From 09e5459de913172fc51da3bd6b6adc533acd368e Mon Sep 17 00:00:00 2001 From: Alx Sa Date: Thu, 5 Mar 2026 23:58:45 +0000 Subject: [PATCH] plug-ins: Resolve ZDI-CAN-28813 in ANI loading Resolves #15968 It is possible to cause a buffer overflow in our ANI loading code by setting the Name or Artist metadata files to 0xFFFFFFFF. This patch changes our allocation code to use g_try_new0 () instead of g_new0 (), and verifies if it is NULL before trying to read data into it. --- plug-ins/file-ico/ico-load.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c index 29ad4c5eb5..e20d79a713 100644 --- a/plug-ins/file-ico/ico-load.c +++ b/plug-ins/file-ico/ico-load.c @@ -893,7 +893,16 @@ ani_load_image (GFile *file, if (inam) g_free (inam); - inam = g_new0 (gchar, size + 1); + inam = g_try_new0 (gchar, size + 1); + if (inam == NULL) + { + fclose (fp); + g_set_error (error, G_FILE_ERROR, + g_file_error_from_errno (errno), + _("Invalid ANI metadata")); + return NULL; + } + n_read = fread (inam, sizeof (gchar), size, fp); inam[size] = '\0'; } @@ -924,7 +933,16 @@ ani_load_image (GFile *file, if (iart) g_free (iart); - iart = g_new0 (gchar, size + 1); + iart = g_try_new0 (gchar, size + 1); + if (iart == NULL) + { + fclose (fp); + g_set_error (error, G_FILE_ERROR, + g_file_error_from_errno (errno), + _("Invalid ANI metadata")); + return NULL; + } + n_read = fread (iart, sizeof (gchar), size, fp); iart[size] = '\0'; }