mirror of
https://git.yoctoproject.org/poky
synced 2026-04-21 03:32:12 +02:00
gdk-pixbuf: CVE-2021-46829 a heap-based buffer overflow
Source: https://gitlab.gnome.org/GNOME/gdk-pixbuf
MR: 120380
Type: Security Fix
Disposition: Backport from 5398f04d77
ChangeID: d8a843bcf97268ee4f0c6870f1339790a9a908e5
Description:
CVE-2021-46829 gdk-pixbuf: a heap-based buffer overflow when compositing or clearing frames in GIF files.
(From OE-Core rev: ef3f5fba3c3b5e8b16d6b8b7721468e61c65f72f)
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Hitendra Prajapati
committed by
Richard Purdie
Richard Purdie
parent
820e8891b8
commit
c35c1e15f0
@@ -0,0 +1,61 @@
|
||||
From bdf3a2630c02a63803309cf0ad4b274234c814ce Mon Sep 17 00:00:00 2001
|
||||
From: Hitendra Prajapati <hprajapati@mvista.com>
|
||||
Date: Tue, 9 Aug 2022 09:45:42 +0530
|
||||
Subject: [PATCH] CVE-2021-46829
|
||||
|
||||
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/5398f04d772f7f8baf5265715696ed88db0f0512]
|
||||
CVE: CVE-2021-46829
|
||||
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
|
||||
---
|
||||
gdk-pixbuf/io-gif-animation.c | 21 +++++++++++++--------
|
||||
1 file changed, 13 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/gdk-pixbuf/io-gif-animation.c b/gdk-pixbuf/io-gif-animation.c
|
||||
index d742963..9544391 100644
|
||||
--- a/gdk-pixbuf/io-gif-animation.c
|
||||
+++ b/gdk-pixbuf/io-gif-animation.c
|
||||
@@ -364,7 +364,7 @@ composite_frame (GdkPixbufGifAnim *anim, GdkPixbufFrame *frame)
|
||||
for (i = 0; i < n_indexes; i++) {
|
||||
guint8 index = index_buffer[i];
|
||||
guint x, y;
|
||||
- int offset;
|
||||
+ gsize offset;
|
||||
|
||||
if (index == frame->transparent_index)
|
||||
continue;
|
||||
@@ -374,11 +374,13 @@ composite_frame (GdkPixbufGifAnim *anim, GdkPixbufFrame *frame)
|
||||
if (x >= anim->width || y >= anim->height)
|
||||
continue;
|
||||
|
||||
- offset = y * gdk_pixbuf_get_rowstride (anim->last_frame_data) + x * 4;
|
||||
- pixels[offset + 0] = frame->color_map[index * 3 + 0];
|
||||
- pixels[offset + 1] = frame->color_map[index * 3 + 1];
|
||||
- pixels[offset + 2] = frame->color_map[index * 3 + 2];
|
||||
- pixels[offset + 3] = 255;
|
||||
+ if (g_size_checked_mul (&offset, gdk_pixbuf_get_rowstride (anim->last_frame_data), y) &&
|
||||
+ g_size_checked_add (&offset, offset, x * 4)) {
|
||||
+ pixels[offset + 0] = frame->color_map[index * 3 + 0];
|
||||
+ pixels[offset + 1] = frame->color_map[index * 3 + 1];
|
||||
+ pixels[offset + 2] = frame->color_map[index * 3 + 2];
|
||||
+ pixels[offset + 3] = 255;
|
||||
+ }
|
||||
}
|
||||
|
||||
out:
|
||||
@@ -443,8 +445,11 @@ gdk_pixbuf_gif_anim_iter_get_pixbuf (GdkPixbufAnimationIter *anim_iter)
|
||||
x_end = MIN (anim->last_frame->x_offset + anim->last_frame->width, anim->width);
|
||||
y_end = MIN (anim->last_frame->y_offset + anim->last_frame->height, anim->height);
|
||||
for (y = anim->last_frame->y_offset; y < y_end; y++) {
|
||||
- guchar *line = pixels + y * gdk_pixbuf_get_rowstride (anim->last_frame_data) + anim->last_frame->x_offset * 4;
|
||||
- memset (line, 0, (x_end - anim->last_frame->x_offset) * 4);
|
||||
+ gsize offset;
|
||||
+ if (g_size_checked_mul (&offset, gdk_pixbuf_get_rowstride (anim->last_frame_data), y) &&
|
||||
+ g_size_checked_add (&offset, offset, anim->last_frame->x_offset * 4)) {
|
||||
+ memset (pixels + offset, 0, (x_end - anim->last_frame->x_offset) * 4);
|
||||
+ }
|
||||
}
|
||||
break;
|
||||
case GDK_PIXBUF_FRAME_REVERT:
|
||||
--
|
||||
2.25.1
|
||||
|
||||
@@ -26,6 +26,7 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \
|
||||
file://missing-test-data.patch \
|
||||
file://CVE-2020-29385.patch \
|
||||
file://CVE-2021-20240.patch \
|
||||
file://CVE-2021-46829.patch \
|
||||
"
|
||||
|
||||
SRC_URI_append_class-target = " \
|
||||
|
||||
Reference in New Issue
Block a user