packages/gdk-pixbuf2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!54 [sync] PR-50: Fix CVE-2022-48622

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @technology208, @open-bot 
Signed-off-by: @technology208, @open-bot
This commit is contained in:
openeuler-ci-bot 2024-09-14 01:20:44 +00:00 committed by Gitee
commit f6a16f4efe
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 118 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

113
backport-CVE-2022-48622.patch Normal file
View File

@ -0,0 +1,113 @@
From 00c071dd11f723ca608608eef45cb1aa98da89cc Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert <bgilbert@backtick.net>
Date: Tue, 30 Apr 2024 07:26:54 -0500
Subject: [PATCH 1/3] ANI: Reject files with multiple anih chunks
An anih chunk causes us to initialize a bunch of state, which we only
expect to do once per file.
Fixes: #202
Fixes: CVE-2022-48622
---
gdk-pixbuf/io-ani.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
index c6c4642cf4..a78ea7ace4 100644
--- a/gdk-pixbuf/io-ani.c
+++ b/gdk-pixbuf/io-ani.c
@@ -295,6 +295,15 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
if (context->chunk_id == TAG_anih)
{
+ if (context->animation)
+ {
+ g_set_error_literal (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Invalid header in animation"));
+ return FALSE;
+ }
+
context->HeaderSize = read_int32 (context);
context->NumFrames = read_int32 (context);
context->NumSteps = read_int32 (context);
--
GitLab
From d52134373594ff76614fb415125b0d1c723ddd56 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert <bgilbert@backtick.net>
Date: Tue, 30 Apr 2024 07:13:37 -0500
Subject: [PATCH 2/3] ANI: Reject files with multiple INAM or IART chunks
There should be at most one chunk each. These would cause memory leaks
otherwise.
---
gdk-pixbuf/io-ani.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
index a78ea7ace4..8e8414117c 100644
--- a/gdk-pixbuf/io-ani.c
+++ b/gdk-pixbuf/io-ani.c
@@ -445,7 +445,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
}
else if (context->chunk_id == TAG_INAM)
{
- if (!context->animation)
+ if (!context->animation || context->title)
{
g_set_error_literal (error,
GDK_PIXBUF_ERROR,
@@ -472,7 +472,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
}
else if (context->chunk_id == TAG_IART)
{
- if (!context->animation)
+ if (!context->animation || context->author)
{
g_set_error_literal (error,
GDK_PIXBUF_ERROR,
--
GitLab
From 91b8aa5cd8a0eea28acb51f0e121827ca2e7eb78 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert <bgilbert@backtick.net>
Date: Tue, 30 Apr 2024 08:17:25 -0500
Subject: [PATCH 3/3] ANI: Validate anih chunk size
Before reading a chunk, we verify that enough bytes are available to match
the chunk size declared by the file. However, uniquely, the anih chunk
loader doesn't verify that this size matches the number of bytes it
actually intends to read. Thus, if the chunk size is too small and the
file ends in the middle of the chunk, we populate some context fields with
stack garbage. (But we'd still fail later on because the file doesn't
contain any images.) Fix this.
---
gdk-pixbuf/io-ani.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
index 8e8414117c..cfafd7b196 100644
--- a/gdk-pixbuf/io-ani.c
+++ b/gdk-pixbuf/io-ani.c
@@ -295,6 +295,14 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
if (context->chunk_id == TAG_anih)
{
+ if (context->chunk_size < 36)
+ {
+ g_set_error_literal (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Malformed chunk in animation"));
+ return FALSE;
+ }
if (context->animation)
{
g_set_error_literal (error,
--
GitLab

6
gdk-pixbuf2.spec
View File

@ -2,7 +2,7 @@
Name: gdk-pixbuf2 Name: gdk-pixbuf2
Version: 2.42.6 Version: 2.42.6
Release: 6 Release: 7
Summary: gdk is a multi-platform toolkit for creating graphical user interfaces. Summary: gdk is a multi-platform toolkit for creating graphical user interfaces.
License: LGPLv2+ License: LGPLv2+
URL: https://gitlab.gnome.org/GNOME/gdk-pixbuf URL: https://gitlab.gnome.org/GNOME/gdk-pixbuf
@ -11,6 +11,7 @@ Source1: invalid-colors.gif
Patch6000: backport-CVE-2021-46829.patch Patch6000: backport-CVE-2021-46829.patch
Patch6001: backport-CVE-2021-44648.patch Patch6001: backport-CVE-2021-44648.patch
Patch6002: backport-CVE-2022-48622.patch
BuildRequires: docbook-style-xsl BuildRequires: docbook-style-xsl
BuildRequires: gettext BuildRequires: gettext
@ -130,6 +131,9 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache
%{_mandir}/man1/gdk-pixbuf-csource.1* %{_mandir}/man1/gdk-pixbuf-csource.1*
%changelog %changelog
* Wed Jun 26 2024 liningjie <liningjie@xfusion.com> - 2.42.6-7
- Fix CVE-2022-48622
* Tue Jun 20 2023 zhangpan <zhangpan103@h-partners.com> - 2.42.6-6 * Tue Jun 20 2023 zhangpan <zhangpan103@h-partners.com> - 2.42.6-6
- fix CVE-2021-44648 - fix CVE-2021-44648