From 26b208c5aef5f7801bf0538f8df549f0bf8dcb92 Mon Sep 17 00:00:00 2001 From: Nils Philippsen Date: Mon, 20 Aug 2012 15:30:33 +0200 Subject: [PATCH] patch: CVE-2012-3481 Squashed commit of the following: commit c56f3dc25cd4941f465e88bd91a0e107a4ac1b5e Author: Nils Philippsen Date: Tue Aug 14 15:27:39 2012 +0200 file-gif-load: fix type overflow (CVE-2012-3481) Cast variables properly to avoid overflowing when computing how much memory to allocate. (cherry picked from commit 43fc9dbd8e2196944c8a71321e525b89b7df9f5c) commit 11e922a8cee5c9bb532e2a996d2db3beab6da6cb Author: Jan Lieskovsky Date: Tue Aug 14 12:18:22 2012 +0200 file-gif-load: limit len and height (CVE-2012-3481) Ensure values of len and height can't overflow g_malloc() argument type. (cherry picked from commit d95c2f0bcb6775bdee2bef35b7d84f6dfd490783) --- plug-ins/common/file-gif-load.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c index 8460ec0..295c351 100644 --- a/plug-ins/common/file-gif-load.c +++ b/plug-ins/common/file-gif-load.c @@ -1028,10 +1028,17 @@ ReadImage (FILE *fd, cur_progress = 0; max_progress = height; + if (len > (G_MAXSIZE / height / (alpha_frame ? (promote_to_rgb ? 4 : 2) : 1))) + { + g_message ("'%s' has a larger image size than GIMP can handle.", + gimp_filename_to_utf8 (filename)); + return -1; + } + if (alpha_frame) - dest = (guchar *) g_malloc (len * height * (promote_to_rgb ? 4 : 2)); + dest = (guchar *) g_malloc ((gsize)len * (gsize)height * (promote_to_rgb ? 4 : 2)); else - dest = (guchar *) g_malloc (len * height); + dest = (guchar *) g_malloc ((gsize)len * (gsize)height); #ifdef GIFDEBUG g_print ("GIF: reading %d by %d%s GIF image, ncols=%d\n", -- 1.7.11.4