Compare commits

...

No commits in common. 'c9' and 'c9-beta' have entirely different histories.
c9 ... c9-beta

@ -1,264 +0,0 @@
From 00c071dd11f723ca608608eef45cb1aa98da89cc Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert <bgilbert@backtick.net>
Date: Tue, 30 Apr 2024 07:26:54 -0500
Subject: [PATCH 1/3] ANI: Reject files with multiple anih chunks
An anih chunk causes us to initialize a bunch of state, which we only
expect to do once per file.
Fixes: #202
Fixes: CVE-2022-48622
---
gdk-pixbuf/io-ani.c | 9 +++++++++
tests/test-images/fail/CVE-2022-48622.ani | Bin 0 -> 28012 bytes
2 files changed, 9 insertions(+)
create mode 100644 tests/test-images/fail/CVE-2022-48622.ani
diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
index c6c4642cf4..a78ea7ace4 100644
--- a/gdk-pixbuf/io-ani.c
+++ b/gdk-pixbuf/io-ani.c
@@ -295,6 +295,15 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
if (context->chunk_id == TAG_anih)
{
+ if (context->animation)
+ {
+ g_set_error_literal (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Invalid header in animation"));
+ return FALSE;
+ }
+
context->HeaderSize = read_int32 (context);
context->NumFrames = read_int32 (context);
context->NumSteps = read_int32 (context);
diff --git a/tests/test-images/fail/CVE-2022-48622.ani b/tests/test-images/fail/CVE-2022-48622.ani
new file mode 100644
index 0000000000000000000000000000000000000000..276b5b989f1e9ec9185e49eb45f710ee38278eb2
GIT binary patch
literal 28012
zcmeHQ2Ut|c+TMaKCefJWrWwJY#u6-vNsJ|8EU`vo%DpjvEQu|#CK_X<2#5tiihxLO
z(m|^9E?s(;zVxNDv@P#Hv#_`lDM~E&xt`}4=giDE-}laU=IlAlH}7%tnpLZI9$+w*
zE#LUnj)TAMox)%+Xkzswl8FyF@-LGlT2J%!YrgrmaX*8x`;Q$5e*NXp!DFA0O47<=
z%$-XmUSv2-WiY0ZIypJoGMeEqp24_7>ZX$t5n*g6iOG;7|2{vSd*HbT{#QNlFD7Fx
zNx$@@wf{|ipqOXA`Fgo@qILfbV<0%!QrrPPK1jZkjO65G1d?-FN86tE7zl<R2Esu7
zOtB^<C4p1HL3u^FH2$Z44SM|eKpfJ(=aiSBqOx4<|AG1p<cr7AMzQpVr`Pw1Nhslz
zpp1;+S(-c49~66#pPytti?74mBiT%8-<Q*QQ^^s}|Nh4MID9)4ofJ=0cqnqR((W6B
z#P{@`rGDpBJbS*E_&=K9Z)|M5Zwz!?bgs~QmZp^Cl>5dv6yH1v8H$tQ=ka)GX=x#2
zNXNYQWXos0{YH6ISR~3gfBVgO>c5%NexdkpM}(oRtqm=$t!Qp)L2*$5^7FGu%0*>W
