rpms / exempi

Clone
Source Code
GIT

Blame SOURCES/CVE-2018-7730.patch

c4 c5 c5-plus c6 c6-plus c7 c7-beta c8 c8-beta c9 c9-beta
  1.   a3db16dbfd2b567a14f11ef0b7678ea642580d09
  2.   SOURCES
  3.   CVE-2018-7730.patch
Blob History Raw
a3db16 
From d942fea1cf7891818de357e08319d881b0f2f0df Mon Sep 17 00:00:00 2001
a3db16 
From: =?UTF-8?q?Hubert=20Figui=C3=A8re?= <hub@figuiere.net>
a3db16 
Date: Sun, 25 Feb 2018 13:28:28 -0500
a3db16 
Subject: [PATCH 5/5] Bug 105204 - Fix a buffer overflow in PSD parser
a3db16
a3db16 
---
a3db16 
 source/XMPFiles/FormatSupport/PSIR_FileWriter.cpp | 6 ++++++
a3db16 
 1 file changed, 6 insertions(+)
a3db16
a3db16 
diff --git a/source/XMPFiles/FormatSupport/PSIR_FileWriter.cpp b/source/XMPFiles/FormatSupport/PSIR_FileWriter.cpp
a3db16 
index 0e57b49..bed14b0 100644
a3db16 
--- a/source/XMPFiles/FormatSupport/PSIR_FileWriter.cpp
a3db16 
+++ b/source/XMPFiles/FormatSupport/PSIR_FileWriter.cpp
a3db16 
@@ -291,6 +291,12 @@ void PSIR_FileWriter::ParseFileResources ( LFA_FileRef fileRef, XMP_Uns32 length
a3db16 
 		ioBuf.ptr += paddedLen;	// Move to the data length.
a3db16 
 		XMP_Uns32 dataLen   = GetUns32BE(ioBuf.ptr);
a3db16 
 		XMP_Uns32 dataTotal = ((dataLen + 1) & 0xFFFFFFFEUL);	// Round up to an even total.
a3db16 
+		// See bug https://bugs.freedesktop.org/show_bug.cgi?id=105204
a3db16 
+		// If dataLen is 0xffffffff, then dataTotal might be 0
a3db16 
+		// and therefor make the CheckFileSpace test pass.
a3db16 
+		if (dataTotal < dataLen) {
a3db16 
+			break;
a3db16 
+		}
a3db16 
 		ioBuf.ptr += 4;	// Advance to the resource data.
a3db16
a3db16 
 		XMP_Int64 thisDataPos = ioBuf.filePos + (ioBuf.ptr - ioBuf.data);
a3db16 
--
a3db16 
2.17.2
a3db16

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation