x11-libs/gdk-pixbuf/files/gdk-pixbuf-2.22.1-CVE-2011-2485.patch - mirrors/cros/chromiumos/overlays/portage-stable - Git at Google

 From f8569bb13e2aa1584dde61ca545144750f7a7c98 Mon Sep 17 00:00:00 2001
 From: Matthias Clasen <mclasen@redhat.com>
 Date: Fri, 24 Jun 2011 05:09:35 +0000
 Subject: GIF: Don't return a partially initialized pixbuf structure

 It was found that gdk-pixbuf GIF image loader gdk_pixbuf__gif_image_load()
 routine did not properly handle certain return values from their subroutines.
 A remote attacker could provide a specially-crafted GIF image, which once
 opened in an application, linked against gdk-pixbuf would lead to gdk-pixbuf
 to return partially initialized pixbuf structure, possibly having huge
 width and height, leading to that particular application termination due
 excessive memory use.

 The CVE identifier of CVE-2011-2485 has been assigned to this issue.
 ---
 diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
 index 0b370ee..8a1fa3e 100644
 --- a/gdk-pixbuf/io-gif.c
 +++ b/gdk-pixbuf/io-gif.c
 @@ -1455,6 +1455,7 @@ gdk_pixbuf__gif_image_load (FILE *file, GError **error)
  {
  	GifContext *context;
  	GdkPixbuf *pixbuf;
 +        gint retval;

  	g_return_val_if_fail (file != NULL, NULL);

 @@ -1472,19 +1473,25 @@ gdk_pixbuf__gif_image_load (FILE *file, GError **error)
          context->error = error;
          context->stop_after_first_frame = TRUE;

 -	if (gif_main_loop (context) == -1 || context->animation->frames == NULL) {
 +        retval = gif_main_loop (context);
 +	if (retval == -1 || context->animation->frames == NULL) {
                  if (context->error && *(context->error) == NULL)
                          g_set_error_literal (context->error,
                                               GDK_PIXBUF_ERROR,
                                               GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
                                               _("GIF file was missing some data (perhaps it was truncated somehow?)"));
          }
 +        else if (retval == -2) {
 +                pixbuf = NULL;
 +                goto out;
 +        }

          pixbuf = gdk_pixbuf_animation_get_static_image (GDK_PIXBUF_ANIMATION (context->animation));

          if (pixbuf)
                  g_object_ref (pixbuf);

 +out:
          g_object_unref (context->animation);

          g_free (context->buf);
 --
 cgit v0.9
	From f8569bb13e2aa1584dde61ca545144750f7a7c98 Mon Sep 17 00:00:00 2001
	From: Matthias Clasen <mclasen@redhat.com>
	Date: Fri, 24 Jun 2011 05:09:35 +0000
	Subject: GIF: Don't return a partially initialized pixbuf structure

	It was found that gdk-pixbuf GIF image loader gdk_pixbuf__gif_image_load()
	routine did not properly handle certain return values from their subroutines.
	A remote attacker could provide a specially-crafted GIF image, which once
	opened in an application, linked against gdk-pixbuf would lead to gdk-pixbuf
	to return partially initialized pixbuf structure, possibly having huge
	width and height, leading to that particular application termination due
	excessive memory use.

	The CVE identifier of CVE-2011-2485 has been assigned to this issue.
	---
	diff --git a/gdk-pixbuf/io-gif.c b/gdk-pixbuf/io-gif.c
	index 0b370ee..8a1fa3e 100644
	--- a/gdk-pixbuf/io-gif.c
	+++ b/gdk-pixbuf/io-gif.c
	@@ -1455,6 +1455,7 @@ gdk_pixbuf__gif_image_load (FILE file, GError *error)
	{
	GifContext *context;
	GdkPixbuf *pixbuf;
	+ gint retval;

	g_return_val_if_fail (file != NULL, NULL);

	@@ -1472,19 +1473,25 @@ gdk_pixbuf__gif_image_load (FILE file, GError *error)
	context->error = error;
	context->stop_after_first_frame = TRUE;

	- if (gif_main_loop (context) == -1 \|\| context->animation->frames == NULL) {
	+ retval = gif_main_loop (context);
	+ if (retval == -1 \|\| context->animation->frames == NULL) {
	if (context->error && *(context->error) == NULL)
	g_set_error_literal (context->error,
	GDK_PIXBUF_ERROR,
	GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
	_("GIF file was missing some data (perhaps it was truncated somehow?)"));
	}
	+ else if (retval == -2) {
	+ pixbuf = NULL;
	+ goto out;
	+ }

	pixbuf = gdk_pixbuf_animation_get_static_image (GDK_PIXBUF_ANIMATION (context->animation));

	if (pixbuf)
	g_object_ref (pixbuf);

	+out:
	g_object_unref (context->animation);

	g_free (context->buf);
	--
	cgit v0.9