Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
gdk-pixbuf.1775
gdk-pixbuf-bgo752297.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File gdk-pixbuf-bgo752297.patch of Package gdk-pixbuf.1775
From ffec86ed5010c5a2be14f47b33bcf4ed3169a199 Mon Sep 17 00:00:00 2001 From: Matthias Clasen <mclasen@redhat.com> Date: Mon, 13 Jul 2015 00:33:40 -0400 Subject: [PATCH] pixops: Be more careful about integer overflow Our loader code is supposed to handle out-of-memory and overflow situations gracefully, reporting errors instead of aborting. But if you load an image at a specific size, we also execute our scaling code, which was not careful enough about overflow in some places. This commit makes the scaling code silently return if it fails to allocate filter tables. This is the best we can do, since gdk_pixbuf_scale() is not taking a GError. https://bugzilla.gnome.org/show_bug.cgi?id=752297 --- gdk-pixbuf/pixops/pixops.c | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c index 29a1c14..ce51745 100644 --- a/gdk-pixbuf/pixops/pixops.c +++ b/gdk-pixbuf/pixops/pixops.c @@ -1272,7 +1272,16 @@ make_filter_table (PixopsFilter *filter) int i_offset, j_offset; int n_x = filter->x.n; int n_y = filter->y.n; - int *weights = g_new (int, SUBSAMPLE * SUBSAMPLE * n_x * n_y); + gsize n_weights; + int *weights; + + n_weights = SUBSAMPLE * SUBSAMPLE * n_x * n_y; + if (n_weights / (SUBSAMPLE * SUBSAMPLE * n_x) != n_y) + return NULL; /* overflow, bail */ + + weights = g_try_new (int, n_weights); + if (!weights) + return NULL; /* overflow, bail */ for (i_offset=0; i_offset < SUBSAMPLE; i_offset++) for (j_offset=0; j_offset < SUBSAMPLE; j_offset++) @@ -1347,8 +1356,11 @@ pixops_process (guchar *dest_buf, if (x_step == 0 || y_step == 0) return; /* overflow, bail out */ - line_bufs = g_new (guchar *, filter->y.n); filter_weights = make_filter_table (filter); + if (!filter_weights) + return; /* overflow, bail out */ + + line_bufs = g_new (guchar *, filter->y.n); check_shift = check_size ? get_check_shift (check_size) : 0; @@ -1468,7 +1480,7 @@ tile_make_weights (PixopsFilterDimension *dim, double scale) { int n = ceil (1 / scale + 1); - double *pixel_weights = g_new (double, SUBSAMPLE * n); + double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n); int offset; int i; @@ -1526,7 +1538,7 @@ bilinear_magnify_make_weights (PixopsFilterDimension *dim, } dim->n = n; - dim->weights = g_new (double, SUBSAMPLE * n); + dim->weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n); pixel_weights = dim->weights; @@ -1617,7 +1629,7 @@ bilinear_box_make_weights (PixopsFilterDimension *dim, double scale) { int n = ceil (1/scale + 3.0); - double *pixel_weights = g_new (double, SUBSAMPLE * n); + double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n); double w; int offset, i; -- 2.1.4 From 8dba67cb4f38d62a47757741ad41e3f245b4a32a Mon Sep 17 00:00:00 2001 From: Benjamin Otte <otte@redhat.com> Date: Mon, 17 Aug 2015 18:52:47 +0200 Subject: [PATCH] pixops: Fix oversight for CVE-2015-4491 The n_x variable could be made large enough to overflow, too. Also included are various testcases for this vulnerability: - The original exploit (adapted for the testsuite) - Causing overflow by making both X and Y variables large - Causing overflow using only the X variable - Causing overflow using only the Y variable https://bugzilla.gnome.org/show_bug.cgi?id=752297 --- gdk-pixbuf/pixops/pixops.c | 6 ++- tests/Makefile.am | 7 ++++ tests/cve-2015-4491.bmp | Bin 0 -> 82 bytes tests/cve-2015-4491.c | 87 ++++++++++++++++++++++++++++++++++++++++++ tests/resources.gresource.xml | 1 + 5 files changed, 100 insertions(+), 1 deletion(-) create mode 100644 tests/cve-2015-4491.bmp create mode 100644 tests/cve-2015-4491.c diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c index ce51745..7f2cbff 100644 --- a/gdk-pixbuf/pixops/pixops.c +++ b/gdk-pixbuf/pixops/pixops.c @@ -1275,7 +1275,11 @@ make_filter_table (PixopsFilter *filter) gsize n_weights; int *weights; - n_weights = SUBSAMPLE * SUBSAMPLE * n_x * n_y; + n_weights = SUBSAMPLE * SUBSAMPLE * n_x; + if (n_weights / (SUBSAMPLE * SUBSAMPLE) != n_x) + return NULL; /* overflow, bail */ + + n_weights *= n_y; if (n_weights / (SUBSAMPLE * SUBSAMPLE * n_x) != n_y) return NULL; /* overflow, bail */
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor