media-gfx/gimp/files/gimp-2.9.4-CVE-2007-3126.patch

   1 From 46bcd82800e37b0f5aead76184430ef2fe802748 Mon Sep 17 00:00:00 2001
   2 From: Michael Natterer <mitch@gimp.org>
   3 Date: Sun, 6 Nov 2016 21:34:43 +0100
   4 Subject: Bug 773233 - CVE-2007-3126 - Gimp 2.3.14 allows context-dependent
   5  attackers...
   6
   7 ...to cause a denial of service (crash) via an ICO file with an
   8 InfoHeader containing a Height of zero
   9
  10 Add some error handling to ico-load.c and bail out on zero width or height
  11 icons. Also some formatting cleanup.
  12 ---
  13  plug-ins/file-ico/ico-load.c | 103 ++++++++++++++++++++++++++-----------------
  14  1 file changed, 62 insertions(+), 41 deletions(-)
  15
  16 diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c
  17 index c8091d3..8cce94f 100644
  18 --- a/plug-ins/file-ico/ico-load.c
  19 +++ b/plug-ins/file-ico/ico-load.c
  20 @@ -124,15 +124,17 @@ static guint32
  21  ico_read_init (FILE *fp)
  22  {
  23    IcoFileHeader header;
  24 +
  25    /* read and check file header */
  26 -  if (!ico_read_int16 (fp, &header.reserved, 1)
  27 -      || !ico_read_int16 (fp, &header.resource_type, 1)
  28 -      || !ico_read_int16 (fp, &header.icon_count, 1)
  29 -      || header.reserved != 0
  30 -      || header.resource_type != 1)
  31 +  if (! ico_read_int16 (fp, &header.reserved, 1)      ||
  32 +      ! ico_read_int16 (fp, &header.resource_type, 1) ||
  33 +      ! ico_read_int16 (fp, &header.icon_count, 1)    ||
  34 +      header.reserved != 0 ||
  35 +      header.resource_type != 1)
  36      {
  37        return 0;
  38      }
  39 +
  40    return header.icon_count;
  41  }
  42
  43 @@ -148,22 +150,25 @@ ico_read_size (FILE        *fp,
  44    gint32      color_type;
  45    guint32     magic;
  46
  47 -  if ( fseek (fp, info->offset, SEEK_SET) < 0 )
  48 +  if (fseek (fp, info->offset, SEEK_SET) < 0)
  49      return FALSE;
  50
  51    ico_read_int32 (fp, &magic, 1);
  52 +
  53    if (magic == ICO_PNG_MAGIC)
  54      {
  55        png_ptr = png_create_read_struct (PNG_LIBPNG_VER_STRING, NULL, NULL,
  56                                          NULL);
  57 -      if (! png_ptr )
  58 +      if (! png_ptr)
  59          return FALSE;
  60 +
  61        info_ptr = png_create_info_struct (png_ptr);
  62 -      if (! info_ptr )
  63 +      if (! info_ptr)
  64          {
  65            png_destroy_read_struct (&png_ptr, NULL, NULL);
  66            return FALSE;
  67          }
  68 +
  69        if (setjmp (png_jmpbuf (png_ptr)))
  70          {
  71            png_destroy_read_struct (&png_ptr, NULL, NULL);
  72 @@ -182,8 +187,8 @@ ico_read_size (FILE        *fp,
  73      }
  74    else if (magic == 40)
  75      {
  76 -      if (ico_read_int32 (fp, &info->width, 1)
  77 -          && ico_read_int32 (fp, &info->height, 1))
  78 +      if (ico_read_int32 (fp, &info->width, 1) &&
  79 +          ico_read_int32 (fp, &info->height, 1))
  80          {
  81            info->height /= 2;
  82            D(("ico_read_size: ICO: %ix%i\n", info->width, info->height));
  83 @@ -200,8 +205,9 @@ ico_read_size (FILE        *fp,
  84  }
  85
  86  static IcoLoadInfo*
  87 -ico_read_info (FILE *fp,
  88 -               gint  icon_count)
  89 +ico_read_info (FILE    *fp,
  90 +               gint     icon_count,
  91 +               GError **error)
  92  {
  93    gint            i;
  94    IcoFileEntry   *entries;
  95 @@ -209,8 +215,11 @@ ico_read_info (FILE *fp,