z1<CWDN#9H6&+W)Cw70jTm0SaQ9cXH3XaKjKi|X1cq^G9$;-~jTKWUS+U!K%C^?wY(
z&*$^e+1V*h9UYx$@9027V;#74wMe-Wi<{2Q;xSP9{?fuV%&kufx5Q32{%{Bc0`VBS
zI=jSUXm9Tz*P|7!ZB1z5)uO4j9F4pZG_>ZSt~CQq?K!A!O+rexr+8ch`=1h>Pco<Y
zW23?$6bi{0_~`1Q*Pxvw9y&T(!E0|KW2ixEdnKCNN(k-(G_+--vMC;!h275$ihbEi
z=GZ5RTVhKZKOF;~PyF9S@OQPMy|W2zopoaDE$yXZ>`m<idrLf$irm_0Uxm$#lM-D|
zBmWzIVHdjiZRq5;prfmv;I9I&lY`dI0yK7JqPjgE@f>^cocZuDL;Y!BmbTd!zfjl-
zzOWTtf<|--YS1p=pq*cYMnO7C+CvaiX)DG)X*WYzTF=uur}*QdBgFGxDCCp8jo@!W
zmynB2VI|sxg=i9HprkVd;nijxRQ~Os87k6vuUE3@V$V}KB=|)l5y9R?QY*n<Pf|4*
zLm66yS*R375$xvOzn^>W$Np46OBt2m2RTIOgh12;K5D=hm6I_Ppq?L(=q5`s_P74S
zI4$W4h!@zzMOSNimb2B&uYBAWn+5xQ9uwrZG%LVoWtN}M${07N#b&mq(>7RMe~&Hc
z`%mWg<8Olib?8C`nL9;j?z)4FTK6vToY}`veUM#;>r<xtxy`Xjj{B;nqU<1f=AA)9
zvkJJ4s;H<rjoiEY5D~h%*3nME=9=NunGe!2oH}XzLbMY6Ty%*_iSO?st=d)WcLimZ
z=7Vgw+srt0Cwg6NL)}sGd!<T#XHTNG@po`)_M@b7AIhqK7pIcSgGkT%KX`e4$~7{a
zeCR>C9<}Zsei4~J&1C-9fXB~8R-T8DwoO!FTzZghABRO33$hQA*N&^?_w^!5D}O~?
z>S}n0%!QM;JRH5`;o(0AK~c+*kp7)0E%zrRrF{!epU?P)dh!<^r1Meg?%@|gMCLxP
zqY$};0pe%VjC~9>X`KjV$k4K@)zSmSIcj_n{K$L7b);tQfwQ{;42&l5^bN-5X=;wQ
zR6qN&={e08QnmD7<(XN}fLEX*BI7qAGHwIx9Y5h~pPzJ4TKA)#OXCNbKbe{S0$R6p
zH}gL1ska#7`_Ic{#k4!oC%6J(9C@DzM*N*4Fg2eAZS67Pm$aCh-P~kGOR%V&8_hmr
zBD3<W{!4+EuS^u#In9Glz;bx{t%RZBoI15LQ|Qw9unq}+5!#TR5zMFMxr-QoJV>dF
z)tWJW&RcBjYyHW)MKaPdufo*y3ux=g-_SA`MHl`1Jyb4_(K)aA8sEfxCT=({5t-X4
zLQQ3go$_(nG5vNLLW2Z<NlA+M*))9`qu=|>$!z7ixUe(a*49{*l)A#n<!2b^FS>o*
z`m>QkFvU<k@sf+W+AGjCm<baLMVvc7w@yuI+J>R@?N5f{zkc<C_;=>B*)oUwlcV(>
z_Up_ulC@D$;fk=(Bhc0Pw8P$E^{RpTNVln-8aY$x#0yQTs&7L}_hVepS^{;odFIkG
z4|`7W(<D2Av3sz-&bG^9(o-&xzh}<E-dYitHRMwV>(jSg_0&rd$B(@V<+BRVxUdY$
zD)VCc$~;V&Vt@ZFmiAEkm>PbP6&-OLp@BPKtUDE&%CBA@N<V2Cb*0w~jvspyXOw3{
zU2_GFAD@{e-TtuW1p6M^XSV#{?_heDKFRX;*#}SOjnKOw3ym|c8$GN&4W%~>luo^e
zv+9d+;nGH&`fJXx@IQ?G%j%0`+#Pqp)n+pc&MV;DnMnx`)1S(oKOrBZp*9Z}wbqIB
z47TE&^5S95pNFx3MMKft!E&d_&1M_Sbe7|S>a^DL$Jc!{R2{m9HhpwKd1{NE_9~c}
z?h#sA9Dwe{Rl~Y}hiaS3>8UMRXKA#R>+5m~4%dE!p5_AR9Qo+xP<0SlPu&Zj!rF8@
zyl!5ArTK2I-i6QC4YmJp<#bdQjxoHr)+T`1zU6ovH?IBw9kp2k^)v5k4W?WD^lLg-
zG!z83*S5g#=2-;aGJvtp1{)o<g~NJ&4Q97*`(?Fd(_C#1aTCKV5$dW0C!;OUQ=c!?
