1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
| | Fix CVE-2017-17786:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17786
https://bugzilla.gnome.org/show_bug.cgi?id=739134
Both patches copied from upstream source repository:
https://git.gnome.org/browse/gimp/commit/?id=ef9c821fff8b637a2178eab1c78cae6764c50e12
https://git.gnome.org/browse/gimp/commit/?id=22e2571c25425f225abdb11a566cc281fca6f366
From ef9c821fff8b637a2178eab1c78cae6764c50e12 Mon Sep 17 00:00:00 2001
From: Jehan <jehan@girinstud.io>
Date: Wed, 20 Dec 2017 13:02:38 +0100
Subject: [PATCH] Bug 739134 - (CVE-2017-17786) Out of bounds read / heap
overflow in...
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
... TGA importer.
Be more thorough on valid TGA RGB and RGBA images.
In particular current TGA plug-in can import RGBA as 32 bits (8 bits per
channel) and 16 bits (5 bits per color channel and 1 bit for alpha), and
RGB as 15 and 24 bits.
Maybe there exist more variants, but if they do exist, we simply don't
support them yet.
Thanks to Hanno Böck for the report and a first patch attempt.
(cherry picked from commit 674b62ad45b6579ec6d7923dc3cb1ef4e8b5498b)
---
plug-ins/common/file-tga.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c
index aef98702d4..426acc2925 100644
--- a/plug-ins/common/file-tga.c
+++ b/plug-ins/common/file-tga.c
@@ -564,12 +564,16 @@ load_image (const gchar *filename,
}
break;
case TGA_TYPE_COLOR:
- if (info.bpp != 15 && info.bpp != 16 &&
- info.bpp != 24 && info.bpp != 32)
+ if ((info.bpp != 15 && info.bpp != 16 &&
+ info.bpp != 24 && info.bpp != 32) ||
+ ((info.bpp == 15 || info.bpp == 24) &&
+ info.alphaBits != 0) ||
+ (info.bpp == 16 && info.alphaBits != 1) ||
+ (info.bpp == 32 && info.alphaBits != 8))
{
- g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u)",
+ g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u, alpha = %u)",
gimp_filename_to_utf8 (filename),
- info.imageType, info.bpp);
+ info.imageType, info.bpp, info.alphaBits);
return -1;
}
break;
--
2.15.1
From 22e2571c25425f225abdb11a566cc281fca6f366 Mon Sep 17 00:00:00 2001
From: Jehan <jehan@girinstud.io>
Date: Wed, 20 Dec 2017 13:26:26 +0100
Subject: [PATCH] plug-ins: TGA 16-bit RGB (without alpha bit) is also valid.
According to some spec on the web, 16-bit RGB is also valid. In this
case, the last bit is simply ignored (at least that's how it is
implemented right now).
(cherry picked from commit 8ea316667c8a3296bce2832b3986b58d0fdfc077)
---
plug-ins/common/file-tga.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c
index 426acc2925..eb14a1dadc 100644
--- a/plug-ins/common/file-tga.c
+++ b/plug-ins/common/file-tga.c
@@ -568,7 +568,8 @@ load_image (const gchar *filename,
info.bpp != 24 && info.bpp != 32) ||
((info.bpp == 15 || info.bpp == 24) &&
info.alphaBits != 0) ||
- (info.bpp == 16 && info.alphaBits != 1) ||
+ (info.bpp == 16 && info.alphaBits != 1 &&
+ info.alphaBits != 0) ||
(info.bpp == 32 && info.alphaBits != 8))
{
g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u, alpha = %u)",
--
2.15.1
|