Bugzilla – Attachment 23191 Details for
Bug 59100
VUL-0: CVE-2004-0788: gtk+ XPM decoder issue
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
IDP Log In
|
Forgot Password
[patch]
gdk-pixbuf patch (also applies to earlier gdk-pixbuf versions)
gdk-pixbuf-0.22.0-rh-alt-bound.patch (text/plain), 2.06 KB, created by
Marcus Meissner
on 2004-09-06 23:40:51 UTC
(
hide
)
Description:
gdk-pixbuf patch (also applies to earlier gdk-pixbuf versions)
Filename:
MIME Type:
Creator:
Marcus Meissner
Created:
2004-09-06 23:40:51 UTC
Size:
2.06 KB
patch
obsolete
>diff -uprk.orig gdk-pixbuf-0.22.0.orig/gdk-pixbuf/io-ico.c gdk-pixbuf-0.22.0/gdk-pixbuf/io-ico.c >--- gdk-pixbuf-0.22.0.orig/gdk-pixbuf/io-ico.c 2004-09-03 18:22:50 +0400 >+++ gdk-pixbuf-0.22.0/gdk-pixbuf/io-ico.c 2004-09-03 18:25:45 +0400 >@@ -330,6 +330,9 @@ DecodeHeader (guchar *Data, gint Bytes, > > State->HeaderSize+=I; > >+ if (State->HeaderSize < 0) >+ return FALSE; >+ > if (State->HeaderSize>State->BytesInHeaderBuf) { > guchar *tmp=realloc(State->HeaderBuf,State->HeaderSize); > if (!tmp) >diff -uprk.orig gdk-pixbuf-0.22.0.orig/gdk-pixbuf/io-xpm.c gdk-pixbuf-0.22.0/gdk-pixbuf/io-xpm.c >--- gdk-pixbuf-0.22.0.orig/gdk-pixbuf/io-xpm.c 2001-03-01 23:16:28 +0300 >+++ gdk-pixbuf-0.22.0/gdk-pixbuf/io-xpm.c 2004-09-03 18:36:20 +0400 >@@ -243,8 +243,8 @@ xpm_extract_color (const gchar *buffer) > break; > else { > if (numnames > 0) { >- space -= 1; >- strcat (color, " "); >+ strncat (color, " ", space); >+ space -= MIN (space, 1); > } > > strncat (color, temp, space); >@@ -352,16 +352,31 @@ pixbuf_create_from_xpm (const gchar * (* > return NULL; > } > sscanf (buffer, "%d %d %d %d", &w, &h, &n_col, &cpp); >- if (cpp >= 32) { >- g_warning ("XPM has more than 31 chars per pixel."); >+ if (cpp <= 0 || cpp >= 32) { >+ g_warning ("XPM has invalid number of chars per pixel"); >+ return NULL; >+ } >+ if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1)) { >+ g_warning ("XPM file has invalid number of colors"); > return NULL; > } > > /* The hash is used for fast lookups of color from chars */ > color_hash = g_hash_table_new (g_str_hash, g_str_equal); > >- name_buf = g_new (gchar, n_col * (cpp + 1)); >- colors = g_new (_XPMColor, n_col); >+ name_buf = g_try_malloc (n_col * (cpp + 1)); >+ if (!name_buf) { >+ g_warning ("Cannot allocate memory for loading XPM image"); >+ g_hash_table_destroy (color_hash); >+ return NULL; >+ } >+ colors = malloc (sizeof (_XPMColor) * n_col); >+ if (!colors) { >+ g_warning ("Cannot allocate memory for loading XPM image"); >+ g_hash_table_destroy (color_hash); >+ g_free (name_buf); >+ return NULL; >+ } > > for (cnt = 0; cnt < n_col; cnt++) { > gchar *color_name;
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=23191">View the attachment on a separate page</a>.</b>
Actions:
View
|
Diff
Attachments on
bug 59100
:
22861
|
22897
|
22999
|
23166
| 23191