1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
|
From: Benjamin Gilbert <bgilbert@backtick.net>
Date: Tue, 30 Apr 2024 08:17:25 -0500
Subject: ANI: Validate anih chunk size
Origin: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/91b8aa5cd8a0eea28acb51f0e121827ca2e7eb78
Before reading a chunk, we verify that enough bytes are available to match
the chunk size declared by the file. However, uniquely, the anih chunk
loader doesn't verify that this size matches the number of bytes it
actually intends to read. Thus, if the chunk size is too small and the
file ends in the middle of the chunk, we populate some context fields with
stack garbage. (But we'd still fail later on because the file doesn't
contain any images.) Fix this.
---
gdk-pixbuf/io-ani.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
index 8e8414117c3a..cfafd7b1961b 100644
--- a/gdk-pixbuf/io-ani.c
+++ b/gdk-pixbuf/io-ani.c
@@ -295,6 +295,14 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
if (context->chunk_id == TAG_anih)
{
+ if (context->chunk_size < 36)
+ {
+ g_set_error_literal (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Malformed chunk in animation"));
+ return FALSE;
+ }
if (context->animation)
{
g_set_error_literal (error,
--
2.45.1
|
