mirror of
https://git.yoctoproject.org/poky
synced 2026-01-29 21:08:42 +01:00
gdk-pixbuf: fix CVE-2025-7345
A flaw exists in gdk‑pixbuf within the gdk_pixbuf__jpeg_image_load_increment function (io-jpeg.c) and in glib’s g_base64_encode_step (glib/gbase64.c). When processing maliciously crafted JPEG images, a heap buffer overflow can occur during Base64 encoding, allowing out-of-bounds reads from heap memory, potentially causing application crashes or arbitrary code execution. (From OE-Core rev: 78a52a7feb995b4ab4f4df6b16feaac60f6ad59b) Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Archana Polampalli
committed by
Steve Sakoman
Steve Sakoman
parent
83ba977250
commit
c172c46096
55
meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-7345.patch
Normal file
55
meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2025-7345.patch
Normal file
@@ -0,0 +1,55 @@
|
|||||||
|
From 4af78023ce7d3b5e3cec422a59bb4f48fa4f5886 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Matthias Clasen <mclasen@redhat.com>
|
||||||
|
Date: Fri, 11 Jul 2025 11:02:05 -0400
|
||||||
|
Subject: [PATCH] jpeg: Be more careful with chunked icc data
|
||||||
|
|
||||||
|
We we inadvertendly trusting the sequence numbers not to lie.
|
||||||
|
If they do we would report a larger data size than we actually
|
||||||
|
allocated, leading to out of bounds memory access in base64
|
||||||
|
encoding later on.
|
||||||
|
|
||||||
|
This has been assigned CVE-2025-7345.
|
||||||
|
|
||||||
|
Fixes: #249
|
||||||
|
|
||||||
|
CVE: CVE-2025-7345
|
||||||
|
|
||||||
|
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/4af78023ce7d3b5e3cec422a59bb4f48fa4f5886]
|
||||||
|
|
||||||
|
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
|
||||||
|
---
|
||||||
|
gdk-pixbuf/io-jpeg.c | 8 ++++++--
|
||||||
|
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
|
||||||
|
index 3841fc0..9ee1d21 100644
|
||||||
|
--- a/gdk-pixbuf/io-jpeg.c
|
||||||
|
+++ b/gdk-pixbuf/io-jpeg.c
|
||||||
|
@@ -356,6 +356,7 @@ jpeg_parse_exif_app2_segment (JpegExifContext *context, jpeg_saved_marker_ptr ma
|
||||||
|
context->icc_profile = g_new (gchar, chunk_size);
|
||||||
|
/* copy the segment data to the profile space */
|
||||||
|
memcpy (context->icc_profile, marker->data + 14, chunk_size);
|
||||||
|
+ ret = TRUE;
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -377,12 +378,15 @@ jpeg_parse_exif_app2_segment (JpegExifContext *context, jpeg_saved_marker_ptr ma
|
||||||
|
/* copy the segment data to the profile space */
|
||||||
|
memcpy (context->icc_profile + offset, marker->data + 14, chunk_size);
|
||||||
|
|
||||||
|
- /* it's now this big plus the new data we've just copied */
|
||||||
|
- context->icc_profile_size += chunk_size;
|
||||||
|
+ context->icc_profile_size = MAX (context->icc_profile_size, offset + chunk_size);
|
||||||
|
|
||||||
|
/* success */
|
||||||
|
ret = TRUE;
|
||||||
|
out:
|
||||||
|
+ if (!ret) {
|
||||||
|
+ g_free (context->icc_profile);
|
||||||
|
+ context->icc_profile = NULL;
|
||||||
|
+ }
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.40.0
|
||||||
@@ -20,6 +20,7 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \
|
|||||||
file://run-ptest \
|
file://run-ptest \
|
||||||
file://fatal-loader.patch \
|
file://fatal-loader.patch \
|
||||||
file://0001-meson.build-allow-a-subset-of-tests-in-cross-compile.patch \
|
file://0001-meson.build-allow-a-subset-of-tests-in-cross-compile.patch \
|
||||||
|
file://CVE-2025-7345.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRC_URI[sha256sum] = "b9505b3445b9a7e48ced34760c3bcb73e966df3ac94c95a148cb669ab748e3c7"
|
SRC_URI[sha256sum] = "b9505b3445b9a7e48ced34760c3bcb73e966df3ac94c95a148cb669ab748e3c7"
|
||||||
|
|||||||
Reference in New Issue
Block a user