author | Bastien Nocera <hadess@hadess.net> | 2017-12-05 11:51:02 +0100 |
---|---|---|
committer | Bastien Nocera <hadess@hadess.net> | 2017-12-05 11:52:08 +0100 |
commit | 210b16399a492d05efb209615a143920b24251f4 (patch) | |
tree | 4109a4b2438193b1cf5f2702bc5bda7c7dba24af | |
parent | 1e513abdb55529f888233d3c96b27352d83aad5f (diff) | |
download | gdk-pixbuf-210b16399a492d05efb209615a143920b24251f4.tar.gz |
icns: Protect against too short blocklen (CVE-2017-6313)
The blocklen needs to be at least header sized to be valid, otherwise we
can underflow picture data or mask data lengths.
https://bugzilla.gnome.org/show_bug.cgi?id=779016
-rw-r--r-- | gdk-pixbuf/io-icns.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/gdk-pixbuf/io-icns.c b/gdk-pixbuf/io-icns.c
index a432e463f..41732b153 100644
--- a/gdk-pixbuf/io-icns.c
+++ b/gdk-pixbuf/io-icns.c
@@ -95,7 +95,8 @@ load_resources (unsigned size, IN gpointer data, gsize datalen,
 blocklen = GUINT32_FROM_BE (header->size);
 /* Check that blocklen isn't garbage */
- if (blocklen > icnslen - (current - bytes))
+ if (blocklen > icnslen - (current - bytes) ||
+ blocklen < sizeof (IcnsBlockHeader))
 return FALSE;
 switch (size)
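Review bot: The new lower bound still accepts a `blocklen` exactly equal to `sizeof (IcnsBlockHeader)`, so the picture or mask length derived from it can be zero; the code that consumes those lengths is outside this hunk and should be confirmed to tolerate an empty payload. The comment above the check only says "isn't garbage" and would be more useful if it stated the invariant, e.g. `/* blocklen must fit in the remaining data and cover at least the block header, otherwise the payload length underflows */`. The diffstat shows only io-icns.c changed, so a regression test with an ICNS file whose block size is smaller than the header would help keep this fix in place. load_resources begins and ends outside the hunk.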