File bnc#724628-0001-file-gif-load-limit-len-and-height-CVE-2012-3481.patch of Package gimp
From 4ec417c50d4cce935a87b5beab051e85cbfcec45 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky <jlieskov@redhat.com>
Date: Tue, 14 Aug 2012 12:18:22 +0200
Subject: [PATCH 1/2] file-gif-load: limit len and height (CVE-2012-3481)
Ensure values of len and height can't overflow g_malloc() argument type.
---
plug-ins/common/file-gif-load.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
index 9a0720b..909b184 100644
--- a/plug-ins/common/file-gif-load.c
+++ b/plug-ins/common/file-gif-load.c
@@ -1025,6 +1025,13 @@ ReadImage (FILE *fd,
cur_progress = 0;
max_progress = height;
+ if (len > (G_MAXSIZE / height / (alpha_frame ? (promote_to_rgb ? 4 : 2) : 1)))
+ {
+ g_message ("'%s' has a larger image size than GIMP can handle.",
+ gimp_filename_to_utf8 (filename));
+ return -1;
+ }
+
if (alpha_frame)
dest = (guchar *) g_malloc (len * height * (promote_to_rgb ? 4 : 2));
else
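Review bot: The new guard in ReadImage bounds the product against `G_MAXSIZE`, but the `g_malloc (len * height * (promote_to_rgb ? 4 : 2))` call it protects still multiplies in the operands' own type. The declarations of `len` and `height` are outside the hunk; if they are `gint`, the product can overflow before it is converted to `gsize`, and on 64-bit builds the guard would never trigger. Widening at the use site, e.g. `g_malloc ((gsize) len * (gsize) height * (promote_to_rgb ? 4 : 2))`, makes the check and the allocation agree; the `else` branch cut off at the end of the hunk presumably needs the same treatment. Separately, `G_MAXSIZE / height` divides by zero if a file supplies a height of 0, and nothing visible here rejects that earlier, so the condition should start with `height == 0 ||` (or reject non-positive dimensions before this point). The rest of ReadImage lies outside the hunk, so both points should be confirmed against the full function.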
--
1.7.11.4