Skip to content
Snippets Groups Projects
Commit c35c1e15 authored by Hitendra Prajapati's avatar Hitendra Prajapati Committed by Richard Purdie
Browse files

gdk-pixbuf: CVE-2021-46829 a heap-based buffer overflow 

Source: https://gitlab.gnome.org/GNOME/gdk-pixbuf
MR: 120380
Type: Security Fix
Disposition: Backport from https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/5398f04d772f7f8baf5265715696ed88db0f0512


ChangeID: d8a843bcf97268ee4f0c6870f1339790a9a908e5
Description:
         CVE-2021-46829 gdk-pixbuf: a heap-based buffer overflow when compositing or clearing frames in GIF files.

(From OE-Core rev: ef3f5fba3c3b5e8b16d6b8b7721468e61c65f72f)

Signed-off-by: default avatarHitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: default avatarSteve Sakoman <steve@sakoman.com>
Signed-off-by: default avatarRichard Purdie <richard.purdie@linuxfoundation.org>
parent 820e8891
No related branches found
Tags
No related merge requests found
Show whitespace changes
Inline Side-by-side
meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-46829.patch 0 → 100644
+ 61
0
View file @ c35c1e15
From bdf3a2630c02a63803309cf0ad4b274234c814ce Mon Sep 17 00:00:00 2001
From: Hitendra Prajapati <hprajapati@mvista.com>
Date: Tue, 9 Aug 2022 09:45:42 +0530
Subject: [PATCH] CVE-2021-46829
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/5398f04d772f7f8baf5265715696ed88db0f0512]
CVE: CVE-2021-46829
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
gdk-pixbuf/io-gif-animation.c | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/gdk-pixbuf/io-gif-animation.c b/gdk-pixbuf/io-gif-animation.c
index d742963..9544391 100644
--- a/gdk-pixbuf/io-gif-animation.c
+++ b/gdk-pixbuf/io-gif-animation.c
@@ -364,7 +364,7 @@ composite_frame (GdkPixbufGifAnim *anim, GdkPixbufFrame *frame)
for (i = 0; i < n_indexes; i++) {
guint8 index = index_buffer[i];
guint x, y;
- int offset;
+ gsize offset;
if (index == frame->transparent_index)
continue;
@@ -374,11 +374,13 @@ composite_frame (GdkPixbufGifAnim *anim, GdkPixbufFrame *frame)
if (x >= anim->width || y >= anim->height)
continue;
- offset = y * gdk_pixbuf_get_rowstride (anim->last_frame_data) + x * 4;
- pixels[offset + 0] = frame->color_map[index * 3 + 0];
- pixels[offset + 1] = frame->color_map[index * 3 + 1];
- pixels[offset + 2] = frame->color_map[index * 3 + 2];
- pixels[offset + 3] = 255;
+ if (g_size_checked_mul (&offset, gdk_pixbuf_get_rowstride (anim->last_frame_data), y) &&
+ g_size_checked_add (&offset, offset, x * 4)) {
+ pixels[offset + 0] = frame->color_map[index * 3 + 0];
+ pixels[offset + 1] = frame->color_map[index * 3 + 1];
+ pixels[offset + 2] = frame->color_map[index * 3 + 2];
+ pixels[offset + 3] = 255;
+ }
}
out:
@@ -443,8 +445,11 @@ gdk_pixbuf_gif_anim_iter_get_pixbuf (GdkPixbufAnimationIter *anim_iter)
x_end = MIN (anim->last_frame->x_offset + anim->last_frame->width, anim->width);
y_end = MIN (anim->last_frame->y_offset + anim->last_frame->height, anim->height);
for (y = anim->last_frame->y_offset; y < y_end; y++) {
- guchar *line = pixels + y * gdk_pixbuf_get_rowstride (anim->last_frame_data) + anim->last_frame->x_offset * 4;
- memset (line, 0, (x_end - anim->last_frame->x_offset) * 4);
+ gsize offset;
+ if (g_size_checked_mul (&offset, gdk_pixbuf_get_rowstride (anim->last_frame_data), y) &&
+ g_size_checked_add (&offset, offset, anim->last_frame->x_offset * 4)) {
+ memset (pixels + offset, 0, (x_end - anim->last_frame->x_offset) * 4);
+ }
}
break;
case GDK_PIXBUF_FRAME_REVERT:
--
2.25.1
meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb
+ 1
0
View file @ c35c1e15
......@@ -26,6 +26,7 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \
file://missing-test-data.patch \
file://CVE-2020-29385.patch \
file://CVE-2021-20240.patch \
file://CVE-2021-46829.patch \
"
SRC_URI_append_class-target = " \
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment