diff options
Diffstat (limited to 'user/atril/CVE-2019-11459.patch')
| -rw-r--r-- | user/atril/CVE-2019-11459.patch | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/user/atril/CVE-2019-11459.patch b/user/atril/CVE-2019-11459.patch new file mode 100644 index 000000000..a826cbd29 --- /dev/null +++ b/user/atril/CVE-2019-11459.patch @@ -0,0 +1,69 @@ +Backport of the following, since it did not apply due to whitespace / +formatting + +From bd4ce9171fef52720e74ffeeeeca3b0c5b5d4808 Mon Sep 17 00:00:00 2001 +From: Victor Kareh <vkareh@redhat.com> +Date: Sun, 11 Aug 2019 05:20:09 +0300 +Subject: [PATCH] tiff: Handle failure from TIFFReadRGBAImageOriented + +The TIFFReadRGBAImageOriented function returns zero if it was unable to +read the image. Return NULL in this case instead of displaying +uninitialized memory. + +This addresses CVE-2019-11459 + +upstream commit: +https://gitlab.gnome.org/GNOME/evince/commit/234f034a4 +--- + +--- atril-1.22.1/backend/tiff/tiff-document.c ++++ atril-1.22.1/backend/tiff/tiff-document.c +@@ -282,17 +282,21 @@ tiff_document_render (EvDocument *d + return NULL; + } + ++ if (!TIFFReadRGBAImageOriented (tiff_document->tiff, ++ width, height, ++ (uint32 *)pixels, ++ orientation, 0)) { ++ g_warning ("Failed to read TIFF image."); ++ g_free (pixels); ++ return NULL; ++ } ++ + surface = cairo_image_surface_create_for_data (pixels, + CAIRO_FORMAT_RGB24, + width, height, + rowstride); + cairo_surface_set_user_data (surface, &key, + pixels, (cairo_destroy_func_t)g_free); +- +- TIFFReadRGBAImageOriented (tiff_document->tiff, +- width, height, +- (uint32 *)pixels, +- orientation, 0); + pop_handlers (); + + /* Convert the format returned by libtiff to +@@ -373,13 +377,17 @@ tiff_document_render_pixbuf (EvDocument + if (!pixels) + return NULL; + ++ if (!TIFFReadRGBAImageOriented (tiff_document->tiff, ++ width, height, ++ (uint32 *)pixels, ++ ORIENTATION_TOPLEFT, 0)) { ++ g_free (pixels); ++ return NULL; ++ } ++ + pixbuf = gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, TRUE, 8, + width, height, rowstride, + (GdkPixbufDestroyNotify) g_free, NULL); +- TIFFReadRGBAImageOriented (tiff_document->tiff, +- width, height, +- (uint32 *)pixels, +- ORIENTATION_TOPLEFT, 0); + pop_handlers (); + + scaled_pixbuf = gdk_pixbuf_scale_simple (pixbuf, |