authorMarkus Koschany <apo@debian.org>2021-02-08 11:57:56 (EST)
committer P. J. McDermott <pj@pehjota.net>2023-02-22 11:30:18 (EST)
commit8f9564c8d9b8747c9ad1c7250828d7cc10f7f4b0 (patch)
tree3de43da7444a3dfa3b5837379b4afb555da43704
parent2e3b70a464771785398fd8617f2e08a874a0f256 (diff)
CVE-2019-5086 and CVE-2019-5087
Patch by Anton Gladky and Markus Koschany. Bug-Debian: https://bugs.debian.org/945317 Origin: https://github.com/j-jorge/xcftools/pull/15
-rw-r--r--xcf-general.c23
1 files changed, 23 insertions, 0 deletions
diff --git a/xcf-general.c b/xcf-general.c
index b23c260..43ec48b 100644
--- a/xcf-general.c
+++ b/xcf-general.c
@@ -19,6 +19,8 @@
#include "xcftools.h"
#include <string.h>
#include <errno.h>
+#include <limits.h>
+#include <stdlib.h>
#ifdef HAVE_ICONV
# include <iconv.h>
#elif !defined(ICONV_CONST)
@@ -182,6 +184,27 @@ xcfString(uint32_t ptr,uint32_t *after)
void
computeDimensions(struct tileDimensions *d)
{
+ // [ CVE-2019-5086 and CVE-2019-5087 ]
+ // This part of the code is the check to prevent integer overflow, see CVE-2019-5086 and CVE-2019-5087
+
+ if (d->c.l < INT_MIN/4) {
+ fprintf(stderr,("d->c.l is too small (%d)! Stopping execution...\n"), (d->c.l));
+ exit(0);
+ }
+ if (d->c.t < INT_MIN/4) {
+ fprintf(stderr,("d->c.t is too small (%d)! Stopping execution...\n"), (d->c.t));
+ exit(0);
+ }
+ if (d->width > (INT_MAX - d->c.l)/4) {
+ fprintf(stderr,("Width is too large (%d)! Stopping execution...\n"), (d->c.l + d->width));
+ exit(0);
+ }
+ if (d->height > (INT_MAX - d->c.t)/4) {
+ fprintf(stderr,("Height is too large (%d)! Stopping execution...\n"), (d->c.t + d->height));
+ exit(0);
+ }
+ // [ CVE-2019-5086 and CVE-2019-5087 ]
+
d->c.r = d->c.l + d->width ;
d->c.b = d->c.t + d->height ;
d->tilesx = (d->width+TILE_WIDTH-1)/TILE_WIDTH ;
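Review bot: The width and height guards can themselves overflow: the first two checks allow `d->c.l` and `d->c.t` down to `INT_MIN/4`, and for any negative value `INT_MAX - d->c.l` exceeds `INT_MAX`, which is undefined behaviour if these fields are signed int, as the `INT_MIN` comparison and the `%d` format suggest (the struct definition is not visible here). Doing the subtraction in a wider type, e.g. `if (d->width > ((long long)INT_MAX - d->c.l)/4)` and likewise for `d->height` with `d->c.t`, keeps the same bound without that overflow. All four rejections also call `exit(0)`, so a malformed XCF file that trips the check is reported to the calling shell or script as success; `exit(EXIT_FAILURE)`, or the project's existing fatal-error path if it has one, would let callers detect the rejected input. computeDimensions continues past the end of this hunk, so the later arithmetic on `tilesx` and beyond is not covered by this note.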