authorBastien Nocera <hadess@hadess.net>2017-12-05 11:51:02 +0100
committerBastien Nocera <hadess@hadess.net>2017-12-05 11:52:08 +0100
commit210b16399a492d05efb209615a143920b24251f4 (patch)
tree4109a4b2438193b1cf5f2702bc5bda7c7dba24af
parent1e513abdb55529f888233d3c96b27352d83aad5f (diff)
downloadgdk-pixbuf-210b16399a492d05efb209615a143920b24251f4.tar.gz
icns: Protect against too short blocklen (CVE-2017-6313)
The blocklen needs to be at least header sized to be valid, otherwise we can underflow picture data or mask data lengths. https://bugzilla.gnome.org/show_bug.cgi?id=779016
-rw-r--r--gdk-pixbuf/io-icns.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/gdk-pixbuf/io-icns.c b/gdk-pixbuf/io-icns.c
index a432e463f..41732b153 100644
--- a/gdk-pixbuf/io-icns.c
+++ b/gdk-pixbuf/io-icns.c
@@ -95,7 +95,8 @@ load_resources (unsigned size, IN gpointer data, gsize datalen,
blocklen = GUINT32_FROM_BE (header->size);
/* Check that blocklen isn't garbage */
- if (blocklen > icnslen - (current - bytes))
+ if (blocklen > icnslen - (current - bytes) ||
+ blocklen < sizeof (IcnsBlockHeader))
return FALSE;
switch (size)
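Review bot: The comment above the widened check still says only "Check that blocklen isn't garbage" and gives no reason for the new lower bound; I would reword it to `/* blocklen must fit in the remaining data and cover at least its own block header, otherwise the picture/mask lengths derived from it underflow */`, which is the rationale the commit message gives. The comparison is `<`, so a blocklen exactly equal to `sizeof (IcnsBlockHeader)` still passes and presumably produces a zero-length picture or mask; the code that consumes those lengths is outside this hunk, so it is worth confirming that it handles zero. The diffstat shows only io-icns.c changed, so a regression sample with an undersized block in the test suite would keep this check from being lost later. load_resources begins and continues outside the hunk.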