unofficial mirror of guix-patches@gnu.org 
blob 6dfa435fd042fcf10f7cce6ff1550a6d3ed4b010 1524 bytes (raw)

Fix CVE-2017-17789:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17789
https://bugzilla.gnome.org/show_bug.cgi?id=790849

Patch copied from upstream source repository:

https://git.gnome.org/browse/gimp/commit/?id=01898f10f87a094665a7fdcf7153990f4e511d3f

From 01898f10f87a094665a7fdcf7153990f4e511d3f Mon Sep 17 00:00:00 2001
From: Jehan <jehan@girinstud.io>
Date: Wed, 20 Dec 2017 16:44:20 +0100
Subject: [PATCH] Bug 790849 - (CVE-2017-17789) CVE-2017-17789 Heap buffer
 overflow...

... in PSP importer.
Check if declared block length is valid (i.e. within the actual file)
before going further.
Consider the file as broken otherwise and fail loading it.

(cherry picked from commit 28e95fbeb5720e6005a088fa811f5bf3c1af48b8)
---
 plug-ins/common/file-psp.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
index ac0fff78f0..4cbafe37b1 100644
--- a/plug-ins/common/file-psp.c
+++ b/plug-ins/common/file-psp.c
@@ -1771,6 +1771,15 @@ load_image (const gchar  *filename,
     {
       block_start = ftell (f);
 
+      if (block_start + block_total_len > st.st_size)
+        {
+          g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+                       _("Could not open '%s' for reading: %s"),
+                       gimp_filename_to_utf8 (filename),
+                       _("invalid block size"));
+          goto error;
+        }
+
       if (id == PSP_IMAGE_BLOCK)
         {
           if (block_number != 0)
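Review bot: the `g_set_error` call in this hunk reuses the "Could not open '%s' for reading: %s" string, so a truncated or tampered PSP file is reported as an open failure rather than a parse failure; a dedicated message such as `_("Invalid block size in '%s'")` would tell the user what actually went wrong. Also, the declarations of `block_start` and `block_total_len` are not visible in the hunk, so it is worth confirming that `block_start + block_total_len` cannot wrap before the comparison against `st.st_size`; writing the test as `block_total_len > st.st_size - block_start` (after checking `block_start <= st.st_size`) sidesteps that concern regardless of the operand types.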
-- 
2.15.1
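As an added illustration (not part of this patch or of GIMP's code), the same "declared block length must fit inside the file" check the commit introduces, written in a form that cannot wrap and applied to a constructed block header; the 2-byte id / 4-byte little-endian length layout and the helper names are assumptions, not the real PSP format:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Returns 1 if a block starting at block_start with an untrusted declared
 * length block_total_len lies entirely within a file of file_size bytes,
 * 0 otherwise. Subtracting instead of adding means the attacker-controlled
 * length can never push the sum past the range of the file-size type. */
int block_fits(uint64_t block_start, uint64_t block_total_len, uint64_t file_size)
{
    if (block_start > file_size)
        return 0;
    return block_total_len <= file_size - block_start;
}

static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parses a constructed (hypothetical) header at `offset`: 2-byte id followed by
 * a 4-byte total length. Returns the declared length on success, or -1 if
 * either the header itself or the block it announces does not fit in the file,
 * which is the condition the CVE-2017-17789 fix rejects. */
long parse_block(const unsigned char *buf, size_t file_size, size_t offset,
                 uint16_t *id_out)
{
    const size_t header_len = 6;
    if (!block_fits(offset, header_len, file_size))
        return -1;
    uint16_t id = (uint16_t)(buf[offset] | (buf[offset + 1] << 8));
    uint32_t total_len = read_le32(buf + offset + 2);
    size_t block_start = offset + header_len;   /* data begins here, like ftell() after the header */
    if (!block_fits(block_start, total_len, file_size))
        return -1;
    if (id_out)
        *id_out = id;
    return (long)total_len;
}

int main(void)
{
    /* Constructed sample: a 4-byte block, then the same file claiming 0xffffffff bytes. */
    unsigned char good[] = {0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 1, 2, 3, 4};
    unsigned char bad[]  = {0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 1, 2, 3, 4};
    printf("good: %ld\n", parse_block(good, sizeof good, 0, NULL));
    printf("bad:  %ld\n", parse_block(bad, sizeof bad, 0, NULL));
    return 0;
}
```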

