Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/media-gfx/gimp/files/gimp-2.6.12-CVE-2012-3481.patch
diff options
context:
space:
mode:
Diffstat (limited to 'media-gfx/gimp/files/gimp-2.6.12-CVE-2012-3481.patch')
-rw-r--r--media-gfx/gimp/files/gimp-2.6.12-CVE-2012-3481.patch56
1 files changed, 56 insertions, 0 deletions
diff --git a/media-gfx/gimp/files/gimp-2.6.12-CVE-2012-3481.patch b/media-gfx/gimp/files/gimp-2.6.12-CVE-2012-3481.patch
new file mode 100644
index 000000000000..a5aee6a34473
--- /dev/null
+++ b/media-gfx/gimp/files/gimp-2.6.12-CVE-2012-3481.patch
@@ -0,0 +1,56 @@
+From 26b208c5aef5f7801bf0538f8df549f0bf8dcb92 Mon Sep 17 00:00:00 2001
+From: Nils Philippsen <nils@redhat.com>
+Date: Mon, 20 Aug 2012 15:30:33 +0200
+Subject: [PATCH] patch: CVE-2012-3481
+
+Squashed commit of the following:
+
+commit c56f3dc25cd4941f465e88bd91a0e107a4ac1b5e
+Author: Nils Philippsen <nils@redhat.com>
+Date: Tue Aug 14 15:27:39 2012 +0200
+
+ file-gif-load: fix type overflow (CVE-2012-3481)
+
+ Cast variables properly to avoid overflowing when computing how much
+ memory to allocate.
+ (cherry picked from commit 43fc9dbd8e2196944c8a71321e525b89b7df9f5c)
+
+commit 11e922a8cee5c9bb532e2a996d2db3beab6da6cb
+Author: Jan Lieskovsky <jlieskov@redhat.com>
+Date: Tue Aug 14 12:18:22 2012 +0200
+
+ file-gif-load: limit len and height (CVE-2012-3481)
+
+ Ensure values of len and height can't overflow g_malloc() argument type.
+ (cherry picked from commit d95c2f0bcb6775bdee2bef35b7d84f6dfd490783)
+---
+ plug-ins/common/file-gif-load.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
+index 8460ec0..295c351 100644
+--- a/plug-ins/common/file-gif-load.c
++++ b/plug-ins/common/file-gif-load.c
+@@ -1028,10 +1028,17 @@ ReadImage (FILE *fd,
+ cur_progress = 0;
+ max_progress = height;
+
++ if (len > (G_MAXSIZE / height / (alpha_frame ? (promote_to_rgb ? 4 : 2) : 1)))
++ {
++ g_message ("'%s' has a larger image size than GIMP can handle.",
++ gimp_filename_to_utf8 (filename));
++ return -1;
++ }
++
+ if (alpha_frame)
+- dest = (guchar *) g_malloc (len * height * (promote_to_rgb ? 4 : 2));
++ dest = (guchar *) g_malloc ((gsize)len * (gsize)height * (promote_to_rgb ? 4 : 2));
+ else
+- dest = (guchar *) g_malloc (len * height);
++ dest = (guchar *) g_malloc ((gsize)len * (gsize)height);
+
+ #ifdef GIFDEBUG
+ g_print ("GIF: reading %d by %d%s GIF image, ncols=%d\n",
+--
+1.7.11.4
+