Red Hat Bugzilla – Attachment 603059 Details for Bug 838941: CVE-2012-3402 gimp (PSD plug-in): Heap-buffer overflow by decoding certain PSD headers
[patch] Patch to fix CVEs 2009-3909 and 2012-3402
gimp-2.2.13-CVE-2009-3909,CVE-2012-3402.patch (text/plain), 3.42 KB, created by Nils Philippsen on 2012-08-08 15:35:00 UTC
>From 34cb48d37bdd6837f9bfdd0185bd07ae2b531681 Mon Sep 17 00:00:00 2001 >From: Nils Philippsen <nils@redhat.com> >Date: Tue, 14 Jun 2011 16:33:38 +0200 >Subject: [PATCH] patch: CVE-2009-3909,CVE-2012-3402 > >Squashed commit of the following: > >commit 540d51972d0c59d8c65e63462d9852f10d5c1fc7 >Author: Nils Philippsen <nils@redhat.com> >Date: Tue Jun 14 15:52:39 2011 +0200 > > psd: harden against integer overflow > >commit 01c6aa23ffbe42b66240ef1e67bf0232df45c8c9 >Author: Nils Philippsen <nils@redhat.com> >Date: Tue Jun 14 15:51:36 2011 +0200 > > psd: harden against zero channels > >commit 2bb507353390d78efff9737781d8516224acdeb9 >Author: Nils Philippsen <nils@redhat.com> >Date: Tue Jun 14 15:50:00 2011 +0200 > > psd: pass around filename for meaningful error messages > >commit ca05e4d951af9fe5b82fc43ec452b2cc2f752df1 >Author: Nils Philippsen <nils@redhat.com> >Date: Fri Mar 18 16:12:48 2011 +0100 > > Harden PSD plugin. > > In extract_data_and_channels(), avoid overflowing gsize type in > g_malloc() call. >--- > plug-ins/common/psd.c | 18 ++++++++++++++---- > 1 file changed, 14 insertions(+), 4 deletions(-) > >diff --git a/plug-ins/common/psd.c b/plug-ins/common/psd.c >index ad7d9c6..02c5e52 100644 >--- a/plug-ins/common/psd.c >+++ b/plug-ins/common/psd.c >@@ -396,7 +396,7 @@ static glong getglong(FILE *fd, gchar *why); > static void xfread(FILE *fd, void *buf, long len, gchar *why); > static void xfread_interlaced(FILE *fd, guchar *buf, long len, gchar *why, > gint step); >-static void read_whole_file(FILE *fd, const gchar *name); >+static void read_whole_file(FILE *fd, const gchar *filename); > static void reshuffle_cmap(guchar *map256); > static gchar* getpascalstring(FILE *fd, gchar *why); > static gchar* getstring(size_t n, FILE * fd, gchar *why); 
>@@ -1627,7 +1627,10 @@ void extract_data_and_channels(guchar* src, gint gimpstep, gint psstep, > "\tand %d auxiliary channels.\n", gimpstep, psstep-gimpstep); > > /* gimp doesn't like 0 width/height drawables. */ >- if ((width == 0) || (height == 0)) >+ /* zero channels (gimpstep) also doesn't make sense. */ >+ /* avoid overflowing gsize type in g_malloc() below. */ >+ if ((width == 0) || (height == 0) || (gimpstep == 0) || >+ (gimpstep > G_MAXSIZE / width / height)) > { > IFDBG printf("(bad channel dimensions -- skipping)"); > return; >@@ -2810,7 +2813,7 @@ xfread_interlaced(FILE* fd, guchar* buf, long len, gchar *why, gint step) > } > > static void >-read_whole_file(FILE * fd, const gchar *filename) >+read_whole_file(FILE * fd, const gchar * filename) > { > guint16 w; > gint32 pos; >@@ -2831,6 +2834,12 @@ read_whole_file(FILE * fd, const gchar *filename) > gimp_filename_to_utf8 (filename)); > gimp_quit (); > } >+ if (PSDheader.channels < 1) >+ { >+ g_message ("'%s' has 0 channels, GIMP can't handle that.", >+ gimp_filename_to_utf8 (filename)); >+ gimp_quit (); >+ } > > PSDheader.rows = getglong(fd, "rows"); > PSDheader.columns = getglong(fd, "columns"); >@@ -2846,7 +2855,8 @@ read_whole_file(FILE * fd, const gchar *filename) > gimp_quit (); > } > >- if (PSDheader.rows && PSDheader.columns > (G_MAXUINT / PSDheader.rows)) >+ if (PSDheader.rows && PSDheader.channels && >+ PSDheader.columns > (G_MAXUINT / PSDheader.rows / PSDheader.channels)) > { > g_message ("'%s' has a larger image size than GIMP can handle.", > gimp_filename_to_utf8 (filename)); >-- >1.7.10.4 >
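Review bot: In the extract_data_and_channels() hunk (@@ -1627), the extended rejection path still returns silently from a void function, with its only diagnostic behind IFDBG, so a file rejected for gimpstep == 0 or for the overflow bound is skipped with no message to the user, unlike the g_message() calls in read_whole_file(). Consider reporting it with g_message() here as well. The new comment says the bound protects the g_malloc() "below", but that call is outside the hunk; naming the allocation expression in the comment would let a reader confirm that G_MAXSIZE / width / height is the right limit for what is actually allocated.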
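Review bot: The read_whole_file() definition hunk (@@ -2810) changes only whitespace, from "const gchar *filename" to "const gchar * filename", and the result no longer matches the prototype as updated in the first hunk ("const gchar *filename"). Drop this hunk or use one spelling in both places, so the security fix carries no unrelated churn.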
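Review bot: In the channel-count check added at @@ -2831, the condition is "PSDheader.channels < 1" but the message always says "has 0 channels". The type of the field is not visible in this hunk: if it is signed, a negative count would be reported as zero, and if it is unsigned the test is clearer written as "== 0". Printing the value actually read in the message would cover both cases.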
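Review bot: In the size check at @@ -2846, the "PSDheader.rows &&" guard means a header with rows == 0 skips the whole test, and nothing in this hunk rejects zero rows or columns at header-parse time; if that is intended to be left to the width/height test in extract_data_and_channels(), a comment saying so would help. The "PSDheader.channels &&" guard is redundant after the "channels < 1" check added in the previous hunk, assuming gimp_quit() does not return. This bound also uses G_MAXUINT while the one added in extract_data_and_channels() uses G_MAXSIZE; a short comment on why the two limits differ would make the pair easier to audit.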