1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
|
From 0474376d234bc3d0901fd5e86f89d778a6473dd8 Mon Sep 17 00:00:00 2001
From: Michael Natterer <mitch@gimp.org>
Date: Wed, 06 Jun 2012 19:21:10 +0000
Subject: Bug 676804 - file handling DoS for fit file format
Apply patch from joe@reactionis.co.uk which fixes a buffer overflow on
broken/malicious fits files.
(cherry picked from commit ace45631595e8781a1420842582d67160097163c)
---
diff --git a/plug-ins/file-fits/fits-io.c b/plug-ins/file-fits/fits-io.c
index 03d9652..ed77318 100644
--- a/plug-ins/file-fits/fits-io.c
+++ b/plug-ins/file-fits/fits-io.c
@@ -1054,10 +1054,18 @@ static FITS_HDU_LIST *fits_decode_header (FITS_RECORD_LIST *hdr,
hdulist->used.simple = (strncmp (hdr->data, "SIMPLE ", 8) == 0);
hdulist->used.xtension = (strncmp (hdr->data, "XTENSION", 8) == 0);
if (hdulist->used.xtension)
- {
- fdat = fits_decode_card (fits_search_card (hdr, "XTENSION"), typ_fstring);
- strcpy (hdulist->xtension, fdat->fstring);
- }
+ {
+ fdat = fits_decode_card (fits_search_card (hdr, "XTENSION"), typ_fstring);
+ if (fdat != NULL)
+ {
+ strcpy (hdulist->xtension, fdat->fstring);
+ }
+ else
+ {
+ strcpy (errmsg, "No valid XTENSION header found.");
+ goto err_return;
+ }
+ }
FITS_DECODE_CARD (hdr, "NAXIS", fdat, typ_flong);
hdulist->naxis = fdat->flong;
--
cgit v0.9.0.2
|
