dev/null +++ b/main/gdk-pixbuf/CVE-2017-6312.patch @@ -0,0 +1,25 @@ +--- a/gdk-pixbuf/io-ico.c ++++ a/gdk-pixbuf/io-ico.c +@@ -330,10 +330,8 @@ static void DecodeHeader(guchar *Data, gint Bytes, + return; + } + +- /* We know how many bytes are in the "header" part. */ +- State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE; +- +- if (State->HeaderSize < 0) { ++ /* Avoid invoking undefined behavior in the State->HeaderSize calculation below */ ++ if (entry->DIBoffset > G_MAXINT - INFOHEADER_SIZE) { + g_set_error (error, + GDK_PIXBUF_ERROR, + GDK_PIXBUF_ERROR_CORRUPT_IMAGE, +@@ -341,6 +339,9 @@ static void DecodeHeader(guchar *Data, gint Bytes, + return; + } + ++ /* We know how many bytes are in the "header" part. */ ++ State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE; ++ + if (State->HeaderSize>State->BytesInHeaderBuf) { + guchar *tmp=g_try_realloc(State->HeaderBuf,State->HeaderSize); + if (!tmp) { |