author | Sebastian Pipping <sping@gentoo.org> | 2012-09-14 22:42:43 +0000 |
---|---|---|
committer | Sebastian Pipping <sping@gentoo.org> | 2012-09-14 22:42:43 +0000 |
commit | bfeba51ccb1afa95f681429e90a687456aaf796b (patch) | |
tree | 074d3c89e3993befd3855a7aafa33acebcd0243c /media-gfx/gimp/files | |
parent | Remove old (diff) | |
media-gfx/gimp: 2.6.12-r3 (CVE-2012-3481, bug #434580)
Package-Manager: portage-2.1.10.65/cvs/Linux x86_64
Diffstat (limited to 'media-gfx/gimp/files')
-rw-r--r-- | media-gfx/gimp/files/gimp-2.6.12-fix-type-overflow-CVE-2012-3481.patch | 30 | ||||
-rw-r--r-- | media-gfx/gimp/files/gimp-2.6.12-limit-len-and-height-CVE-2012-3481.patch | 31 |
2 files changed, 61 insertions, 0 deletions
diff --git a/media-gfx/gimp/files/gimp-2.6.12-fix-type-overflow-CVE-2012-3481.patch b/media-gfx/gimp/files/gimp-2.6.12-fix-type-overflow-CVE-2012-3481.patch
new file mode 100644
index 000000000000..8ac0934038d9
--- /dev/null
+++ b/media-gfx/gimp/files/gimp-2.6.12-fix-type-overflow-CVE-2012-3481.patch
@@ -0,0 +1,30 @@
+From 407606bdbb404c0a1bf14751a394459e1bedfc08 Mon Sep 17 00:00:00 2001
+From: Nils Philippsen <nils@redhat.com>
+Date: Tue, 14 Aug 2012 15:27:39 +0200
+Subject: [PATCH 2/2] file-gif-load: fix type overflow (CVE-2012-3481)
+
+Cast variables properly to avoid overflowing when computing how much
+memory to allocate.
+---
+ plug-ins/common/file-gif-load.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
+index 909b184..b46ba08 100644
+--- a/plug-ins/common/file-gif-load.c
++++ b/plug-ins/common/file-gif-load.c
+@@ -1033,9 +1033,9 @@ ReadImage (FILE *fd,
+ }
+
+ if (alpha_frame)
+- dest = (guchar *) g_malloc (len * height * (promote_to_rgb ? 4 : 2));
++ dest = (guchar *) g_malloc ((gsize)len * (gsize)height * (promote_to_rgb ? 4 : 2));
+ else
+- dest = (guchar *) g_malloc (len * height);
++ dest = (guchar *) g_malloc ((gsize)len * (gsize)height);
+
+ #ifdef GIFDEBUG
+ g_print ("GIF: reading %d by %d%s GIF image, ncols=%d\n",
+--
+1.7.11.4
+
diff --git a/media-gfx/gimp/files/gimp-2.6.12-limit-len-and-height-CVE-2012-3481.patch b/media-gfx/gimp/files/gimp-2.6.12-limit-len-and-height-CVE-2012-3481.patch
new file mode 100644
index 000000000000..e94224bb47e4
--- /dev/null
+++ b/media-gfx/gimp/files/gimp-2.6.12-limit-len-and-height-CVE-2012-3481.patch
@@ -0,0 +1,31 @@
+From 4ec417c50d4cce935a87b5beab051e85cbfcec45 Mon Sep 17 00:00:00 2001
+From: Jan Lieskovsky <jlieskov@redhat.com>
+Date: Tue, 14 Aug 2012 12:18:22 +0200
+Subject: [PATCH 1/2] file-gif-load: limit len and height (CVE-2012-3481)
+
+Ensure values of len and height can't overflow g_malloc() argument type.
+---
+ plug-ins/common/file-gif-load.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
+index 9a0720b..909b184 100644
+--- a/plug-ins/common/file-gif-load.c
++++ b/plug-ins/common/file-gif-load.c
+@@ -1025,6 +1025,13 @@ ReadImage (FILE *fd,
+ cur_progress = 0;
+ max_progress = height;
+
++ if (len > (G_MAXSIZE / height / (alpha_frame ? (promote_to_rgb ? 4 : 2) : 1)))
++ {
++ g_message ("'%s' has a larger image size than GIMP can handle.",
++ gimp_filename_to_utf8 (filename));
++ return -1;
++ }
++
+ if (alpha_frame)
+ dest = (guchar *) g_malloc (len * height * (promote_to_rgb ? 4 : 2));
+ else
+--
+1.7.11.4
+ |
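Review bot: The guard added by patch 1/2 divides `G_MAXSIZE` by `height` with no visible check that `height` is non-zero, so a frame declaring zero height would reach a division by zero unless it is rejected earlier in `ReadImage` or its caller, which this hunk does not show. I would write the condition as `if (height == 0 || len > (G_MAXSIZE / height / (alpha_frame ? (promote_to_rgb ? 4 : 2) : 1)))`, or reject empty frames before this point. The guard also only rules out arithmetic overflow, not sizes that are merely too large to allocate, and the `g_malloc` calls in the context lines abort the process on failure; `g_try_malloc` with a NULL check and the same `return -1` would let an oversized file fail cleanly. `ReadImage` starts and ends outside the hunk, and the declared types of `len` and `height` are not visible here, so the signedness of the comparison should be confirmed against the signature.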