Commit 679ecb80 authored by Tobias Stoeckmann's avatar Tobias Stoeckmann Committed by Ell

Bug 789436 - Fix out of boundary write in file-xmc.c.

A malicious XMC file can contain an invalid TOC count, which could lead
to an out of boundary write on 32 bit systems due to integer overflow.

This error occurs during thumbnail creation.
Signed-off-by: Tobias Stoeckmann's avatarTobias Stoeckmann <tobias@stoeckmann.org>
(cherry picked from commit 9a073508)
parent e1c54f68
......@@ -858,6 +858,13 @@ load_thumbnail (const gchar *filename, gint32 thumb_size,
fseek (fp, 12, SEEK_SET);
/* read the number of chunks */
ntoc = READ32 (fp, error)
if (ntoc > (G_MAXINT32 / sizeof (guint32)))
{
g_set_error (error, 0, 0,
"'%s' seems to have an incorrect toc size.",
gimp_filename_to_utf8 (filename));
return -1;
}
positions = g_malloc (ntoc * sizeof (guint32));
/* enter list of toc(table of contents) */
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment