Commit 210b1639 authored by Bastien Nocera's avatar Bastien Nocera

icns: Protect against too short blocklen (CVE-2017-6313)

The blocklen needs to be at least header sized to be valid, otherwise we
can underflow picture data or mask data lengths.

https://bugzilla.gnome.org/show_bug.cgi?id=779016
parent 1e513abd
......@@ -95,7 +95,8 @@ load_resources (unsigned size, IN gpointer data, gsize datalen,
blocklen = GUINT32_FROM_BE (header->size);
/* Check that blocklen isn't garbage */
if (blocklen > icnslen - (current - bytes))
if (blocklen > icnslen - (current - bytes) ||
blocklen < sizeof (IcnsBlockHeader))
return FALSE;
switch (size)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment