From d0b5a9d997ee762c077790a87a48bc611d765d74 Mon Sep 17 00:00:00 2001 From: "Andreas K. Hüttel" Date: Fri, 27 Jan 2017 21:58:11 +0100 Subject: media-libs/lcms: Add patch for out-of-bounds read in Type_MLU_Read() (CVE-2016-10165), bug 591452 Package-Manager: Portage-2.3.3, Repoman-2.3.1 --- .../lcms/files/lcms-2.8-CVE-2016-10165.patch | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 media-libs/lcms/files/lcms-2.8-CVE-2016-10165.patch (limited to 'media-libs/lcms/files') diff --git a/media-libs/lcms/files/lcms-2.8-CVE-2016-10165.patch b/media-libs/lcms/files/lcms-2.8-CVE-2016-10165.patch new file mode 100644 index 000000000000..b380cf40d5a7 --- /dev/null +++ b/media-libs/lcms/files/lcms-2.8-CVE-2016-10165.patch @@ -0,0 +1,22 @@ +From 5ca71a7bc18b6897ab21d815d15e218e204581e2 Mon Sep 17 00:00:00 2001 +From: Marti +Date: Mon, 15 Aug 2016 23:31:39 +0200 +Subject: [PATCH] Added an extra check to MLU bounds + +Thanks to Ibrahim el-sayed for spotting the bug +--- + src/cmstypes.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/cmstypes.c b/src/cmstypes.c +index cb61860..c7328b9 100644 +--- a/src/cmstypes.c ++++ b/src/cmstypes.c +@@ -1460,6 +1460,7 @@ void *Type_MLU_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU + + // Check for overflow + if (Offset < (SizeOfHeader + 8)) goto Error; ++ if ((Offset + Len) > SizeOfTag + 8) goto Error; + + // True begin of the string + BeginOfThisString = Offset - SizeOfHeader - 8; -- cgit v1.2.3-18-g5258