• Shmuel H's avatar
    Bug 767873 - (CVE-2016-4994) Multiple Use-After-Free when parsing... · e82aaa4b
    Shmuel H authored
    ...XCF channel and layer properties
    PROP_ACTIVE_CHANNEL saves the current object pointer the @info
    structure. Others like PROP_SELECTION (for channel) and
    PROP_GROUP_ITEM (for layer) will delete the current object and create
    a new object, leaving the pointers in @info invalid (dangling).
    Therefore, if a property from the first type will come before the
    second, the result will be an UaF in the last lines of xcf_load_image
    (when it actually using the pointers from @info).
    I wasn't able to exploit this bug because that
    g_object_instance->c_class gets cleared by the last g_object_unref and
    GIMP_IS_{LAYER,CHANNEL} detects that and return FALSE.
    (cherry picked from commit 6d804bf9)
xcf-load.c 61.1 KB