wok diff advancecomp/stuff/CVE-2019-8383.patch @ rev 24905

updated metasploit (5.0.91 -> 6.1.36)
author Hans-G?nter Theisgen
date Sat Apr 09 13:21:57 2022 +0100 (2022-04-09)
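--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/advancecomp/stuff/CVE-2019-8383.patch	Sat Apr 09 13:21:57 2022 +0100
@@ -0,0 +1,44 @@
+commit 78a56b21340157775be2462a19276b4d31d2bd01
+Author: Andrea Mazzoleni <amadvance@gmail.com>
+Date:   Fri Jan 4 20:49:25 2019 +0100
+
+    Fix a buffer overflow caused by invalid images
+
+diff --git a/lib/png.c b/lib/png.c
+index 0939a5a..cbf140b 100644
+--- a/lib/png.c
++++ b/lib/png.c
+@@ -603,6 +603,7 @@ adv_error adv_png_read_ihdr(
+ 	unsigned pixel;
+ 	unsigned width;
+ 	unsigned width_align;
++	unsigned scanline;
+ 	unsigned height;
+ 	unsigned depth;
+ 	int r;
+@@ -719,9 +720,23 @@ adv_error adv_png_read_ihdr(
+ 		goto err_ptr;
+ 	}
+ 
+-	*dat_size = height * (width_align * pixel + 1);
++	/* check for overflow */
++	if (pixel == 0 || width_align >= UINT_MAX / pixel) {
++		error_set("Invalid image size");
++		goto err_ptr;
++	}
++
++	scanline = width_align * pixel + 1;
++
++	/* check for overflow */
++	if (scanline == 0 || height >= UINT_MAX / scanline) {
++		error_set("Invalid image size");
++		goto err_ptr;
++	}
++
++	*dat_size = height * scanline;
+ 	*dat_ptr = malloc(*dat_size);
+-	*pix_scanline = width_align * pixel + 1;
++	*pix_scanline = scanline;
+ 	*pix_ptr = *dat_ptr + 1;
+ 
+ 	z.zalloc = 0;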
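Review bot: The return value of `malloc(*dat_size)` is not checked in the visible lines before `*pix_ptr = *dat_ptr + 1` derives a pointer from it. The new overflow checks still accept a header-controlled size just below UINT_MAX, so a crafted image can make the allocation fail. A guard directly after the allocation would close that, for example `if (!*dat_ptr) { error_set("Low memory"); goto err_ptr; }` (the message text is a suggestion). A `height` of 0 also passes the second check and yields `*dat_size == 0`, so `*dat_ptr + 1` would point past a zero-byte allocation unless zero dimensions are rejected earlier. The body of adv_png_read_ihdr continues outside both hunks, so an existing check may sit in the part not shown here.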