[gdk-pixbuf] icns: Protect against too short blocklen (CVE-2017-6313)
- From: Bastien Nocera <hadess src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gdk-pixbuf] icns: Protect against too short blocklen (CVE-2017-6313)
- Date: Tue, 5 Dec 2017 11:02:04 +0000 (UTC)
commit 210b16399a492d05efb209615a143920b24251f4
Author: Bastien Nocera <hadess hadess net>
Date: Tue Dec 5 11:51:02 2017 +0100
icns: Protect against too short blocklen (CVE-2017-6313)
The blocklen needs to be at least header sized to be valid, otherwise we
can underflow picture data or mask data lengths.
https://bugzilla.gnome.org/show_bug.cgi?id=779016
gdk-pixbuf/io-icns.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
---
diff --git a/gdk-pixbuf/io-icns.c b/gdk-pixbuf/io-icns.c
index a432e46..41732b1 100644
--- a/gdk-pixbuf/io-icns.c
+++ b/gdk-pixbuf/io-icns.c
@@ -95,7 +95,8 @@ load_resources (unsigned size, IN gpointer data, gsize datalen,
blocklen = GUINT32_FROM_BE (header->size);
/* Check that blocklen isn't garbage */
- if (blocklen > icnslen - (current - bytes))
+ if (blocklen > icnslen - (current - bytes) ||
+ blocklen < sizeof (IcnsBlockHeader))
return FALSE;
switch (size)
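Review bot: The comment above the added `blocklen < sizeof (IcnsBlockHeader)` condition still says only "Check that blocklen isn't garbage", so a reader of this check cannot tell why a lower bound is needed. Suggest extending the comment to say that blocklen must cover at least the block header, because the picture and mask data lengths derived from it would otherwise underflow, as the commit message explains. The diffstat shows only io-icns.c changed, so a regression test image whose block size is smaller than the header would be worth adding alongside this fix. Separately, the upper-bound half of the condition relies on `current - bytes` never exceeding `icnslen`; nothing in this hunk shows that, so it is worth confirming that the surrounding loop guarantees it.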