packages/gdk-pixbuf2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2021-46829

Browse Source
This commit is contained in:
wangkerong 2022-08-25 15:52:35 +08:00
parent 911e0704e0
commit 88f20277f5
2 changed files with 66 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
backport-CVE-2021-46829.patch Normal file
View File

@ -0,0 +1,61 @@
From 6976bdc8ee9dd2c2954f91066f7b0f643769a379 Mon Sep 17 00:00:00 2001
From: Robert Ancell <robert.ancell@canonical.com>
Date: Thu, 3 Jun 2021 11:05:56 +1200
Subject: [PATCH] gif: Check for overflow when compositing or clearing frames.
Fixes: #190
Similar to fix in 086e8adf4cc352cd11572f96066b001b545f354e
---
gdk-pixbuf/io-gif-animation.c | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/gdk-pixbuf/io-gif-animation.c b/gdk-pixbuf/io-gif-animation.c
index 8335cdd76..71d9265e6 100644
--- a/gdk-pixbuf/io-gif-animation.c
+++ b/gdk-pixbuf/io-gif-animation.c
@@ -369,7 +369,7 @@ composite_frame (GdkPixbufGifAnim *anim, GdkPixbufFrame *frame)
for (i = 0; i < n_indexes; i++) {
guint8 index = index_buffer[i];
guint x, y;
- int offset;
+ gsize offset;
if (index == frame->transparent_index)
continue;
@@ -379,11 +379,13 @@ composite_frame (GdkPixbufGifAnim *anim, GdkPixbufFrame *frame)
if (x >= anim->width || y >= anim->height)
continue;
- offset = y * gdk_pixbuf_get_rowstride (anim->last_frame_data) + x * 4;
- pixels[offset + 0] = frame->color_map[index * 3 + 0];
- pixels[offset + 1] = frame->color_map[index * 3 + 1];
- pixels[offset + 2] = frame->color_map[index * 3 + 2];
- pixels[offset + 3] = 255;
+ if (g_size_checked_mul (&offset, gdk_pixbuf_get_rowstride (anim->last_frame_data), y) &&
+ g_size_checked_add (&offset, offset, x * 4)) {
+ pixels[offset + 0] = frame->color_map[index * 3 + 0];
+ pixels[offset + 1] = frame->color_map[index * 3 + 1];
+ pixels[offset + 2] = frame->color_map[index * 3 + 2];
+ pixels[offset + 3] = 255;
+ }
}
out:
@@ -448,8 +450,11 @@ gdk_pixbuf_gif_anim_iter_get_pixbuf (GdkPixbufAnimationIter *anim_iter)
x_end = MIN (anim->last_frame->x_offset + anim->last_frame->width, anim->width);
y_end = MIN (anim->last_frame->y_offset + anim->last_frame->height, anim->height);
for (y = anim->last_frame->y_offset; y < y_end; y++) {
- guchar *line = pixels + y * gdk_pixbuf_get_rowstride (anim->last_frame_data) + anim->last_frame->x_offset * 4;
- memset (line, 0, (x_end - anim->last_frame->x_offset) * 4);
+ gsize offset;
+ if (g_size_checked_mul (&offset, gdk_pixbuf_get_rowstride (anim->last_frame_data), y) &&
+ g_size_checked_add (&offset, offset, anim->last_frame->x_offset * 4)) {
+ memset (pixels + offset, 0, (x_end - anim->last_frame->x_offset) * 4);
+ }
}
break;
case GDK_PIXBUF_FRAME_REVERT:
--
GitLab

6
gdk-pixbuf2.spec
View File

@ -1,6 +1,6 @@
Name: gdk-pixbuf2
Version: 2.40.0
Release: 2
Release: 3
Summary: gdk is a multi-platform toolkit for creating graphical user interfaces.
License: LGPLv2+
@ -9,6 +9,7 @@ Source0: http://download.gnome.org/sources/gdk-pixbuf/2.40/gdk-pixbuf-%{v
Patch0001: backport-CVE-2021-20240.patch
Patch0002: backport-CVE-2020-29385.patch
Patch0003: backport-CVE-2021-46829.patch
BuildRequires: gettext gtk-doc pkgconfig(gio-2.0) >= 2.48.0 libpng-devel libjpeg-devel libtiff-devel shared-mime-info
BuildRequires: meson pkgconfig(x11) pkgconfig(gobject-introspection-1.0) >= 0.9.3 gobject-introspection-devel libxslt gdb
@ -98,6 +99,9 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache
%{_mandir}/man1/gdk-pixbuf-csource.1*
%changelog
* Thu Aug 25 2022 wangkerong <wangkerong@h-partners.com> - 2.40.0-3
- fix CVE-2021-46829
* Tue Jul 19 2022 zhouwenpei <zhouwenpei@h-partners.com> - 2.40.0-2
- fix CVE-2021-20240 and CVE-2020-29385