diff options
Diffstat (limited to 'user/atril/CVE-2019-1010006.patch')
| -rw-r--r-- | user/atril/CVE-2019-1010006.patch | 40 |
1 files changed, 19 insertions, 21 deletions
diff --git a/user/atril/CVE-2019-1010006.patch b/user/atril/CVE-2019-1010006.patch index ce107d193..913e40312 100644 --- a/user/atril/CVE-2019-1010006.patch +++ b/user/atril/CVE-2019-1010006.patch @@ -1,22 +1,18 @@ -From e02fe9170ad0ac2fd46c75329c4f1d4502d4a362 Mon Sep 17 00:00:00 2001 -From: Jason Crain <jcrain@src.gnome.org> -Date: Sat, 2 Dec 2017 20:24:33 -0600 -Subject: [PATCH] Fix overflow checks in tiff backend +From aa8c51c24a3d716986ace9a4104a9632436ccff5 Mon Sep 17 00:00:00 2001 +From: lukefromdc <lukefromdc@hushmail.com> +Date: Sat, 27 Jul 2019 15:07:13 -0400 +Subject: [PATCH] Fix buffer overflow in backend/tiff-document.c -The overflow checks in tiff_document_render and -tiff_document_get_thumbnail don't work when optimizations are enabled. -Change the checks so they don't rely on undefined behavior. - -https://bugzilla.gnome.org/show_bug.cgi?id=788980 + Apply https://gitlab.gnome.org/GNOME/evince/commit/e02fe9170ad0ac2fd46c75329c4f1d4502d4a362 --- - backend/tiff/tiff-document.c | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) + backend/tiff/tiff-document.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/backend/tiff/tiff-document.c b/backend/tiff/tiff-document.c -index 8f40934e..7bf95c2b 100644 +index 0aa31cb6..94adc400 100644 --- a/backend/tiff/tiff-document.c +++ b/backend/tiff/tiff-document.c -@@ -284,12 +284,12 @@ tiff_document_render (EvDocument *document, +@@ -268,13 +268,14 @@ tiff_document_render (EvDocument *document, return NULL; } @@ -27,11 +23,13 @@ index 8f40934e..7bf95c2b 100644 /* overflow */ return NULL; } -+ bytes = height * rowstride; ++ bytes = height * rowstride; ++ pixels = g_try_malloc (bytes); if (!pixels) { -@@ -374,15 +374,15 @@ tiff_document_get_thumbnail (EvDocument *document, + g_warning("Failed to allocate memory for rendering."); +@@ -356,15 +357,17 @@ tiff_document_render_pixbuf (EvDocument *document, if (width <= 0 || height <= 0) return NULL; @@ -40,17 +38,17 @@ index 8f40934e..7bf95c2b 100644 + if (width >= INT_MAX / 4) /* overflow */ return NULL; -+ rowstride = width * 4; - bytes = height * rowstride; - if (bytes / rowstride != height) ++ rowstride = width * 4; ++ + if (height >= INT_MAX / rowstride) /* overflow */ - return NULL; -+ bytes = height * rowstride; +- return NULL; ++ return NULL; ++ ++ bytes = height * rowstride; pixels = g_try_malloc (bytes); if (!pixels) --- -2.21.0 - |