Attachment 603059 Details for Bug 838941 – Patch to fix CVEs 2009-3909 and 2012-3402

[patch] Patch to fix CVEs 2009-3909 and 2012-3402

gimp-2.2.13-CVE-2009-3909,CVE-2012-3402.patch (text/plain), 3.42 KB, created by Nils Philippsen on 2012-08-08 15:35:00 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Nils Philippsen

Created: 2012-08-08 15:35:00 UTC

Size: 3.42 KB

patch

obsolete

>From 34cb48d37bdd6837f9bfdd0185bd07ae2b531681 Mon Sep 17 00:00:00 2001
>From: Nils Philippsen <nils@redhat.com>
>Date: Tue, 14 Jun 2011 16:33:38 +0200
>Subject: [PATCH] patch: CVE-2009-3909,CVE-2012-3402
>
>Squashed commit of the following:
>
>commit 540d51972d0c59d8c65e63462d9852f10d5c1fc7
>Author: Nils Philippsen <nils@redhat.com>
>Date:   Tue Jun 14 15:52:39 2011 +0200
>
>    psd: harden against integer overflow
>
>commit 01c6aa23ffbe42b66240ef1e67bf0232df45c8c9
>Author: Nils Philippsen <nils@redhat.com>
>Date:   Tue Jun 14 15:51:36 2011 +0200
>
>    psd: harden against zero channels
>
>commit 2bb507353390d78efff9737781d8516224acdeb9
>Author: Nils Philippsen <nils@redhat.com>
>Date:   Tue Jun 14 15:50:00 2011 +0200
>
>    psd: pass around filename for meaningful error messages
>
>commit ca05e4d951af9fe5b82fc43ec452b2cc2f752df1
>Author: Nils Philippsen <nils@redhat.com>
>Date:   Fri Mar 18 16:12:48 2011 +0100
>
>    Harden PSD plugin.
>
>    In extract_data_and_channels(), avoid overflowing gsize type in
>    g_malloc() call.
>---
> plug-ins/common/psd.c |   18 ++++++++++++++----
> 1 file changed, 14 insertions(+), 4 deletions(-)
>
>diff --git a/plug-ins/common/psd.c b/plug-ins/common/psd.c
>index ad7d9c6..02c5e52 100644
>--- a/plug-ins/common/psd.c
>+++ b/plug-ins/common/psd.c
>@@ -396,7 +396,7 @@ static glong getglong(FILE *fd, gchar *why);
> static void xfread(FILE *fd, void *buf, long len, gchar *why);
> static void xfread_interlaced(FILE *fd, guchar *buf, long len, gchar *why,
> 			      gint step);
>-static void read_whole_file(FILE *fd, const gchar *name);
>+static void read_whole_file(FILE *fd, const gchar *filename);
> static void reshuffle_cmap(guchar *map256);
> static gchar* getpascalstring(FILE *fd, gchar *why);
> static gchar* getstring(size_t n, FILE * fd, gchar *why);
>@@ -1627,7 +1627,10 @@ void extract_data_and_channels(guchar* src, gint gimpstep, gint psstep,
> 	 "\tand %d auxiliary channels.\n", gimpstep, psstep-gimpstep);
> 
>   /* gimp doesn't like 0 width/height drawables. */
>-  if ((width == 0) || (height == 0))
>+  /* zero channels (gimpstep) also doesn't make sense. */
>+  /* avoid overflowing gsize type in g_malloc() below. */
>+  if ((width == 0) || (height == 0) || (gimpstep == 0) ||
>+      (gimpstep > G_MAXSIZE / width / height))
>     {
>       IFDBG printf("(bad channel dimensions -- skipping)");
>       return;
>@@ -2810,7 +2813,7 @@ xfread_interlaced(FILE* fd, guchar* buf, long len, gchar *why, gint step)
> }
> 
> static void
>-read_whole_file(FILE * fd, const gchar *filename)
>+read_whole_file(FILE * fd, const gchar * filename)
> {
>     guint16 w;
>     gint32 pos;
>@@ -2831,6 +2834,12 @@ read_whole_file(FILE * fd, const gchar *filename)
>                    gimp_filename_to_utf8 (filename));
>         gimp_quit ();
>       }
>+    if (PSDheader.channels < 1)
>+      {
>+        g_message ("'%s' has 0 channels, GIMP can't handle that.",
>+                   gimp_filename_to_utf8 (filename));
>+        gimp_quit ();
>+      }
> 
>     PSDheader.rows = getglong(fd, "rows");
>     PSDheader.columns = getglong(fd, "columns");
>@@ -2846,7 +2855,8 @@ read_whole_file(FILE * fd, const gchar *filename)
>         gimp_quit ();
>       }
> 
>-    if (PSDheader.rows && PSDheader.columns > (G_MAXUINT / PSDheader.rows))
>+    if (PSDheader.rows && PSDheader.channels &&
>+        PSDheader.columns > (G_MAXUINT / PSDheader.rows / PSDheader.channels))
>       {
>         g_message ("'%s' has a larger image size than GIMP can handle.",
>                    gimp_filename_to_utf8 (filename));
>-- 
>1.7.10.4
>

Actions: View | Diff

Attachments on bug 838941: 603059