fix CVE-2022-48622

2024-09-13 11:11:23 +00:00 · 2024-09-13 11:11:23 +00:00 · cea7e567c3
commit cea7e567c3
parent c12f505ae5
2 changed files with 120 additions and 1 deletions
--- a/backport-CVE-2022-48622.patch
+++ b/backport-CVE-2022-48622.patch
@ -0,0 +1,113 @@
+From 00c071dd11f723ca608608eef45cb1aa98da89cc Mon Sep 17 00:00:00 2001
+From: Benjamin Gilbert <bgilbert@backtick.net>
+Date: Tue, 30 Apr 2024 07:26:54 -0500
+Subject: [PATCH 1/3] ANI: Reject files with multiple anih chunks
+
+An anih chunk causes us to initialize a bunch of state, which we only
+expect to do once per file.
+
+Fixes: #202
+Fixes: CVE-2022-48622
+---
+ gdk-pixbuf/io-ani.c                       |   9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
+index c6c4642cf4..a78ea7ace4 100644
+--- a/gdk-pixbuf/io-ani.c
+++ b/gdk-pixbuf/io-ani.c
+@@ -295,6 +295,15 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
+         
+         if (context->chunk_id == TAG_anih) 
+ 	{
+		if (context->animation)
+		{
+			g_set_error_literal (error,
+                                             GDK_PIXBUF_ERROR,
+                                             GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+                                             _("Invalid header in animation"));
+			return FALSE;
+		}
+
+ 		context->HeaderSize = read_int32 (context);
+ 		context->NumFrames = read_int32 (context);
+ 		context->NumSteps = read_int32 (context);
+-- 
+GitLab
+
+
+From d52134373594ff76614fb415125b0d1c723ddd56 Mon Sep 17 00:00:00 2001
+From: Benjamin Gilbert <bgilbert@backtick.net>
+Date: Tue, 30 Apr 2024 07:13:37 -0500
+Subject: [PATCH 2/3] ANI: Reject files with multiple INAM or IART chunks
+
+There should be at most one chunk each.  These would cause memory leaks
+otherwise.
+---
+ gdk-pixbuf/io-ani.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
+index a78ea7ace4..8e8414117c 100644
+--- a/gdk-pixbuf/io-ani.c
+++ b/gdk-pixbuf/io-ani.c
+@@ -445,7 +445,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
+ 	}
+         else if (context->chunk_id == TAG_INAM) 
+ 	{
+-		if (!context->animation) 
+		if (!context->animation || context->title)
+ 		{
+ 			g_set_error_literal (error,
+                                              GDK_PIXBUF_ERROR,
+@@ -472,7 +472,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
+ 	}
+         else if (context->chunk_id == TAG_IART) 
+ 	{
+-		if (!context->animation) 
+		if (!context->animation || context->author)
+ 		{
+ 			g_set_error_literal (error,
+                                              GDK_PIXBUF_ERROR,
+-- 
+GitLab
+
+
+From 91b8aa5cd8a0eea28acb51f0e121827ca2e7eb78 Mon Sep 17 00:00:00 2001
+From: Benjamin Gilbert <bgilbert@backtick.net>
+Date: Tue, 30 Apr 2024 08:17:25 -0500
+Subject: [PATCH 3/3] ANI: Validate anih chunk size
+
+Before reading a chunk, we verify that enough bytes are available to match
+the chunk size declared by the file.  However, uniquely, the anih chunk
+loader doesn't verify that this size matches the number of bytes it
+actually intends to read.  Thus, if the chunk size is too small and the
+file ends in the middle of the chunk, we populate some context fields with
+stack garbage.  (But we'd still fail later on because the file doesn't
+contain any images.)  Fix this.
+---
+ gdk-pixbuf/io-ani.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
+index 8e8414117c..cfafd7b196 100644
+--- a/gdk-pixbuf/io-ani.c
+++ b/gdk-pixbuf/io-ani.c
+@@ -295,6 +295,14 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
+         
+         if (context->chunk_id == TAG_anih) 
+ 	{
+		if (context->chunk_size < 36)
+		{
+			g_set_error_literal (error,
+                                             GDK_PIXBUF_ERROR,
+                                             GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+                                             _("Malformed chunk in animation"));
+			return FALSE;
+		}
+ 		if (context->animation)
+ 		{
+ 			g_set_error_literal (error,
+-- 
+GitLab
+
--- a/gdk-pixbuf2.spec
+++ b/gdk-pixbuf2.spec
@ -1,6 +1,6 @@
 Name:           gdk-pixbuf2
 Version:        2.40.0
-Release:        5
+Release:        6
 Summary:        gdk is a multi-platform toolkit for creating graphical user interfaces.

 License:        LGPLv2+
@ -12,6 +12,7 @@ Patch0001:	backport-CVE-2021-20240.patch
 Patch0002:	backport-CVE-2020-29385.patch
 Patch0003:	backport-CVE-2021-46829.patch
 Patch0004:	backport-CVE-2021-44648.patch
+Patch0005:	backport-CVE-2022-48622.patch

 BuildRequires:  gettext gtk-doc pkgconfig(gio-2.0) >= 2.48.0 libpng-devel libjpeg-devel libtiff-devel shared-mime-info
 BuildRequires:  meson pkgconfig(x11) pkgconfig(gobject-introspection-1.0) >= 0.9.3 gobject-introspection-devel libxslt gdb
@ -51,6 +52,8 @@ developing applications that uses gdk-pixbuf2 xlib and test.
 cp %{SOURCE1} ./tests/test-images/gif-test-suite/invalid-colors.gif

 %build
+# remove bug793470-crasher.png to resolve pixbuf-fail use case failure
+rm -rf tests/test-images/fail/bug793470-crasher.png
 %meson -Dbuiltin_loaders=png -Ddocs=true 

 %global _smp_mflags -j1
@ -105,6 +108,9 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache
 %{_mandir}/man1/gdk-pixbuf-csource.1*

 %changelog
+* Fri Sep 13 2024 zhangpan <zhangpan103@h-partners.com> - 2.40.0-6
+- fix CVE-2022-48622
+
 * Tue Jun 20 2023 zhangpan <zhangpan103@h-partners.com> - 2.40.0-5
 - fix CVE-2021-44648