| From f8569bb13e2aa1584dde61ca545144750f7a7c98 Mon Sep 17 00:00:00 2001 |
| From: Matthias Clasen <mclasen@redhat.com> |
| Date: Fri, 24 Jun 2011 05:09:35 +0000 |
| Subject: GIF: Don't return a partially initialized pixbuf structure |
| |
| It was found that the gdk-pixbuf GIF image loader gdk_pixbuf__gif_image_load() |
| routine did not properly handle certain return values from its subroutines. |
| A remote attacker could provide a specially-crafted GIF image which, once |
| opened in an application linked against gdk-pixbuf, would lead gdk-pixbuf |
| to return a partially initialized pixbuf structure, possibly having a huge |
| width and height, leading to that particular application's termination due to |
| excessive memory use. |
| |
| The CVE identifier of CVE-2011-2485 has been assigned to this issue. |
| --- |
| diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c |
| index 0b370ee..8a1fa3e 100644 |
| --- a/gdk-pixbuf/io-gif.c |
| +++ b/gdk-pixbuf/io-gif.c |
| @@ -1455,6 +1455,7 @@ gdk_pixbuf__gif_image_load (FILE *file, GError **error) |
| { |
| GifContext *context; |
| GdkPixbuf *pixbuf; |
| + gint retval; |
| |
| g_return_val_if_fail (file != NULL, NULL); |
| |
| @@ -1472,19 +1473,25 @@ gdk_pixbuf__gif_image_load (FILE *file, GError **error) |
| context->error = error; |
| context->stop_after_first_frame = TRUE; |
| |
| - if (gif_main_loop (context) == -1 || context->animation->frames == NULL) { |
| + retval = gif_main_loop (context); |
| + if (retval == -1 || context->animation->frames == NULL) { |
| if (context->error && *(context->error) == NULL) |
| g_set_error_literal (context->error, |
| GDK_PIXBUF_ERROR, |
| GDK_PIXBUF_ERROR_CORRUPT_IMAGE, |
| _("GIF file was missing some data (perhaps it was truncated somehow?)")); |
| } |
| + else if (retval == -2) { |
| + pixbuf = NULL; |
| + goto out; |
| + } |
| |
| pixbuf = gdk_pixbuf_animation_get_static_image (GDK_PIXBUF_ANIMATION (context->animation)); |
| |
| if (pixbuf) |
| g_object_ref (pixbuf); |
| |
| +out: |
| g_object_unref (context->animation); |
| |
| g_free (context->buf); |
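Review bot: The new `else if (retval == -2)` branch returns NULL without passing through the `context->error && *(context->error) == NULL` fallback that the -1 path performs, so unless gif_main_loop sets `*error` itself before returning -2 (not visible in this hunk), the caller receives a NULL pixbuf with no GError, which is the one combination the loader API does not allow. If -2 is meant to signal "error already reported, nothing decoded", a comment at the branch should say so, e.g. `/* -2: gif_main_loop has already set *error; skip the static-image lookup */`, because the bare -1/-2 sentinels otherwise leave the reader guessing which path owns error reporting. If that is not guaranteed, folding the -2 test into the first condition so it shares the `g_set_error_literal` fallback and then jumping to `out` would close the gap with two changed lines. gdk_pixbuf__gif_image_load begins before this hunk and its return continues past it.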
| -- |