author | Dhiru Kholia <dhiru.kholia@gmail.com> | 2017-11-30 02:36:26 +0100 |
---|---|---|
committer | Bastien Nocera <hadess@hadess.net> | 2017-11-30 02:38:28 +0100 |
commit | dec9ca22d70c0f0d4492333b4e8147afb038afd2 (patch) | |
tree | 0a7ab23e7d33362d0438bf0bdd2b86c87a551a03 /gdk-pixbuf/io-ico.c | |
parent | ce52cefbbc7c6910cd6fd99c7321292b91202009 (diff) | |
download | gdk-pixbuf-dec9ca22d70c0f0d4492333b4e8147afb038afd2.tar.gz |
ico: Fix potential integer overflow
The old check relied on undefined behaviour (signed integer overflow). Instead of checking for an
overflowed integer after the fact, check beforehand whether the addition
can overflow at all.
Fixes: CVE-2017-6312
https://bugzilla.gnome.org/show_bug.cgi?id=779012
Diffstat (limited to 'gdk-pixbuf/io-ico.c')
-rw-r--r-- | gdk-pixbuf/io-ico.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/gdk-pixbuf/io-ico.c b/gdk-pixbuf/io-ico.c
index 8729a0fb9..a86725751 100644
--- a/gdk-pixbuf/io-ico.c
+++ b/gdk-pixbuf/io-ico.c
@@ -333,10 +333,8 @@ static void DecodeHeader(guchar *Data, gint Bytes,
 for (l = State->entries; l != NULL; l = g_list_next (l)) {
 entry = l->data;
- /* We know how many bytes are in the "header" part. */
- State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE;
-
- if (State->HeaderSize < 0) {
+ /* Avoid invoking undefined behavior in the State->HeaderSize calculation below */
+ if (entry->DIBoffset > G_MAXINT - INFOHEADER_SIZE) {
 g_set_error (error,
 GDK_PIXBUF_ERROR,
 GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
@@ -344,6 +342,9 @@ static void DecodeHeader(guchar *Data, gint Bytes,
 return;
 }
+ /* We know how many bytes are in the "header" part. */
+ State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE;
+
 if (State->HeaderSize>State->BytesInHeaderBuf) {
 guchar *tmp=g_try_realloc(State->HeaderBuf,State->HeaderSize);
 if (!tmp) { |
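Review bot: The new guard `if (entry->DIBoffset > G_MAXINT - INFOHEADER_SIZE)` only bounds the upper end of the sum, whereas the removed `if (State->HeaderSize < 0)` also rejected a negative `entry->DIBoffset`; the comparison against `G_MAXINT` indicates a signed `gint`, so a negative value read from the file is not caught by the replacement. If DIBoffset can be negative and is not rejected earlier in DecodeHeader (that parsing is outside this hunk), the second hunk now passes a negative HeaderSize to `g_try_realloc(State->HeaderBuf,State->HeaderSize)`, where it converts to a huge gsize, or accepts a HeaderSize smaller than INFOHEADER_SIZE for the later header reads. I would widen the pre-check to `if (entry->DIBoffset < 0 || entry->DIBoffset > G_MAXINT - INFOHEADER_SIZE) {` so both ends of the range are validated before the addition. DecodeHeader starts and ends outside the hunk, so this should be confirmed against where DIBoffset is assigned.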