From d942fea1cf7891818de357e08319d881b0f2f0df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hubert=20Figui=C3=A8re?= <hub@figuiere.net>
Date: Sun, 25 Feb 2018 13:28:28 -0500
Subject: [PATCH 5/5] Bug 105204 - Fix a buffer overflow in PSD parser
---
 source/XMPFiles/FormatSupport/PSIR_FileWriter.cpp | 6 ++++++
 1 file changed, 6 insertions(+)
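--- a/source/XMPFiles/FormatSupport/PSIR_FileWriter.cpp
+++ b/source/XMPFiles/FormatSupport/PSIR_FileWriter.cpp
@@ -291,6 +291,12 @@ void PSIR_FileWriter::ParseFileResources ( LFA_FileRef fileRef, XMP_Uns32 length
 		ioBuf.ptr += paddedLen;	// Move to the data length.
 		XMP_Uns32 dataLen   = GetUns32BE(ioBuf.ptr);
 		XMP_Uns32 dataTotal = ((dataLen + 1) & 0xFFFFFFFEUL);	// Round up to an even total.
+		// See bug https://bugs.freedesktop.org/show_bug.cgi?id=105204
+		// If dataLen is 0xffffffff, then dataTotal might be 0
+		// and therefor make the CheckFileSpace test pass.
+		if (dataTotal < dataLen) {
+			break;
+		}
 		ioBuf.ptr += 4;	// Advance to the resource data.
 
 		XMP_Int64 thisDataPos = ioBuf.filePos + (ioBuf.ptr - ioBuf.data);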
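Review bot: The new guard `if (dataTotal < dataLen)` fires only for `dataLen == 0xFFFFFFFF`, the single value for which the 32-bit round-up wraps to 0. Every other oversized length from the file still depends on the CheckFileSpace test the comment refers to, which lies outside this hunk and should be confirmed to bound `dataTotal` against the remaining file size. The comment would be more precise as `// dataLen == 0xFFFFFFFF wraps dataTotal to 0, which would pass CheckFileSpace; treat the resource as malformed.` The `break` also ends parsing silently, so a caller cannot tell a truncated resource list from a clean one; if the loop has a way to record malformed input, presumably it belongs here. ParseFileResources starts and ends outside the hunk.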
-- 
2.17.2