From d95c2f0bcb6775bdee2bef35b7d84f6dfd490783 Mon Sep 17 00:00:00 2001
From: Jan Lieskovsky
Date: Tue, 14 Aug 2012 12:18:22 +0200
Subject: [PATCH] file-gif-load: limit len and height (CVE-2012-3481)

Ensure values of len and height can't overflow g_malloc() argument type.
---
 plug-ins/common/file-gif-load.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
index 4fdbe7a1d2..4287b46197 100644
--- a/plug-ins/common/file-gif-load.c
+++ b/plug-ins/common/file-gif-load.c
@@ -1057,6 +1057,13 @@ ReadImage (FILE *fd,
 cur_progress = 0;
 max_progress = height;
 
+ if (len > (G_MAXSIZE / height / (alpha_frame ? (promote_to_rgb ? 4 : 2) : 1)))
+ {
+ g_message ("'%s' has a larger image size than GIMP can handle.",
+ gimp_filename_to_utf8 (filename));
+ return -1;
+ }
+
 if (alpha_frame)
 dest = (guchar *) g_malloc (len * height * (promote_to_rgb ? 4 : 2));
 else
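Review bot: The added guard bounds the product against G_MAXSIZE, but the `g_malloc()` argument directly below it is still evaluated in the type of `len` and `height`, whose declarations are outside the hunk. If those are 32-bit integers, the multiplication can wrap before the result is widened to gsize, and on a 64-bit build the G_MAXSIZE bound would effectively never trigger for them. Widening the first operand keeps the arithmetic in the width the check assumes: `dest = (guchar *) g_malloc ((gsize) len * height * (promote_to_rgb ? 4 : 2));`, and presumably the same for the allocation under `else`, which lies past the end of the hunk. The new condition also divides by `height`, so it depends on a zero height having been rejected earlier in ReadImage, which is not visible here; the function's body starts and ends outside the hunk.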