From 210b16399a492d05efb209615a143920b24251f4 Mon Sep 17 00:00:00 2001
From: Bastien Nocera <hadess@hadess.net>
Date: Tue, 5 Dec 2017 11:51:02 +0100
Subject: icns: Protect against too short blocklen (CVE-2017-6313)

The blocklen needs to be at least header sized to be valid, otherwise we
can underflow picture data or mask data lengths.

https://bugzilla.gnome.org/show_bug.cgi?id=779016
---
 gdk-pixbuf/io-icns.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/gdk-pixbuf/io-icns.c b/gdk-pixbuf/io-icns.c
index a432e463f..41732b153 100644
--- a/gdk-pixbuf/io-icns.c
+++ b/gdk-pixbuf/io-icns.c
@@ -95,7 +95,8 @@ load_resources (unsigned size, IN gpointer data, gsize datalen,
       blocklen = GUINT32_FROM_BE (header->size);
 
       /* Check that blocklen isn't garbage */
-      if (blocklen > icnslen - (current - bytes))
+      if (blocklen > icnslen - (current - bytes) ||
+	  blocklen < sizeof (IcnsBlockHeader))
         return FALSE;
 
       switch (size)
-- 
cgit v1.2.1