zIXc%{Re9zz^)qtf_YB%klbmaiI_)EKee^Uw7CM;zh)^F5B;K}%yZsTauErO`et+nT
zZzyFGtuGFS`)ctsW1SH1cNxCc`(bfqHLhsP<&pWFtf};lvF4d~j4mooxudHwk7uq+
z-b?KdA}&}D*~uOVzopGLx%|aH^8PjyybqGGySnLOT(CaBBqI>HagIpv*Fmt;33yuV
zfeV@6&L-R7VYwRtj>ixia2YvC&M3(AM@)zw-^O6mg$L<;(sj1_YYv5bDc2UH`k*2|
z3Y_c^6s36MZjw9l5?xV{auX%lfhfNlh5R&cgnB8}+UT$D_x<Wg<EQqlbXQMzHT%&f
z%2%y6C&>k6x#8dtycGqv!O4$6Zi+jiZfVrISo~;Xsker1D|zM)8~wGc8&}tDxM{i7
z%-``qOn~#DtU%|(StO6~wBBK6Z?t}cjp4ch->;v!K|LWrblrrkg)j!qBYWgjdvb9P
z23dsbE`QGK&L{QcquJeMnVy_6s=M5qkLxKjWXTB~EUloqq%6smd+JF>+k5mg*rDBJ
ziQbn~WX0{WR1uN;oLVCJX$C<+@+#VsbWa&c5HlF;V%acdl8-80T1@kC#meGbwiu1H
zytF6Z){~<*@0LT4Jc^f!^`Nm^FFLyIK+tU$qHY|-rWhB{jgx>UNB2H0IRa0Sr04sz
zh!dV4|5Y9!vHrJ7$|lL2q<K#oJhAB=5f+B@^mLH(#K&cy=nf{Sm84H4Ht0D?**Q5m
zhzJX%_8<E1afz<Ma-zF3KR1`!=*2+Jy?s19#PQ{~N3nfKd01;H17V={X<S$u1F1_d
zEiFYtTr4JzVP_1~f4FVbeg}!^N@H-gvnBhHIG8k+9XxqFd*g6z4Ah_6r!nSk46Vq|
z%SC;C4T+DJV#@36uo-W&!WHD$5%Z?8BR~Ft6*Z8qM`@$>yW^7-1C7-;prNS}wGDSs
z!A(JFbrcFKZy_Pm6w8;h;vdDvKz*ov`ot0l1>*Q(TL)Jh&*iqHkyvg7${M^7SE!9u
zyIE;VwzK~6c_^_jA`ylz5?^cQm!p})Gwa$T!Qr_gvQh;rb(nV*4zRu+XdI8))@@%v
zVgw|<N8(HE!hAFdVo=-V0k?)<u}F_uFntH>D~bNkdg4n9z!>u>IVbrDN!z33?~Gzs
ziQ`*nAW^Pj@Q{QCp$|No_F<7et5E)XmUv$bzk)IHdMay*W~|Jg=MqQUFiM&bu9-d}
zMl)>mwL=jy2foi`$v=vHa(`FS_)Zr{OcUuOQWA{(Mjd?a!K|3Jk-eJg<kT=GyJxYk
z#FdXPscQYUliRE$;I-dEO|vzs8qEbc<)@kqk|x~V7sB36{2`7-3>6Ex$1C|{>>Vf~
zC}L4mZ-Ot3nMKp~GsV|Cy_WG>R4Ut@+d8wOgKvTA=8Z@zoPp5vSKyg69zi)X5nuQX
zvPzEgJ#K%Lx%D#pS8`p3j6v>Yc9r<LBO4`LXKdQbOq+d~xlMvU=nm7fq1CXnjqin8
zo)di1#-w=!k2&rTGir`Q;;0YJea9TK4SpdkF!nRVru+;e$9d^1ce01P-{iel*j3c`
zWwpUrvznE#@ORcX65A;uj0Hu-bGSlLy{N1)2%gECeSBLdzAI^`c`TWO=48C~UXx8+
zedmd8`fU~bXaCC{3%4*QNXzwiF8?aKs=O)@3+J<AmaS*qw`Lyf$<!;a*6*ln%0pnb
zc5bJzv^NIRSKkFNMrjz2a91;$g@dO*%wM{i_03|bSZrT;NqNevtg6|QS&^U3Wh+YR
