1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
|
From 06d24a79af94837d615d0024916bb95a01bf3c59 Mon Sep 17 00:00:00 2001
From: Jehan <jehan@girinstud.io>
Date: Thu, 21 Dec 2017 12:15:34 +0100
Subject: Bug 790784 - (CVE-2017-17784) heap overread in gbr parser /
load_image.
We were assuming the input name was well formed, hence was
nul-terminated. As any data coming from external input, this has to be
thorougly checked.
---
plug-ins/common/file-gbr.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/plug-ins/common/file-gbr.c b/plug-ins/common/file-gbr.c
index b8933e7..585e74a 100644
--- a/plug-ins/common/file-gbr.c
+++ b/plug-ins/common/file-gbr.c
@@ -456,7 +456,8 @@ load_image (GFile *file,
if (! g_input_stream_read_all (input, temp, size,
&bytes_read, NULL, error) ||
- bytes_read != size)
+ bytes_read != size ||
+ temp[size - 1] != '\0')
{
g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
_("Error in GIMP brush file '%s'"),
--
cgit v0.12
|
GitWeb
