diff options
author | Markus Koschany <apo@debian.org> | 2021-02-08 11:57:56 (EST) |
---|---|---|
committer | P. J. McDermott <pj@pehjota.net> | 2023-02-22 11:30:18 (EST) |
commit | 8f9564c8d9b8747c9ad1c7250828d7cc10f7f4b0 (patch) | |
tree | 3de43da7444a3dfa3b5837379b4afb555da43704 | |
parent | 2e3b70a464771785398fd8617f2e08a874a0f256 (diff) | |
download | xcftools-8f9564c8d9b8747c9ad1c7250828d7cc10f7f4b0.zip xcftools-8f9564c8d9b8747c9ad1c7250828d7cc10f7f4b0.tar.gz xcftools-8f9564c8d9b8747c9ad1c7250828d7cc10f7f4b0.tar.bz2 |
CVE-2019-5086 and CVE-2019-5087
Patch by Anton Gladky and Markus Koschany.
Bug-Debian: https://bugs.debian.org/945317
Origin: https://github.com/j-jorge/xcftools/pull/15
-rw-r--r-- | xcf-general.c | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/xcf-general.c b/xcf-general.c index b23c260..43ec48b 100644 --- a/xcf-general.c +++ b/xcf-general.c @@ -19,6 +19,8 @@ #include "xcftools.h" #include <string.h> #include <errno.h> +#include <limits.h> +#include <stdlib.h> #ifdef HAVE_ICONV # include <iconv.h> #elif !defined(ICONV_CONST) @@ -182,6 +184,27 @@ xcfString(uint32_t ptr,uint32_t *after) void computeDimensions(struct tileDimensions *d) { + // [ CVE-2019-5086 and CVE-2019-5087 ] + // This part of the code is the check to prevent integer overflow, see CVE-2019-5086 and CVE-2019-5087 + + if (d->c.l < INT_MIN/4) { + fprintf(stderr,("d->c.l is too small (%d)! Stopping execution...\n"), (d->c.l)); + exit(0); + } + if (d->c.t < INT_MIN/4) { + fprintf(stderr,("d->c.t is too small (%d)! Stopping execution...\n"), (d->c.t)); + exit(0); + } + if (d->width > (INT_MAX - d->c.l)/4) { + fprintf(stderr,("Width is too large (%d)! Stopping execution...\n"), (d->c.l + d->width)); + exit(0); + } + if (d->height > (INT_MAX - d->c.t)/4) { + fprintf(stderr,("Height is too large (%d)! Stopping execution...\n"), (d->c.t + d->height)); + exit(0); + } + // [ CVE-2019-5086 and CVE-2019-5087 ] + d->c.r = d->c.l + d->width ; d->c.b = d->c.t + d->height ; d->tilesx = (d->width+TILE_WIDTH-1)/TILE_WIDTH ; |