From f8569bb13e2aa1584dde61ca545144750f7a7c98 Mon Sep 17 00:00:00 2001
From: Matthias Clasen <mclasen@redhat.com>
Date: Fri, 24 Jun 2011 05:09:35 +0000
Subject: GIF: Don't return a partially initialized pixbuf structure
It was found that gdk-pixbuf GIF image loader gdk_pixbuf__gif_image_load()
routine did not properly handle certain return values from their subroutines.
A remote attacker could provide a specially-crafted GIF image, which once
opened in an application, linked against gdk-pixbuf would lead to gdk-pixbuf
to return partially initialized pixbuf structure, possibly having huge
width and height, leading to termination of that particular application due to
excessive memory use.
The CVE identifier of CVE-2011-2485 has been assigned to this issue.
---
diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
|
|
16 |
index 0b370ee..8a1fa3e 100644
|
|
17 |
--- a/gdk-pixbuf/io-gif.c
|
|
18 |
+++ b/gdk-pixbuf/io-gif.c
|
|
19 |
@@ -1455,6 +1455,7 @@ gdk_pixbuf__gif_image_load (FILE *file, GError **error)
|
|
20 |
{
|
|
21 |
GifContext *context;
|
|
22 |
GdkPixbuf *pixbuf;
|
|
23 |
+ gint retval;
|
|
24 |
|
|
25 |
g_return_val_if_fail (file != NULL, NULL);
|
|
26 |
|
|
27 |
@@ -1472,19 +1473,25 @@ gdk_pixbuf__gif_image_load (FILE *file, GError **error)
|
|
28 |
context->error = error;
|
|
29 |
context->stop_after_first_frame = TRUE;
|
|
30 |
|
|
31 |
- if (gif_main_loop (context) == -1 || context->animation->frames == NULL) {
|
|
32 |
+ retval = gif_main_loop (context);
|
|
33 |
+ if (retval == -1 || context->animation->frames == NULL) {
|
|
34 |
if (context->error && *(context->error) == NULL)
|
|
35 |
g_set_error_literal (context->error,
|
|
36 |
GDK_PIXBUF_ERROR,
|
|
37 |
GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
|
|
38 |
_("GIF file was missing some data (perhaps it was truncated somehow?)"));
|
|
39 |
}
|
|
40 |
+ else if (retval == -2) {
|
|
41 |
+ pixbuf = NULL;
|
|
42 |
+ goto out;
|
|
43 |
+ }
|
|
44 |
|
|
45 |
pixbuf = gdk_pixbuf_animation_get_static_image (GDK_PIXBUF_ANIMATION (context->animation));
|
|
46 |
|
|
47 |
if (pixbuf)
|
|
48 |
g_object_ref (pixbuf);
|
|
49 |
|
|
50 |
+out:
|
|
51 |
g_object_unref (context->animation);
|
|
52 |
|
|
53 |
g_free (context->buf);
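Review bot: Because the new `else if (retval == -2)` branch is ordered after the `retval == -1 || context->animation->frames == NULL` test, a -2 return with no frames decoded takes the first branch instead and still falls through to `gdk_pixbuf_animation_get_static_image`; testing `retval == -2` first (`if (retval == -2) { pixbuf = NULL; goto out; }` placed ahead of the existing condition) keeps the hard-error path independent of the animation state. The -2 path also returns NULL without setting an error, which is only correct if every -2 return inside gif_main_loop has already filled `*error`; that is not visible in this hunk, so a comment such as `/* -2: gif_main_loop already set *error, just clean up */` would pin that contract down. Note that the -1 branch still hands back whatever the static image is while `*error` is set, so callers that check the error first will see an error next to a possibly non-NULL pixbuf; if tolerating truncated GIFs is deliberate, a comment on that branch should say so. The rest of gdk_pixbuf__gif_image_load continues outside the hunk.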
--