zXpRcT>uwG*UZoY9g3hisxQ6dkzb*6`@VcJVmifuk?IeCVI;-h(MW(W}zW&aqyvDBj
zK#sMzZ#%I+&cc`#aMS-S;SKLuu)Y1pqP{YH%c|-!?`%0CgRc&}!(aLtOTTaX!<32r
zQKyfvTrID^FETThgSY#vS%dYr)?XrbKuHcxc3OhZKW1GSOn$KTZJSx=4YfD5dfwOr
zADeXp#$c!}Tl4k%O`P}OuM1zdEd7Yp8<QW*PJiu+b6FcNsctLub5en?<+h;y<RtZu
zPCtd`rH7ID)7B!|S5p6|`La2z@q50X?HuK6ER6M5N3iWqv;K4ik+w*G4TOXk33qK#
zaG`zslYN-_)gQ9IanReHoD=7O%*gAAbUhXsXus#Ezr{~e1I@Nh3ANe#M}+&asFWBJ
zWF_3d4ZYndw9muX7)<u?TA3{&*83AmG6MKT8NMh^@j*tk8PZA0ymJHj*}kYLN)QCt
z?MtGvgXw#ecHN&wth#wl(KRhdzoIlVsDoRUhMI~ra7$9UlEU;VT`w$kr!tSCd#HV`
zZ5{a%N$W}aizK6-M9*p6OGDKoEl1zI`W}L%<b8~!H%S^z5<|Hs(Uk^Ck|pQ!mBCPy
z1w&;Nm}FUkP149wOuRfU3=_wdV6kio1SE+hX<RtzM3zm6Ji>^gVp%+ApGjYh=jYEo
z@Z1AK_W)&sko0p;692U@^xjWblJ0hw?9%ATIkfKSq8gfYg7Z21Y-p}}Bq=%{`kM>V
zzJJa>dnES`+KKxAIs0r-H$651>i_5Lv&ZJ%K^0T~-+s<Mql~mogF5Rm2vGl1_E}d~
zmpC#&S#)h}?cfnM;C~bQj7B!-7&_YtbB>IG$7@4VOB2~0UWdl!3e+_ff!myi+NM-g
zH^rfjcL$uNFhnI;h<DyTZT49=dyX>aI?&P1BV%Ym8)2Tc@an|Oxh4s7j+cpA!kR0o
zCp*Wp?0T_38|*U@*&yt>4#J$H%rjm)Wu8@mVsGT-qn==|;}PtQ!3fVb>1CgNvTN|2
ztB+yoi&fJ3FJb=)X=F%1*nfmM*U{BTm}i9b*HMa=jsi4wWP(eWXB=KIf(x#Q{Z80t
zY6=_fv2Y$2#)0(Sk6%dGAMN7kQYW7)jxh1~1>kjMgUgRaF3%1AC6~q6Df>)rEAy$b
zwj^Vs`0ugLy4hP@!a6bYtX)_lW^dIA;*i(whMOFXUiO*%k1Xb#U!UH*>5IRceMZ<@
zV&+^8xdt3EhP#A0mxvO94?H>N#D1Si*k}LxQv7)&iHfJ1OZ*RVh|o@0XOz8FP8d*y
zWDFUo=?aE#{dqBV%03(WF;lz?jV!PA&K*aq$t)+U8S8!AKQ|5ZQH;6ey(G)mOEJsG
z`^y+N7ezB`v-dYxUVHDc>|VPcKVkl%S{z;M5N4yHGXilH*Cp&TmCwKZ`+TuAojTpi
zdA3!2^tzg&q64U`J%dW_S#WC4qPRjC899d#61=w7!DhCtnc@47nSDl?f0gJI<rCkh
zBZgxv_B&ypol`UY`<!vKlHV5-v81A+;uldv>k(8p9zj{nVH8#zz+KKk<dq&qZrLBm
zDL#zEl&$c*xsZF^=)FOs8xJ!f@A;py&l<@5CsFOLWF)4VQuY~#u+J`z*w{U1r1g5(
zzptK^wyv$2w_C(*+Kqy;?~s_j6v5F7@C}^;?_hb{3ZH|pxaEjR{Wsz>wjwI=d$@Qk
z;u{*s|6{vn@8PHHvpTf2Wg$7skv^L^gnf2aVLy|laIkyc5cZjP4!c;&@5{^F+}_@K
