62 lines
1.7 KiB
Diff
62 lines
1.7 KiB
Diff
From 59c38e3e45b9112c2bcb4392bccf56e297854f8a Mon Sep 17 00:00:00 2001
|
|
From: Anton Gladky <gladk@debian.org>
|
|
Date: Sat, 23 May 2020 17:44:33 +0200
|
|
Subject: [PATCH] Prevent integer overflow in computeDimensions. #12
|
|
|
|
Fix for CVE-2019-5086 and CVE-2019-5087
|
|
|
|
The code checks the sizes of width and height and stop execution, if it exceeds
|
|
maximal values.
|
|
---
|
|
xcf-general.c | 16 ++++++++++++++++
|
|
xcftools.h | 2 +-
|
|
2 files changed, 17 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/xcf-general.c b/xcf-general.c
|
|
index b23c260..169b4f7 100644
|
|
--- a/xcf-general.c
|
|
+++ b/xcf-general.c
|
|
@@ -19,6 +19,7 @@
|
|
#include "xcftools.h"
|
|
#include <string.h>
|
|
#include <errno.h>
|
|
+#include <limits.h>
|
|
#ifdef HAVE_ICONV
|
|
# include <iconv.h>
|
|
#elif !defined(ICONV_CONST)
|
|
@@ -182,6 +183,21 @@ xcfString(uint32_t ptr,uint32_t *after)
|
|
void
|
|
computeDimensions(struct tileDimensions *d)
|
|
{
|
|
+ // [ CVE-2019-5086 and CVE-2019-5087 ]
|
|
+ // This part of code is the check to prevent integer overflow, see CVE-2019-5086 and CVE-2019-5087
|
|
+
|
|
+ if ((d->c.l + d->width)*4 > INT_MAX) {
|
|
+ fprintf(stderr,("Width is too large (%d)! Stopping execution...\n"), (d->c.l + d->width));
|
|
+ exit(0);
|
|
+ }
|
|
+
|
|
+ if ((d->c.t + d->height)*4 > INT_MAX) {
|
|
+ fprintf(stderr,("Height is too large (%d)! Stopping execution...\n"), (d->c.t + d->height));
|
|
+ exit(0);
|
|
+ }
|
|
+
|
|
+ // [ CVE-2019-5086 and CVE-2019-5087 ]
|
|
+
|
|
d->c.r = d->c.l + d->width ;
|
|
d->c.b = d->c.t + d->height ;
|
|
d->tilesx = (d->width+TILE_WIDTH-1)/TILE_WIDTH ;
|
|
diff --git a/xcftools.h b/xcftools.h
|
|
index 5a1efcc..4bb02ea 100644
|
|
--- a/xcftools.h
|
|
+++ b/xcftools.h
|
|
@@ -121,7 +121,7 @@ FILE* openout(const char*);
|
|
void closeout(FILE *,const char*);
|
|
|
|
struct rect {
|
|
- int t, b, l, r ;
|
|
+ int64_t t, b, l, r ;
|
|
};
|
|
|
|
#define isSubrect(A,B) \
|