  96
  97    /* read icon entries */
  98    entries = g_new (IcoFileEntry, icon_count);
  99 -  if ( fread (entries, sizeof(IcoFileEntry), icon_count, fp) <= 0 )
 100 +  if (fread (entries, sizeof (IcoFileEntry), icon_count, fp) <= 0)
 101      {
 102 +      g_set_error (error, G_FILE_ERROR, 0,
 103 +                   _("Could not read '%lu' bytes"),
 104 +                   sizeof (IcoFileEntry));
 105        g_free (entries);
 106        return NULL;
 107      }
 108 @@ -218,23 +227,33 @@ ico_read_info (FILE *fp,
 109    info = g_new (IcoLoadInfo, icon_count);
 110    for (i = 0; i < icon_count; i++)
 111      {
 112 -      info[i].width = entries[i].width;
 113 +      info[i].width  = entries[i].width;
 114        info[i].height = entries[i].height;
 115 -      info[i].bpp = GUINT16_FROM_LE (entries[i].bpp);
 116 -      info[i].size = GUINT32_FROM_LE (entries[i].size);
 117 +      info[i].bpp    = GUINT16_FROM_LE (entries[i].bpp);
 118 +      info[i].size   = GUINT32_FROM_LE (entries[i].size);
 119        info[i].offset = GUINT32_FROM_LE (entries[i].offset);
 120
 121        if (info[i].width == 0 || info[i].height == 0)
 122          {
 123 -          ico_read_size (fp, info+i);
 124 +          ico_read_size (fp, info + i);
 125          }
 126
 127        D(("ico_read_info: %ix%i (%i bits, size: %i, offset: %i)\n",
 128           info[i].width, info[i].height, info[i].bpp,
 129           info[i].size, info[i].offset));
 130 +
 131 +      if (info[i].width == 0 || info[i].height == 0)
 132 +        {
 133 +          g_set_error (error, G_FILE_ERROR, 0,
 134 +                       _("Icon #%d has zero width or height"), i);
 135 +          g_free (info);
 136 +          g_free (entries);
 137 +          return NULL;
 138 +        }
 139      }
 140
 141    g_free (entries);
 142 +
 143    return info;
 144  }
 145
 146 @@ -256,10 +275,10 @@ ico_read_png (FILE    *fp,
 147    gint          i;
 148
 149    png_ptr = png_create_read_struct (PNG_LIBPNG_VER_STRING, NULL, NULL, NULL);
 150 -  if (! png_ptr )
 151 +  if (! png_ptr)
 152      return FALSE;
 153    info = png_create_info_struct (png_ptr);
 154 -  if (! info )
 155 +  if (! info)
 156      {
 157        png_destroy_read_struct (&png_ptr, NULL, NULL);
 158        return FALSE;
 159 @@ -287,14 +306,14 @@ ico_read_png (FILE    *fp,
 160      {
 161      case PNG_COLOR_TYPE_GRAY:
 162        png_set_expand_gray_1_2_4_to_8 (png_ptr);
 163 -      if ( bit_depth == 16 )
 164 +      if (bit_depth == 16)
 165          png_set_strip_16 (png_ptr);
 166        png_set_gray_to_rgb (png_ptr);
 167        png_set_add_alpha (png_ptr, 0xff, PNG_FILLER_AFTER);
 168        break;
 169      case PNG_COLOR_TYPE_GRAY_ALPHA:
 170        png_set_expand_gray_1_2_4_to_8 (png_ptr);
 171 -      if ( bit_depth == 16 )
 172 +      if (bit_depth == 16)
 173          png_set_strip_16 (png_ptr);
 174        png_set_gray_to_rgb (png_ptr);
 175        break;
 176 @@ -427,16 +446,18 @@ ico_read_icon (FILE    *fp,
 177       data.planes, data.image_size, data.bpp,
 178       data.used_clrs, data.important_clrs));
 179
 180 -  if (data.planes != 1
 181 -      || data.compression != 0)
 182 +  if (data.planes      != 1 ||
 183 +      data.compression != 0)
 184      {
 185        D(("skipping image: invalid header\n"));
 186        return FALSE;
 187      }
 188
 189 -  if (data.bpp != 1 && data.bpp != 4
 190 -      && data.bpp != 8 && data.bpp != 24
