]>
Commit | Line | Data |
---|---|---|
99666750 JR |
1 | From ffa77a246652c7e706d690682fe659f50fbe5656 Mon Sep 17 00:00:00 2001 |
2 | From: Nils Philippsen <nils@redhat.com> | |
3 | Date: Mon, 1 Jul 2013 12:03:51 +0200 | |
4 | Subject: [PATCH] patch: CVE-2012-4433 | |
5 | ||
6 | Squashed commit of the following: | |
7 | ||
8 | commit 2a9071e2dc4cfe1aaa7a726805985281936f9874 | |
9 | Author: Nils Philippsen <nils@redhat.com> | |
10 | Date: Tue Oct 16 16:57:37 2012 +0200 | |
11 | ||
12 | ppm-load: bring comment in line with reality | |
13 | ||
14 | (cherry picked from commit 6975a9cfeaf0698b42ac81b1c2f00d13c8755453) | |
15 | ||
16 | commit 8bb88ebf78e54837322d3be74688f98800e9f33a | |
17 | Author: Nils Philippsen <nils@redhat.com> | |
18 | Date: Tue Oct 16 16:56:40 2012 +0200 | |
19 | ||
20 | ppm-load: CVE-2012-4433: add plausibility checks for header fields | |
21 | ||
22 | Refuse values that are non-decimal, negative or overflow the target | |
23 | type. | |
24 | ||
25 | (cherry picked from commit 4757cdf73d3675478d645a3ec8250ba02168a230) | |
26 | ||
27 | commit 2b099886969bf055a8635d06a4d89f20fed1ee42 | |
28 | Author: Nils Philippsen <nils@redhat.com> | |
29 | Date: Tue Oct 16 16:58:27 2012 +0200 | |
30 | ||
31 | ppm-load: CVE-2012-4433: don't overflow memory allocation | |
32 | ||
33 | Carefully selected width/height values could cause the size of a later | |
34 | allocation to overflow, resulting in a buffer much too small to store | |
35 | the data which would then written beyond its end. | |
36 | ||
37 | (cherry picked from commit 1e92e5235ded0415d555aa86066b8e4041ee5a53) | |
38 | --- | |
39 | operations/external/ppm-load.c | 64 +++++++++++++++++++++++++++++++++++------- | |
40 | 1 file changed, 54 insertions(+), 10 deletions(-) | |
41 | ||
42 | diff --git a/operations/external/ppm-load.c b/operations/external/ppm-load.c | |
43 | index efe6d56..e22521c 100644 | |
44 | --- a/operations/external/ppm-load.c | |
45 | +++ b/operations/external/ppm-load.c | |
46 | @@ -36,6 +36,7 @@ gegl_chant_file_path (path, _("File"), "", _("Path of file to load.")) | |
47 | #include "gegl-chant.h" | |
48 | #include <stdio.h> | |
49 | #include <stdlib.h> | |
50 | +#include <errno.h> | |
51 | ||
52 | typedef enum { | |
53 | PIXMAP_ASCII = 51, | |
54 | @@ -44,8 +45,8 @@ typedef enum { | |
55 | ||
56 | typedef struct { | |
57 | map_type type; | |
58 | - gint width; | |
59 | - gint height; | |
60 | + glong width; | |
61 | + glong height; | |
62 | gsize numsamples; /* width * height * channels */ | |
63 | gsize bpc; /* bytes per channel */ | |
64 | guchar *data; | |
65 | @@ -61,7 +62,7 @@ ppm_load_read_header(FILE *fp, | |
66 | gchar header[MAX_CHARS_IN_ROW]; | |
67 | gint maxval; | |
68 | ||
69 | - /* Check the PPM file Type P2 or P5 */ | |
70 | + /* Check the PPM file Type P3 or P6 */ | |
71 | fgets (header,MAX_CHARS_IN_ROW,fp); | |
72 | ||
73 | if (header[0] != ASCII_P || | |
74 | @@ -82,12 +83,33 @@ ppm_load_read_header(FILE *fp, | |
75 | } | |
76 | ||
77 | /* Get Width and Height */ | |
78 | - img->width = strtol (header,&ptr,0); | |
79 | - img->height = atoi (ptr); | |
80 | - img->numsamples = img->width * img->height * CHANNEL_COUNT; | |
81 | + errno = 0; | |
82 | + img->width = strtol (header,&ptr,10); | |
83 | + if (errno) | |
84 | + { | |
85 | + g_warning ("Error reading width: %s", strerror(errno)); | |
86 | + return FALSE; | |
87 | + } | |
88 | + else if (img->width < 0) | |
89 | + { | |
90 | + g_warning ("Error: width is negative"); | |
91 | + return FALSE; | |
92 | + } | |
93 | + | |
94 | + img->height = strtol (ptr,&ptr,10); | |
95 | + if (errno) | |
96 | + { | |
97 | + g_warning ("Error reading height: %s", strerror(errno)); | |
98 | + return FALSE; | |
99 | + } | |
100 | + else if (img->width < 0) | |
101 | + { | |
102 | + g_warning ("Error: height is negative"); | |
103 | + return FALSE; | |
104 | + } | |
105 | ||
106 | fgets (header,MAX_CHARS_IN_ROW,fp); | |
107 | - maxval = strtol (header,&ptr,0); | |
108 | + maxval = strtol (header,&ptr,10); | |
109 | ||
110 | if ((maxval != 255) && (maxval != 65535)) | |
111 | { | |
112 | @@ -109,6 +131,16 @@ ppm_load_read_header(FILE *fp, | |
113 | g_warning ("%s: Programmer stupidity error", G_STRLOC); | |
114 | } | |
115 | ||
116 | + /* Later on, img->numsamples is multiplied with img->bpc to allocate | |
117 | + * memory. Ensure it doesn't overflow. */ | |
118 | + if (!img->width || !img->height || | |
119 | + G_MAXSIZE / img->width / img->height / CHANNEL_COUNT < img->bpc) | |
120 | + { | |
121 | + g_warning ("Illegal width/height: %ld/%ld", img->width, img->height); | |
122 | + return FALSE; | |
123 | + } | |
124 | + img->numsamples = img->width * img->height * CHANNEL_COUNT; | |
125 | + | |
126 | return TRUE; | |
127 | } | |
128 | ||
129 | @@ -229,12 +261,24 @@ process (GeglOperation *operation, | |
130 | if (!ppm_load_read_header (fp, &img)) | |
131 | goto out; | |
132 | ||
133 | - rect.height = img.height; | |
134 | - rect.width = img.width; | |
135 | - | |
136 | /* Allocating Array Size */ | |
137 | + | |
138 | + /* Should use g_try_malloc(), but this causes crashes elsewhere because the | |
139 | + * error signalled by returning FALSE isn't properly acted upon. Therefore | |
140 | + * g_malloc() is used here which aborts if the requested memory size can't be | |
141 | + * allocated causing a controlled crash. */ | |
142 | img.data = (guchar*) g_malloc (img.numsamples * img.bpc); | |
143 | ||
144 | + /* No-op without g_try_malloc(), see above. */ | |
145 | + if (! img.data) | |
146 | + { | |
147 | + g_warning ("Couldn't allocate %" G_GSIZE_FORMAT " bytes, giving up.", ((gsize)img.numsamples * img.bpc)); | |
148 | + goto out; | |
149 | + } | |
150 | + | |
151 | + rect.height = img.height; | |
152 | + rect.width = img.width; | |
153 | + | |
154 | switch (img.bpc) | |
155 | { | |
156 | case 1: | |
157 | -- | |
158 | 1.8.3.1 | |
159 |