From f520f4c2688a3411d1e52e5e6804f7e1f55278e4 Mon Sep 17 00:00:00 2001 From: Alx Sa Date: Wed, 3 Sep 2025 13:41:10 +0000 Subject: [PATCH] plug-ins: Fix ZDI-CAN-27684 Prevent overflow attack by checking if output >= max, not just output > max. (cherry picked from commit 5f4329d324b0db7a857918941ef7e1d27f3d3992) --- plug-ins/file-icns/file-icns-load.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/plug-ins/file-icns/file-icns-load.c b/plug-ins/file-icns/file-icns-load.c index c8f16fef60..f2298c056e 100644 --- a/plug-ins/file-icns/file-icns-load.c +++ b/plug-ins/file-icns/file-icns-load.c @@ -323,7 +323,7 @@ icns_decompress (guchar *dest, for (run -= 125; run > 0; run--) { - if (out > max) + if (out >= max) { g_message ("Corrupt icon? compressed run overflows output size."); return FALSE; @@ -341,7 +341,7 @@ icns_decompress (guchar *dest, g_message ("Corrupt icon: uncompressed run overflows input size."); return FALSE; } - if (out > max) + if (out >= max) { g_message ("Corrupt icon: uncompressed run overflows output size."); return FALSE;