mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-17 04:37:19 +00:00
gimp: patch CVE-2026-0797
Details: https://nvd.nist.gov/vuln/detail/CVE-2026-0797 The patch referenced in the NVD report looks incorrect. This change in this patch was taken from the related upstream issue[1]. [1]: https://gitlab.gnome.org/GNOME/gimp/-/issues/15555 Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
This commit is contained in:
committed by
Anuj Mittal
parent
3dd2d0dc98
commit
74f6a2e5ac
@@ -0,0 +1,91 @@
|
|||||||
|
From b00dbb729ef8218ffadc3ddeee6841b8ffb1b7ea Mon Sep 17 00:00:00 2001
|
||||||
|
From: Alx Sa <cmyk.student@gmail.com>
|
||||||
|
Date: Fri, 26 Dec 2025 15:49:45 +0000
|
||||||
|
Subject: [PATCH] plug-ins: Add more fread () checks in ICO loading
|
||||||
|
|
||||||
|
Resolves #15555
|
||||||
|
|
||||||
|
This patch adds some guards for ico_read_int8 (),
|
||||||
|
which was used for loading palettes and maps
|
||||||
|
without verifying that it returned the same number
|
||||||
|
of bytes as what it tried to read in.
|
||||||
|
|
||||||
|
CVE: CVE-2026-0797
|
||||||
|
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gimp/-/commit/09e72ef32bf47dea047b044dba789557f334b7d5]
|
||||||
|
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
|
||||||
|
---
|
||||||
|
plug-ins/file-ico/ico-load.c | 33 ++++++++++++++++++++++++++-------
|
||||||
|
1 file changed, 26 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c
|
||||||
|
index c144b6e..7eb9cb7 100644
|
||||||
|
--- a/plug-ins/file-ico/ico-load.c
|
||||||
|
+++ b/plug-ins/file-ico/ico-load.c
|
||||||
|
@@ -69,7 +69,9 @@ ico_read_int32 (FILE *fp,
|
||||||
|
total = count;
|
||||||
|
if (count > 0)
|
||||||
|
{
|
||||||
|
- ico_read_int8 (fp, (guint8 *) data, count * 4);
|
||||||
|
+ if (ico_read_int8 (fp, (guint8 *) data, count * 4) != (count * 4))
|
||||||
|
+ return FALSE;
|
||||||
|
+
|
||||||
|
for (i = 0; i < count; i++)
|
||||||
|
data[i] = GUINT32_FROM_LE (data[i]);
|
||||||
|
}
|
||||||
|
@@ -88,7 +90,9 @@ ico_read_int16 (FILE *fp,
|
||||||
|
total = count;
|
||||||
|
if (count > 0)
|
||||||
|
{
|
||||||
|
- ico_read_int8 (fp, (guint8 *) data, count * 2);
|
||||||
|
+ if (ico_read_int8 (fp, (guint8 *) data, count * 2) != (count * 2))
|
||||||
|
+ return FALSE;
|
||||||
|
+
|
||||||
|
for (i = 0; i < count; i++)
|
||||||
|
data[i] = GUINT16_FROM_LE (data[i]);
|
||||||
|
}
|
||||||
|
@@ -109,8 +113,8 @@ ico_read_int8 (FILE *fp,
|
||||||
|
while (count > 0)
|
||||||
|
{
|
||||||
|
bytes = fread ((gchar *) data, sizeof (gchar), count, fp);
|
||||||
|
- if (bytes <= 0) /* something bad happened */
|
||||||
|
- break;
|
||||||
|
+ if (bytes != count) /* something bad happened */
|
||||||
|
+ return -1;
|
||||||
|
|
||||||
|
count -= bytes;
|
||||||
|
data += bytes;
|
||||||
|
@@ -485,16 +489,31 @@ ico_read_icon (FILE *fp,
|
||||||
|
data.used_clrs, data.bpp));
|
||||||
|
|
||||||
|
palette = g_new0 (guint32, data.used_clrs);
|
||||||
|
- ico_read_int8 (fp, (guint8 *) palette, data.used_clrs * 4);
|
||||||
|
+ if (ico_read_int8 (fp,
|
||||||
|
+ (guint8 *) palette,
|
||||||
|
+ data.used_clrs * 4) != (data.used_clrs * 4))
|
||||||
|
+ {
|
||||||
|
+ D(("skipping image: too large\n"));
|
||||||
|
+ return FALSE;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
}
|
||||||
|
|
||||||
|
xor_map = ico_alloc_map (w, h, data.bpp, &length);
|
||||||
|
- ico_read_int8 (fp, xor_map, length);
|
||||||
|
+ if (ico_read_int8 (fp, xor_map, length) != length)
|
||||||
|
+ {
|
||||||
|
+ D(("skipping image: too large\n"));
|
||||||
|
+ return FALSE;
|
||||||
|
+ }
|
||||||
|
D((" length of xor_map: %i\n", length));
|
||||||
|
|
||||||
|
/* Read in and_map. It's padded out to 32 bits per line: */
|
||||||
|
and_map = ico_alloc_map (w, h, 1, &length);
|
||||||
|
- ico_read_int8 (fp, and_map, length);
|
||||||
|
+ if (! ico_read_int8 (fp, and_map, length) != length)
|
||||||
|
+ {
|
||||||
|
+ D(("skipping image: too large\n"));
|
||||||
|
+ return FALSE;
|
||||||
|
+ }
|
||||||
|
D((" length of and_map: %i\n", length));
|
||||||
|
|
||||||
|
dest_vec = (guint32 *) buf;
|
||||||
@@ -54,6 +54,7 @@ SRC_URI = "https://download.gimp.org/pub/${BPN}/v${SHPV}/${BP}.tar.bz2 \
|
|||||||
file://CVE-2025-2760-1.patch \
|
file://CVE-2025-2760-1.patch \
|
||||||
file://CVE-2025-2760-2.patch \
|
file://CVE-2025-2760-2.patch \
|
||||||
file://CVE-2025-2761.patch \
|
file://CVE-2025-2761.patch \
|
||||||
|
file://CVE-2026-0797.patch \
|
||||||
"
|
"
|
||||||
SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e"
|
SRC_URI[sha256sum] = "50a845eec11c8831fe8661707950f5b8446e35f30edfb9acf98f85c1133f856e"
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user