 191 -      && data.bpp != 32)
 192 +  if (data.bpp != 1  &&
 193 +      data.bpp != 4  &&
 194 +      data.bpp != 8  &&
 195 +      data.bpp != 24 &&
 196 +      data.bpp != 32)
 197      {
 198        D(("skipping image: invalid depth: %i\n", data.bpp));
 199        return FALSE;
 200 @@ -590,8 +611,8 @@ ico_load_layer (FILE        *fp,
 201    GeglBuffer *buffer;
 202    gchar       name[ICO_MAXBUF];
 203
 204 -  if ( fseek (fp, info->offset, SEEK_SET) < 0
 205 -       || !ico_read_int32 (fp, &first_bytes, 1) )
 206 +  if (fseek (fp, info->offset, SEEK_SET) < 0 ||
 207 +      ! ico_read_int32 (fp, &first_bytes, 1))
 208      return -1;
 209
 210    if (first_bytes == ICO_PNG_MAGIC)
 211 @@ -643,7 +664,7 @@ ico_load_image (const gchar  *filename,
 212                               gimp_filename_to_utf8 (filename));
 213
 214    fp = g_fopen (filename, "rb");
 215 -  if (! fp )
 216 +  if (! fp)
 217      {
 218        g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno),
 219                     _("Could not open '%s' for reading: %s"),
 220 @@ -658,8 +679,8 @@ ico_load_image (const gchar  *filename,
 221        return -1;
 222      }
 223
 224 -  info = ico_read_info (fp, icon_count);
 225 -  if (!info)
 226 +  info = ico_read_info (fp, icon_count, error);
 227 +  if (! info)
 228      {
 229        fclose (fp);
 230        return -1;
 231 @@ -670,12 +691,12 @@ ico_load_image (const gchar  *filename,
 232    max_height = 0;
 233    for (i = 0; i < icon_count; i++)
 234      {
 235 -      if ( info[i].width > max_width )
 236 +      if (info[i].width > max_width)
 237          max_width = info[i].width;
 238 -      if ( info[i].height > max_height )
 239 +      if (info[i].height > max_height)
 240          max_height = info[i].height;
 241      }
 242 -  if ( max_width <= 0 || max_height <= 0 )
 243 +  if (max_width <= 0 || max_height <= 0)
 244      {
 245        g_free (info);
 246        fclose (fp);
 247 @@ -721,7 +742,7 @@ ico_load_thumbnail_image (const gchar  *filename,
 248                               gimp_filename_to_utf8 (filename));
 249
 250    fp = g_fopen (filename, "rb");
 251 -  if (! fp )
 252 +  if (! fp)
 253      {
 254        g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno),
 255                     _("Could not open '%s' for reading: %s"),
 256 @@ -730,7 +751,7 @@ ico_load_thumbnail_image (const gchar  *filename,
 257      }
 258
 259    icon_count = ico_read_init (fp);
 260 -  if (! icon_count )
 261 +  if (! icon_count)
 262      {
 263        fclose (fp);
 264        return -1;
 265 @@ -739,8 +760,8 @@ ico_load_thumbnail_image (const gchar  *filename,
 266    D(("*** %s: Microsoft icon file, containing %i icon(s)\n",
 267       filename, icon_count));
 268
 269 -  info = ico_read_info (fp, icon_count);
 270 -  if (! info )
 271 +  info = ico_read_info (fp, icon_count, error);
 272 +  if (! info)
 273      {
 274        fclose (fp);
 275        return -1;
 276 @@ -758,9 +779,9 @@ ico_load_thumbnail_image (const gchar  *filename,
 277
 278            match = i;
 279          }
 280 -      else if ( w == info[i].width
 281 -                && h == info[i].height
 282 -                && info[i].bpp > bpp )
 283 +      else if (w == info[i].width  &&
 284 +               h == info[i].height &&
 285 +               info[i].bpp > bpp)
 286          {
 287            /* better quality */
 288            bpp = info[i].bpp;
 289 --
 290 cgit v0.12
 291