~ubuntu-branches/ubuntu/raring/gimp/raring-updates

« back to all changes in this revision

Viewing changes to debian/patches/CVE-2013-1913.patch

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2013-12-06 13:26:35 UTC
  • Revision ID: package-import@ubuntu.com-20131206132635-qpa5qocyku0xtpey
Tags: 2.8.4-1ubuntu1.1
* SECURITY UPDATE: denial of service and possible code execution via
  huge color maps in xwd plugin
  - debian/patches/CVE-2013-1913.patch: limit number of color map entries
    in plug-ins/common/file-xwd.c.
  - CVE-2013-1913
* SECURITY UPDATE: denial of service and possible code execution via
  large number of color map entries in xwd plugin
  - debian/patches/CVE-2013-1978.patch: validate number of color map
    entries in plug-ins/common/file-xwd.c
  - CVE-2013-1978

Show diffs side-by-side

added added

removed removed

Lines of Context:
 
1
From 32ae0f83e5748299641cceaabe3f80f1b3afd03e Mon Sep 17 00:00:00 2001
 
2
From: Nils Philippsen <nils@redhat.com>
 
3
Date: Thu, 14 Nov 2013 13:29:01 +0000
 
4
Subject: file-xwd: sanity check colormap size (CVE-2013-1913)
 
5
 
 
6
---
 
7
Index: gimp-2.8.6/plug-ins/common/file-xwd.c
 
8
===================================================================
 
9
--- gimp-2.8.6.orig/plug-ins/common/file-xwd.c  2013-12-06 13:16:41.718812351 -0500
 
10
+++ gimp-2.8.6/plug-ins/common/file-xwd.c       2013-12-06 13:16:41.714812331 -0500
 
11
@@ -459,6 +459,17 @@
 
12
   /* Position to start of XWDColor structures */
 
13
   fseek (ifp, (long)xwdhdr.l_header_size, SEEK_SET);
 
14
 
 
15
+  /* Guard against insanely huge color maps -- gimp_image_set_colormap() only
 
16
+   * accepts colormaps with 0..256 colors anyway. */
 
17
+  if (xwdhdr.l_colormap_entries > 256)
 
18
+    {
 
19
+      g_message (_("'%s':\nIllegal number of colormap entries: %ld"),
 
20
+                 gimp_filename_to_utf8 (filename),
 
21
+                 (long)xwdhdr.l_colormap_entries);
 
22
+      fclose (ifp);
 
23
+      return -1;
 
24
+    }
 
25
+
 
26
   if (xwdhdr.l_colormap_entries > 0)
 
27
     {
 
28
       xwdcolmap = g_new (L_XWDCOLOR, xwdhdr.l_colormap_entries);