Package: gdk-pixbuf / 2.36.5-2+deb9u2

CVE-2017-2862.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
Backport of c2a40a92fe3df4111ed9da51fe3368c079b86926 and
6dd89e126a277460faafc1f679db44ccf78446fb

--- gdk-pixbuf-2.36.5.orig/gdk-pixbuf/io-jpeg.c
+++ gdk-pixbuf-2.36.5/gdk-pixbuf/io-jpeg.c
@@ -1026,6 +1026,7 @@ gdk_pixbuf__jpeg_image_load_increment (g
 		/* try to load jpeg header */
 		if (!context->got_header) {
 			int rc;
+			gboolean has_alpha;
 		
 			jpeg_save_markers (cinfo, JPEG_APP0+1, 0xffff);
 			jpeg_save_markers (cinfo, JPEG_APP0+2, 0xffff);
@@ -1063,10 +1064,27 @@ gdk_pixbuf__jpeg_image_load_increment (g
 				}
 			}
 			jpeg_calc_output_dimensions (cinfo);
-			
-			context->pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB, 
-							  cinfo->output_components == 4 ? TRUE : FALSE,
-							  8, 
+
+			if (cinfo->output_components == 3) {
+				has_alpha = FALSE;
+			} else if (cinfo->output_components == 4) {
+				has_alpha = TRUE;
+			} else if (cinfo->output_components == 1 &&
+				   cinfo->out_color_space == JCS_GRAYSCALE) {
+				has_alpha = FALSE;
+			} else {
+				g_set_error (error,
+					     GDK_PIXBUF_ERROR,
+					     GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+					     _("Unsupported number of color components (%d)"),
+					     cinfo->output_components);
+				retval = FALSE;
+				goto out;
+			}
+
+			context->pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB,
+							  has_alpha,
+							  8,
 							  cinfo->output_width,
 							  cinfo->output_height);