    1 From 23f685931e5f000dd033a45c60c1e60d7f78caf4 Mon Sep 17 00:00:00 2001
    2 From: Nils Philippsen <nils@redhat.com>
    3 Date: Tue, 26 Nov 2013 09:49:42 +0000
    4 Subject: file-xwd: sanity check # of colors and map entries (CVE-2013-1978)
    5 
    6 The number of colors in an image shouldn't be higher than the number of
    7 colormap entries. Additionally, consolidate post error cleanup in
    8 load_image().
    9 ---
   10 diff --git a/plug-ins/common/file-xwd.c b/plug-ins/common/file-xwd.c
   11 index 343129a..4df9ce8 100644
   12 --- a/plug-ins/common/file-xwd.c
   13 +++ b/plug-ins/common/file-xwd.c
   14 @@ -429,9 +429,9 @@ static gint32
   15  load_image (const gchar  *filename,
   16              GError      **error)
   17  {
   18 -  FILE            *ifp;
   19 +  FILE            *ifp = NULL;
   20    gint             depth, bpp;
   21 -  gint32           image_ID;
   22 +  gint32           image_ID = -1;
   23    L_XWDFILEHEADER  xwdhdr;
   24    L_XWDCOLOR      *xwdcolmap = NULL;
   25  
   26 @@ -441,7 +441,7 @@ load_image (const gchar  *filename,
   27        g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno),
   28                     _("Could not open '%s' for reading: %s"),
   29                     gimp_filename_to_utf8 (filename), g_strerror (errno));
   30 -      return -1;
   31 +      goto out;
   32      }
   33  
   34    read_xwd_header (ifp, &xwdhdr);
   35 @@ -450,8 +450,7 @@ load_image (const gchar  *filename,
   36        g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
   37                     _("Could not read XWD header from '%s'"),
   38                     gimp_filename_to_utf8 (filename));
   39 -      fclose (ifp);
   40 -      return -1;
   41 +      goto out;
   42      }
   43  
   44  #ifdef XWD_COL_WAIT_DEBUG
   45 @@ -473,12 +472,18 @@ load_image (const gchar  *filename,
   46        g_message (_("'%s':\nIllegal number of colormap entries: %ld"),
   47                   gimp_filename_to_utf8 (filename),
   48                   (long)xwdhdr.l_colormap_entries);
   49 -      fclose (ifp);
   50 -      return -1;
   51 +      goto out;
   52      }
   53  
   54    if (xwdhdr.l_colormap_entries > 0)
   55      {
   56 +      if (xwdhdr.l_colormap_entries < xwdhdr.l_ncolors)
   57 +        {
   58 +          g_message (_("'%s':\nNumber of colormap entries < number of colors"),
   59 +                     gimp_filename_to_utf8 (filename));
   60 +          goto out;
   61 +        }
   62 +
   63        xwdcolmap = g_new (L_XWDCOLOR, xwdhdr.l_colormap_entries);
   64  
   65        read_xwd_cols (ifp, &xwdhdr, xwdcolmap);
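Review bot: The new `l_colormap_entries < l_ncolors` test only runs inside `if (xwdhdr.l_colormap_entries > 0)`, so a header with zero colormap entries and a non-zero `l_ncolors` is still accepted and continues with `xwdcolmap == NULL`. Whether any later loader trusts `l_ncolors` in that state is not visible on this page, so either confirm that case is harmless or reject it as well, for example by testing `xwdhdr.l_ncolors > xwdhdr.l_colormap_entries` before the conditional. Both counts come straight from the file header, so a comment above the check would help the next reader, e.g. `/* xwdcolmap is sized by l_colormap_entries; reject headers that claim more colors than entries */`. The upper-bound test on `l_colormap_entries` just above, and the body of `read_xwd_cols`, lie outside this hunk.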
   66 @@ -498,9 +503,7 @@ load_image (const gchar  *filename,
   67        if (xwdhdr.l_file_version != 7)
   68          {
   69            g_message (_("Can't read color entries"));
   70 -          g_free (xwdcolmap);
   71 -          fclose (ifp);
   72 -          return (-1);
   73 +          goto out;
   74          }
   75      }
   76  
   77 @@ -508,9 +511,7 @@ load_image (const gchar  *filename,
   78      {
   79        g_message (_("'%s':\nNo image width specified"),
   80                   gimp_filename_to_utf8 (filename));
   81 -      g_free (xwdcolmap);
   82 -      fclose (ifp);
   83 -      return (-1);
   84 +      goto out;
   85      }
   86  
   87    if (xwdhdr.l_pixmap_width > GIMP_MAX_IMAGE_SIZE
   88 @@ -518,27 +519,21 @@ load_image (const gchar  *filename,
   89      {
   90        g_message (_("'%s':\nImage width is larger than GIMP can handle"),
   91                   gimp_filename_to_utf8 (filename));
   92 -      g_free (xwdcolmap);
   93 -      fclose (ifp);
   94 -      return (-1);
   95 +      goto out;
   96      }
   97  
   98    if (xwdhdr.l_pixmap_height <= 0)
   99      {
  100        g_message (_("'%s':\nNo image height specified"),
  101                   gimp_filename_to_utf8 (filename));
  102 -      g_free (xwdcolmap);
  103 -      fclose (ifp);
  104 -      return (-1);
  105 +      goto out;
  106      }
  107  
  108    if (xwdhdr.l_pixmap_height > GIMP_MAX_IMAGE_SIZE)
  109      {
  110        g_message (_("'%s':\nImage height is larger than GIMP can handle"),
  111                   gimp_filename_to_utf8 (filename));
  112 -      g_free (xwdcolmap);
  113 -      fclose (ifp);
  114 -      return (-1);
  115 +      goto out;
  116      }
  117  
  118    gimp_progress_init_printf (_("Opening '%s'"),
  119 @@ -591,11 +586,6 @@ load_image (const gchar  *filename,
  120      }
  121    gimp_progress_update (1.0);
  122  
  123 -  fclose (ifp);
  124 -
  125 -  if (xwdcolmap)
  126 -    g_free (xwdcolmap);
  127 -
  128    if (image_ID == -1 && ! (error && *error))
  129      g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
  130                   _("XWD-file %s has format %d, depth %d and bits per pixel %d. "
  131 @@ -603,6 +593,17 @@ load_image (const gchar  *filename,
  132                   gimp_filename_to_utf8 (filename),
  133                   (gint) xwdhdr.l_pixmap_format, depth, bpp);
  134  
  135 +out:
  136 +  if (ifp)
  137 +    {
  138 +      fclose (ifp);
  139 +    }
  140 +
  141 +  if (xwdcolmap)
  142 +    {
  143 +      g_free (xwdcolmap);
  144 +    }
  145 +
  146    return image_ID;
  147  }
  148  
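Review bot: The `out:` label sits below the fallback `g_set_error (...)` for `image_ID == -1`, so every early `goto out` path that only called `g_message` returns -1 with `*error` still unset. That matches the old `return -1` behaviour, but it deserves a comment at the label, e.g. `/* early exits land here; ifp and xwdcolmap may be NULL, *error may be unset */`. The `if (xwdcolmap)` guard is redundant because `g_free()` accepts NULL, so a plain `g_free (xwdcolmap);` would do. `load_image` begins outside this hunk.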
  149 --
  150 cgit v0.9.2
