From 48a48ec76d527cabaf20eefefac905915085039c Mon Sep 17 00:00:00 2001 From: Nils Philippsen Date: Aug 20 2012 13:34:47 +0000 Subject: fix overflow in GIF loader (CVE-2012-3481) --- diff --git a/gimp-2.6.12-CVE-2012-3481.patch b/gimp-2.6.12-CVE-2012-3481.patch new file mode 100644 index 0000000..a5aee6a --- /dev/null +++ b/gimp-2.6.12-CVE-2012-3481.patch @@ -0,0 +1,56 @@ +From 26b208c5aef5f7801bf0538f8df549f0bf8dcb92 Mon Sep 17 00:00:00 2001 +From: Nils Philippsen +Date: Mon, 20 Aug 2012 15:30:33 +0200 +Subject: [PATCH] patch: CVE-2012-3481 + +Squashed commit of the following: + +commit c56f3dc25cd4941f465e88bd91a0e107a4ac1b5e +Author: Nils Philippsen +Date: Tue Aug 14 15:27:39 2012 +0200 + + file-gif-load: fix type overflow (CVE-2012-3481) + + Cast variables properly to avoid overflowing when computing how much + memory to allocate. + (cherry picked from commit 43fc9dbd8e2196944c8a71321e525b89b7df9f5c) + +commit 11e922a8cee5c9bb532e2a996d2db3beab6da6cb +Author: Jan Lieskovsky +Date: Tue Aug 14 12:18:22 2012 +0200 + + file-gif-load: limit len and height (CVE-2012-3481) + + Ensure values of len and height can't overflow g_malloc() argument type. + (cherry picked from commit d95c2f0bcb6775bdee2bef35b7d84f6dfd490783) +--- + plug-ins/common/file-gif-load.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c +index 8460ec0..295c351 100644 +--- a/plug-ins/common/file-gif-load.c ++++ b/plug-ins/common/file-gif-load.c +@@ -1028,10 +1028,17 @@ ReadImage (FILE *fd, + cur_progress = 0; + max_progress = height; + ++ if (len > (G_MAXSIZE / height / (alpha_frame ? (promote_to_rgb ? 4 : 2) : 1))) ++ { ++ g_message ("'%s' has a larger image size than GIMP can handle.", ++ gimp_filename_to_utf8 (filename)); ++ return -1; ++ } ++ + if (alpha_frame) +- dest = (guchar *) g_malloc (len * height * (promote_to_rgb ? 4 : 2)); ++ dest = (guchar *) g_malloc ((gsize)len * (gsize)height * (promote_to_rgb ? 4 : 2)); + else +- dest = (guchar *) g_malloc (len * height); ++ dest = (guchar *) g_malloc ((gsize)len * (gsize)height); + + #ifdef GIFDEBUG + g_print ("GIF: reading %d by %d%s GIF image, ncols=%d\n", +-- +1.7.11.4 + diff --git a/gimp.spec b/gimp.spec index bc68323..bdd6166 100644 --- a/gimp.spec +++ b/gimp.spec @@ -130,6 +130,7 @@ Patch2: gimp-2.6.6-minimize-dialogs.patch Patch3: gimp-2.6.12-fits.patch Patch4: gimp-2.6.12-CVE-2012-3403.patch +Patch5: gimp-2.6.12-CVE-2012-3481.patch %description GIMP (GNU Image Manipulation Program) is a powerful image composition and @@ -213,6 +214,7 @@ EOF %patch2 -p1 -b .minimize-dialogs %patch3 -p1 -b .fits %patch4 -p1 -b .CVE-2012-3403 +%patch5 -p1 -b .CVE-2012-3481 %build # Use PIC/PIE because gimp is likely to deal with files coming from untrusted @@ -481,6 +483,7 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : * Mon Aug 20 2012 Nils Philippsen - 2:2.6.12-2 - fix crash in fits loader (#834627) - fix overflow in CEL plug-in (CVE-2012-3403) +- fix overflow in GIF loader (CVE-2012-3481) * Tue Jan 31 2012 Nils Philippsen - 2:2.6.12-1 - version 2.6.12