Brad Bishop | 6ef3265 | 2018-10-09 18:59:25 +0100 | [diff] [blame] | 1 | From 5fa3165613b77b516e2b0dc128f73b673bd3ec8b Mon Sep 17 00:00:00 2001 |
| 2 | From: Ignacio Casal Quinteiro <qignacio@amazon.com> |
| 3 | Date: Sun, 16 Apr 2017 13:56:09 +0200 |
| 4 | Subject: [PATCH] tknzr: support only max long rgb values |
| 5 | |
| 6 | This fixes a possible out-of-bounds value when reading rgbs which |
| 7 | are longer than the supported MAXLONG |
| 8 | |
| 9 | Upstream-Status: Backport [https://git.gnome.org/browse/libcroco/patch/?id=9ad72875e9f08e4c519ef63d44cdbd94aa9504f7] |
| 10 | CVE: CVE-2017-7961 |
| 11 | Signed-off-by: Sinan Kaya <okaya@kernel.org> |
| 12 | --- |
| 13 | src/cr-tknzr.c | 10 ++++++++++ |
| 14 | 1 file changed, 10 insertions(+) |
| 15 | |
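diff --git a/src/cr-tknzr.c b/src/cr-tknzr.c
index e3af0ee..76886ec 100644
--- a/src/cr-tknzr.c
+++ b/src/cr-tknzr.c
@@ -1280,6 +1280,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb)
 status = cr_tknzr_parse_num (a_this, &num);
 ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL));
 
+ if (num->val > G_MAXLONG) {
+ status = CR_PARSING_ERROR;
+ goto error;
+ }
+
 red = num->val;
 cr_num_destroy (num);
 num = NULL;
@@ -1299,6 +1304,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb)
 status = cr_tknzr_parse_num (a_this, &num);
 ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL));
 
+ if (num->val > G_MAXLONG) {
+ status = CR_PARSING_ERROR;
+ goto error;
+ }
+
 PEEK_BYTE (a_this, 1, &next_bytes[0]);
 if (next_bytes[0] == '%') {
 SKIP_CHARS (a_this, 1);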
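Review bot: The guard `if (num->val > G_MAXLONG)` added in both hunks of cr_tknzr_parse_rgb bounds the parsed number only from above, and with a strict `>`. Assuming `val` is a floating-point field (its declaration is outside the hunks), G_MAXLONG is not exactly representable on 64-bit targets and rounds up, so a value equal to the rounded bound still passes and reaches the `red = num->val` conversion; the same holds for anything below G_MINLONG, if cr_tknzr_parse_num can return a negative number. I would write the test as `if (num->val < G_MINLONG || num->val >= G_MAXLONG) {` in both places, with a comment such as `/* reject values that cannot be converted to the integer colour component without overflow (CVE-2017-7961) */`. The `goto error` skips the `cr_num_destroy (num)` that follows in the first hunk, so confirm that the `error:` label releases `num`; the label, like the start and end of the function, lies outside these hunks.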
| 44 | -- |
| 45 | 2.19.0 |
| 46 | |