diff options
Diffstat (limited to 'main/gimp/cve-2011-2896.patch')
| -rw-r--r-- | main/gimp/cve-2011-2896.patch | 61 |
1 files changed, 0 insertions, 61 deletions
diff --git a/main/gimp/cve-2011-2896.patch b/main/gimp/cve-2011-2896.patch deleted file mode 100644 index 735d77175..000000000 --- a/main/gimp/cve-2011-2896.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 376ad788c1a1c31d40f18494889c383f6909ebfc Mon Sep 17 00:00:00 2001 -From: Nils Philippsen <nils@redhat.com> -Date: Thu, 04 Aug 2011 10:51:42 +0000 -Subject: file-gif-load: fix heap corruption and buffer overflow (CVE-2011-2896) - ---- -(limited to 'plug-ins/common/file-gif-load.c') - -diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c -index 81f3bd0..c91e7aa 100644 ---- a/plug-ins/common/file-gif-load.c -+++ b/plug-ins/common/file-gif-load.c -@@ -713,7 +713,8 @@ LZWReadByte (FILE *fd, - static gint firstcode, oldcode; - static gint clear_code, end_code; - static gint table[2][(1 << MAX_LZW_BITS)]; -- static gint stack[(1 << (MAX_LZW_BITS)) * 2], *sp; -+#define STACK_SIZE ((1 << (MAX_LZW_BITS)) * 2) -+ static gint stack[STACK_SIZE], *sp; - gint i; - - if (just_reset_LZW) -@@ -788,7 +789,7 @@ LZWReadByte (FILE *fd, - - return firstcode & 255; - } -- else if (code == end_code) -+ else if (code == end_code || code > max_code) - { - gint count; - guchar buf[260]; -@@ -807,13 +808,14 @@ LZWReadByte (FILE *fd, - - incode = code; - -- if (code >= max_code) -+ if (code == max_code) - { -- *sp++ = firstcode; -+ if (sp < &(stack[STACK_SIZE])) -+ *sp++ = firstcode; - code = oldcode; - } - -- while (code >= clear_code) -+ while (code >= clear_code && sp < &(stack[STACK_SIZE])) - { - *sp++ = table[1][code]; - if (code == table[0][code]) -@@ -824,7 +826,8 @@ LZWReadByte (FILE *fd, - code = table[0][code]; - } - -- *sp++ = firstcode = table[1][code]; -+ if (sp < &(stack[STACK_SIZE])) -+ *sp++ = firstcode = table[1][code]; - - if ((code = max_code) < (1 << MAX_LZW_BITS)) - { --- -cgit v0.9.0.2 |