zP*l^f1L=8R;FkYn*xHWou(TYTaY^eHQ%&^=MtTM>CYe}G;N5VY4&RVv2#MJYzmTtB
zY5Pg%<#YcG3s4$A(1iH-8<c&<A?!2N>3g~vXVmY6eI~wNy-YrsmK61MRY#|)sG<27
z(z4dV)pa6F9Y=+^d9hX}CXVQh@@rpxk!9f~v&`D;#aq|RCy5+g=fl-|73`c=;EK*1
zuF8q`hrN4Tf?q^q;&HB&ea0c|v)>o*Wyrj{^Zw_PyY;Fu{w|wr8fx`LybgWj75s*q
zt_pB>9p$Lc{rmkPJ>Rr%zIa(r=Pka4^=z0~E)f_QDMI<g6x-8B<c76-UxGh3FN!{!
zID~z6aP=k@d*R;uu~RG_)~h!p-&W=d1Yu;?jWxo8w!zD4dR$`2_#t6X_jtisOZ_$I
zUQrNf>n(+<(p>J@WA6`(JwfsJu+KPzeRgQYqI+{j+JE#s_~v$tiV_#{ew2c|91FrA
z_^vbl)|b6IM*7P4EvqK6W~!eW+j#cO+fY-V4^`F0Q2A3~SnL(*bCSvk`)t>Od8}UM
zLtopp9N~K?rjZ*>zS5F{q!>Nenk-LFjs9c6K7I9QD8Cqf`sf6lKB)jDm8Cd&RAE@`
zA%eYxFu1fnn!#o*n*aCbleGO%&wW|-wNa?&CL%Ui16pd64W-+Ma;|aaRf98szKWB_
zXG2MO1x_BBJuLPX!M=UwL^gZwG}fTc_h65mS=HsYP|3N4XulIM(w4Ot3T9~;O_etc
zHP6UH`Sb#jn%a7t{&ViI@Js6+>^#8byO`p;_9!iM6h-^}0VgZ@?C?C9-rvi?`qTC+
znsV{Fgf(?Za~&>g{Q$L73x+j+hGJ79<7&CuG$rPuupq}m5F2<1&e!L)`*@CCCTSlm
z*VS3`v9Z>iR&)KYaP8_2m>BKB70ngHx_<|=Dcx?Rzj$4c=YDQ}x+!7<kHE+3OITlf
z`IfZIK<9>93q5W1SHaO@7o2Y>!NO!G*Wkj^Vf}s%WUp_VsrHgFcGouAq{bQ{IZ_kh
zt~+r<f05w&*#$a%W&4%`{U%<v(_1X?wBCh)n`-d))`5xc*EV|R6o>Te=&SEh%LeDa
zoa*m#jGL2WhlBt%gpwUIj{3`mrrMwQx?WzTXnE<w-rrM8&3SBh?G=h9Iv@Mm>8}(9
z*#Cwo-}6X{wu7g`Q7&QP4g3A!QO04Zz4~BWkRHDv#RDn9I*4}p6Tap@z)|lDo`u%@
zWGyv0BdxQth87p+-*GZn!Sl8JKSX()!kth9WD#c6?SLzMOa0YPm3`)X?YoP~;l}*p
z%mCykI3X>>010I0PPE%`L^%JBaHqqFbUBK6A2p<f8zVp29YvXeNC>^kcQN_*Klb&8
zNAbU;kE`*<L(zn_RhaHe*k{p%eHM)3RBsd#hF@XwO%xHvSy@g9VRA*IFvAbgzGrJ)
zuWfv$*k|qr8>ahOZL_)Ur%{_n*k_!)2r=Hu!dNi_EuYM>82|INzSi4qJPg)9lk78h
z<BcqrYa2KC+Wc%5<nnt=kn7<rl4k|G9*Oa@`^C)V+NKTe#+wFxzDus_|58rZO~_iv
zGt53)D#k~6Zaq242;OeQB$Ke)MySY&>&JDoycm;u*k_BW1d*HG%?e}mu+JDh>@#K$
z`)pJXn~bo~#O$+iJ!~`Cd#p2Y{XN#1goXB;eMYaw^W%Th1B8|FoPCx}*=J!-mwiT<
zXoP__<h6{4ovoC8BhCCGWy-vhW}l@$tj>p#r}iJjKC2*K1s1c<#yv^)SvLz$!akFK
