| 1 |
luigiwalser |
1188362 |
From: Jehan <jehan@girinstud.io> |
| 2 |
|
|
Date: Wed, 20 Dec 2017 13:02:38 +0100 |
| 3 |
|
|
Subject: Bug 739134 - (CVE-2017-17786) Out of bounds read / heap overflow |
| 4 |
|
|
in... |
| 5 |
|
|
MIME-Version: 1.0 |
| 6 |
|
|
Content-Type: text/plain; charset=UTF-8 |
| 7 |
|
|
Content-Transfer-Encoding: 8bit |
| 8 |
|
|
Origin: https://git.gnome.org/browse/GIMP/commit/?id=ef9c821fff8b637a2178eab1c78cae6764c50e12 |
| 9 |
|
|
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-17786 |
| 10 |
|
|
Bug-Debian: https://bugs.debian.org/884862 |
| 11 |
|
|
Bug: https://bugzilla.gnome.org/show_bug.cgi?id=739134 |
| 12 |
|
|
|
| 13 |
|
|
... TGA importer. |
| 14 |
|
|
|
| 15 |
|
|
Be more thorough on valid TGA RGB and RGBA images. |
| 16 |
|
|
In particular current TGA plug-in can import RGBA as 32 bits (8 bits per |
| 17 |
|
|
channel) and 16 bits (5 bits per color channel and 1 bit for alpha), and |
| 18 |
|
|
RGB as 15 and 24 bits. |
| 19 |
|
|
Maybe there exist more variants, but if they do exist, we simply don't |
| 20 |
|
|
support them yet. |
| 21 |
|
|
|
| 22 |
|
|
Thanks to Hanno Böck for the report and a first patch attempt. |
| 23 |
|
|
|
| 24 |
|
|
(cherry picked from commit 674b62ad45b6579ec6d7923dc3cb1ef4e8b5498b) |
| 25 |
|
|
--- |
| 26 |
|
|
plug-ins/common/file-tga.c | 12 ++++++++---- |
| 27 |
|
|
1 file changed, 8 insertions(+), 4 deletions(-) |
| 28 |
|
|
|
| 29 |
|
|
diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c |
| 30 |
|
|
index aef98702d4..426acc2925 100644 |
| 31 |
|
|
--- a/plug-ins/common/file-tga.c |
| 32 |
|
|
+++ b/plug-ins/common/file-tga.c |
| 33 |
|
|
@@ -564,12 +564,16 @@ load_image (const gchar *filename, |
| 34 |
|
|
} |
| 35 |
|
|
break; |
| 36 |
|
|
case TGA_TYPE_COLOR: |
| 37 |
|
|
- if (info.bpp != 15 && info.bpp != 16 && |
| 38 |
|
|
- info.bpp != 24 && info.bpp != 32) |
| 39 |
|
|
+ if ((info.bpp != 15 && info.bpp != 16 && |
| 40 |
|
|
+ info.bpp != 24 && info.bpp != 32) || |
| 41 |
|
|
+ ((info.bpp == 15 || info.bpp == 24) && |
| 42 |
|
|
+ info.alphaBits != 0) || |
| 43 |
|
|
+ (info.bpp == 16 && info.alphaBits != 1) || |
| 44 |
|
|
+ (info.bpp == 32 && info.alphaBits != 8)) |
| 45 |
|
|
{ |
| 46 |
|
|
- g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u)", |
| 47 |
|
|
+ g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u, alpha = %u)", |
| 48 |
|
|
gimp_filename_to_utf8 (filename), |
| 49 |
|
|
- info.imageType, info.bpp); |
| 50 |
|
|
+ info.imageType, info.bpp, info.alphaBits); |
| 51 |
|
|
return -1; |
| 52 |
|
|
} |
| 53 |
|
|
break; |
| 54 |
|
|
-- |
| 55 |
|
|
2.15.1 |
| 56 |
|
|
|
Parent Directory
| 
Revision Log