Commit 9a073508 authored by Tobias Stoeckmann's avatar Tobias Stoeckmann Committed by Ell

Bug 789436 - Fix out of boundary write in file-xmc.c.

A malicious XMC file can contain an invalid TOC count, which could lead
to an out of boundary write on 32 bit systems due to integer overflow.

This error occurs during thumbnail creation.
Signed-off-by: Tobias Stoeckmann's avatarTobias Stoeckmann <tobias@stoeckmann.org>
parent 7a4d5385
......@@ -857,6 +857,13 @@ load_thumbnail (const gchar *filename,
fseek (fp, 12, SEEK_SET);
/* read the number of chunks */
ntoc = READ32 (fp, error)
if (ntoc > (G_MAXINT32 / sizeof (guint32)))
{
g_set_error (error, 0, 0,
"'%s' seems to have an incorrect toc size.",
gimp_filename_to_utf8 (filename));
return -1;
}
positions = g_malloc (ntoc * sizeof (guint32));
/* enter list of toc(table of contents) */
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment