Commit dec9ca22 authored by Dhiru Kholia, committed by Bastien Nocera

ico: Fix potential integer overflow

Which relies on undefined behaviour. Instead of checking for an
overflowed integer after the fact, check whether the addition would
be possible at all.

Fixes: CVE-2017-6312

https://bugzilla.gnome.org/show_bug.cgi?id=779012
parent ce52cefb
......@@ -333,10 +333,8 @@ static void DecodeHeader(guchar *Data, gint Bytes,
for (l = State->entries; l != NULL; l = g_list_next (l)) {
entry = l->data;
/* We know how many bytes are in the "header" part. */
State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE;
if (State->HeaderSize < 0) {
/* Avoid invoking undefined behavior in the State->HeaderSize calculation below */
if (entry->DIBoffset > G_MAXINT - INFOHEADER_SIZE) {
g_set_error (error,
GDK_PIXBUF_ERROR,
GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
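Review bot: The new guard, if (entry->DIBoffset > G_MAXINT - INFOHEADER_SIZE), only covers the upper bound, while the removed test, if (State->HeaderSize < 0), also rejected any negative result. The type of DIBoffset is not visible in this hunk; if it is a signed integer filled from the file, a negative offset no longer trips an error here and produces a small or negative HeaderSize. Either add entry->DIBoffset < 0 || to the condition or note in the comment where negative offsets are rejected earlier.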
......@@ -344,6 +342,9 @@ static void DecodeHeader(guchar *Data, gint Bytes,
return;
}
/* We know how many bytes are in the "header" part. */
State->HeaderSize = entry->DIBoffset + INFOHEADER_SIZE;
if (State->HeaderSize>State->BytesInHeaderBuf) {
guchar *tmp=g_try_realloc(State->HeaderBuf,State->HeaderSize);
if (!tmp) {
......
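Review bot: The size passed to g_try_realloc(State->HeaderBuf, State->HeaderSize) is still bounded only by G_MAXINT, because the check above accepts any DIBoffset up to G_MAXINT - INFOHEADER_SIZE. The !tmp branch handles allocation failure, but an offset taken from the image can still request an allocation close to 2 GiB that succeeds. Consider rejecting offsets beyond a sane maximum (or beyond the data actually available) before computing State->HeaderSize, and document that limit next to the overflow comment.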