aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/gimp-CVE-2017-17784.patch
blob: c791772fb572572a1c806ec62c2c125a57a3f316 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
Fix CVE-2017-17784:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17784
https://bugzilla.gnome.org/show_bug.cgi?id=790784

Patch copied from upstream source repository:

https://git.gnome.org/browse/gimp/commit/?id=c57f9dcf1934a9ab0cd67650f2dea18cb0902270

From c57f9dcf1934a9ab0cd67650f2dea18cb0902270 Mon Sep 17 00:00:00 2001
From: Jehan <jehan@girinstud.io>
Date: Thu, 21 Dec 2017 12:25:32 +0100
Subject: [PATCH] Bug 790784 - (CVE-2017-17784) heap overread in gbr parser /
 load_image.

We were assuming the input name was well formed, hence was
nul-terminated. As any data coming from external input, this has to be
thorougly checked.
Similar to commit 06d24a79af94837d615d0024916bb95a01bf3c59 but adapted
to older gimp-2-8 code.
---
 plug-ins/common/file-gbr.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/plug-ins/common/file-gbr.c b/plug-ins/common/file-gbr.c
index b028100bef..d3f01d9c56 100644
--- a/plug-ins/common/file-gbr.c
+++ b/plug-ins/common/file-gbr.c
@@ -443,7 +443,8 @@ load_image (const gchar  *filename,
     {
       gchar *temp = g_new (gchar, bn_size);
 
-      if ((read (fd, temp, bn_size)) < bn_size)
+      if ((read (fd, temp, bn_size)) < bn_size ||
+          temp[bn_size - 1] != '\0')
         {
           g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
                        _("Error in GIMP brush file '%s'"),
-- 
2.15.1