commit 78a56b21340157775be2462a19276b4d31d2bd01
Author: Andrea Mazzoleni <amadvance@gmail.com>
Date:   Fri Jan 4 20:49:25 2019 +0100
    Fix a buffer overflow caused by invalid images
diff --git a/lib/png.c b/lib/png.c
index 0939a5a..cbf140b 100644
--- a/lib/png.c
+++ b/lib/png.c
@@ -603,6 +603,7 @@ adv_error adv_png_read_ihdr(
 	unsigned pixel;
 	unsigned width;
 	unsigned width_align;
+	unsigned scanline;
 	unsigned height;
 	unsigned depth;
 	int r;
@@ -719,9 +720,23 @@ adv_error adv_png_read_ihdr(
 		goto err_ptr;
 	}
 
-	*dat_size = height * (width_align * pixel + 1);
+	/* check for overflow */
+	if (pixel == 0 || width_align >= UINT_MAX / pixel) {
+		error_set("Invalid image size");
+		goto err_ptr;
+	}
+
+	scanline = width_align * pixel + 1;
+
+	/* check for overflow */
+	if (scanline == 0 || height >= UINT_MAX / scanline) {
+		error_set("Invalid image size");
+		goto err_ptr;
+	}
+
+	*dat_size = height * scanline;
 	*dat_ptr = malloc(*dat_size);
-	*pix_scanline = width_align * pixel + 1;
+	*pix_scanline = scanline;
 	*pix_ptr = *dat_ptr + 1;
 
 	z.zalloc = 0;
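Review bot: The `*dat_ptr = malloc(*dat_size);` result on the line after the new `*dat_size = height * scanline;` is still unchecked, so an allocation failure leaves `*pix_ptr = *dat_ptr + 1;` doing arithmetic on a null pointer and hands the caller a null data buffer; a guard such as `if (!*dat_ptr) { error_set("Out of memory"); goto err_ptr; }` closes that path (the `err_ptr` label and the rest of adv_png_read_ihdr are outside the hunk, so whether that label touches `*dat_ptr` cannot be confirmed here, though the new size checks already jump to it before the allocation). The overflow guards themselves look right: `width_align < UINT_MAX / pixel` leaves room for the `+ 1`, and the second test keeps `height * scanline` below UINT_MAX. `UINT_MAX` needs `<limits.h>`, and the include list is not in the hunk, so it is worth confirming png.c already pulls it in. If the IHDR validation above the hunk does not already reject a zero height, `malloc(0)` is also still reachable.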