zl@&_X5yEFpVn@u8XGMNEo&6ZuXI<pWs)T(;zDnBIOxb6JWW7I~u+Io1r!t6q>C6g>
zi`lUc<J+OgQvcH@Fa5$I{kkRnDra+B8R}Zd7cHA&2>Z+r2?d7u@;|IQpYC{E>@&JX
z-$lM`*GyuA<ZGs#xrBWdi}F@4gqLeT@gy_*gWp(>WgkNK_$BN!5}PDnm24IylK7Gj
ze7JvM!9`a7G^ueDc9ocMM)DU3%c=Ko%AxrBK{C|-J@#2CVV|X<Q5XRK#=r217At@1
zW>)W>&L5K5@BW@7b6hK2#^hqy2w%0h7ekK3$XNXmIAYh&QS3J*%(w^H>96jc(d<fr
zn0;17qHH;6K{zrRw6VyM$$4*WHyg>miNX4fFw3m-#;0f2eBV-9tHiHvutr_8Khi6d
zI`5VnG?@p;`u$}i^Yt<eyx!dx$Gc<MRRS^dj<V0<k=}3>E7h5~@006I7<bHo2F7?D
zZ}#~+^|P8<JKRNO^`{V)J_FwI<KdI=20T(`AnxuS#1$Op+Xu~0-hNVMdtVy^mAlzz
z)nx2hgnj0OHAk3P^A0jM(>~SJj0t9btgH2He|EKWC?UOeExgjFq?w10IpG*OdWN?5
zn5kxNWA_?+kM(y5nk5R1*#a%I5AP_hXMZ=4P3g97_8AAIHU3z)j+MChFte9A5}v|b
zo0Rnqr={a0GAb9tIbo!iZ71V3N&gfw7ZXVe1Y@L$^IQ5pfg54(zE!a4KjR!0u3)_)
zksBzd?5pzXI1si}3}L_B$KLRdWjfV2>GA7Z%Hf*2KBKB}(!cuCMXvjZvpS=lPoA5F
zU3)*uUbJXv_v_Tx+0}EWv7?qOVEt{qFFBi;-`W-{s;Mu6Q`p|K-tGS$a82{%Ihh|$
zDJx*d?zxSN7P8LthgG_M+P{eXsq7`vb@ZIFzfxjGXY+W4<O`VrxZ=O&gT69-%f~fF
zyz|$oY4~Q_B>v(B!)Bko8RjQ<r@qb+$?=v*3fcH^UweJaW`>L9em^-GhmS4i50`yL
z*?&%EOt<9tuey?B_aoACrBYveeam*{8}?b*{sukWgRR45pAq|`jWk(DL;SYXrpBot
z+VjU4QrG|WC%-#hPJ6-w{dI9pb8GQG!9FwAU{1VrdS*a!l(8r&h%n3Sf3aXl?JtlX
zzrX!2<}ra6MRDP_!d?IO&$7>)uI^6FjdwssqzR(jjz@;r|9aHlT+BY38e+HSNF-sO
zrAJ*yc7g-!uI@_taz6W8X>7wir;M^-!age{?6Z;#f80%Q7PHSXZkr)H@dirB{ZW=3
zA_%tGpZGZ0XC9hM-BKm&GftYQt}<K1$qnmF4K=Lv)LP}Cvwg&u!yW5D{VBt&hiN8e
zpPB4<!PsQyizf_sjND-O^HX4-%_S=!+sBF7XXJZ3U{UtjNXkA7$0RBC8D*deNS$cZ
M-`Qsm^M9uOKm6?EwEzGB
literal 0
HcmV?d00001
--
GitLab
From d52134373594ff76614fb415125b0d1c723ddd56 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert <bgilbert@backtick.net>
Date: Tue, 30 Apr 2024 07:13:37 -0500
Subject: [PATCH 2/3] ANI: Reject files with multiple INAM or IART chunks
There should be at most one chunk each. These would cause memory leaks
otherwise.
