49 lines
1.5 KiB
Diff
49 lines
1.5 KiB
Diff
Fix CVE-2017-17789:
|
|
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17789
|
|
https://bugzilla.gnome.org/show_bug.cgi?id=790849
|
|
|
|
Patch copied from upstream source repository:
|
|
|
|
https://git.gnome.org/browse/gimp/commit/?id=01898f10f87a094665a7fdcf7153990f4e511d3f
|
|
|
|
From 01898f10f87a094665a7fdcf7153990f4e511d3f Mon Sep 17 00:00:00 2001
|
|
From: Jehan <jehan@girinstud.io>
|
|
Date: Wed, 20 Dec 2017 16:44:20 +0100
|
|
Subject: [PATCH] Bug 790849 - (CVE-2017-17789) CVE-2017-17789 Heap buffer
|
|
overflow...
|
|
|
|
... in PSP importer.
|
|
Check if declared block length is valid (i.e. within the actual file)
|
|
before going further.
|
|
Consider the file as broken otherwise and fail loading it.
|
|
|
|
(cherry picked from commit 28e95fbeb5720e6005a088fa811f5bf3c1af48b8)
|
|
---
|
|
plug-ins/common/file-psp.c | 9 +++++++++
|
|
1 file changed, 9 insertions(+)
|
|
|
|
diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
|
|
index ac0fff78f0..4cbafe37b1 100644
|
|
--- a/plug-ins/common/file-psp.c
|
|
+++ b/plug-ins/common/file-psp.c
|
|
@@ -1771,6 +1771,15 @@ load_image (const gchar *filename,
|
|
{
|
|
block_start = ftell (f);
|
|
|
|
+ if (block_start + block_total_len > st.st_size)
|
|
+ {
|
|
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
|
|
+ _("Could not open '%s' for reading: %s"),
|
|
+ gimp_filename_to_utf8 (filename),
|
|
+ _("invalid block size"));
|
|
+ goto error;
|
|
+ }
|
|
+
|
|
if (id == PSP_IMAGE_BLOCK)
|
|
{
|
|
if (block_number != 0)
|
|
--
|
|
2.15.1
|
|
|