---
gdk-pixbuf/io-ani.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
index a78ea7ace4..8e8414117c 100644
--- a/gdk-pixbuf/io-ani.c
+++ b/gdk-pixbuf/io-ani.c
@@ -445,7 +445,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
}
else if (context->chunk_id == TAG_INAM)
{
- if (!context->animation)
+ if (!context->animation || context->title)
{
g_set_error_literal (error,
GDK_PIXBUF_ERROR,
@@ -472,7 +472,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
}
else if (context->chunk_id == TAG_IART)
{
- if (!context->animation)
+ if (!context->animation || context->author)
{
g_set_error_literal (error,
GDK_PIXBUF_ERROR,
--
GitLab
From 91b8aa5cd8a0eea28acb51f0e121827ca2e7eb78 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert <bgilbert@backtick.net>
Date: Tue, 30 Apr 2024 08:17:25 -0500
Subject: [PATCH 3/3] ANI: Validate anih chunk size
Before reading a chunk, we verify that enough bytes are available to match
the chunk size declared by the file. However, uniquely, the anih chunk
loader doesn't verify that this size matches the number of bytes it
actually intends to read. Thus, if the chunk size is too small and the
file ends in the middle of the chunk, we populate some context fields with
stack garbage. (But we'd still fail later on because the file doesn't
contain any images.) Fix this.
---
gdk-pixbuf/io-ani.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
index 8e8414117c..cfafd7b196 100644
--- a/gdk-pixbuf/io-ani.c
+++ b/gdk-pixbuf/io-ani.c
@@ -295,6 +295,14 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
if (context->chunk_id == TAG_anih)
{
+ if (context->chunk_size < 36)
+ {
+ g_set_error_literal (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Malformed chunk in animation"));
+ return FALSE;
+ }
if (context->animation)
{
g_set_error_literal (error,
--
GitLab

@ -2,7 +2,7 @@
Name: gdk-pixbuf2
Version: 2.42.6
Release: 4%{?dist}
Release: 3%{?dist}
Summary: An image loading library
License: LGPLv2+
@ -11,7 +11,6 @@ Source0: https://download.gnome.org/sources/gdk-pixbuf/2.42/gdk-pixbuf-%{
Patch0: gif-check-for-overflow.patch
Patch1: gif-lzw-code-size-overflow.patch
Patch2: CVE-2022-48622.patch
BuildRequires: docbook-style-xsl
BuildRequires: gettext
@ -122,10 +121,6 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache
%{_datadir}/installed-tests
%changelog
* Wed May 15 2024 Tomas Popela <tpopela@redhat.com> - 2.42.6-4
- Backport fixes for CVE-2022-48622
- Resolves: RHEL-36432
* Mon Oct 31 2022 Tomas Popela <tpopela@redhat.com> - 2.42.6-3
- Backport fixes for CVE-2021-46829 and CVE-2021-44648
- Resolves: rhbz#2115213

Loading…
Cancel
Save