summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorChangqing Li <changqing.li@windriver.com>2021-04-22 16:09:59 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-05-05 17:43:23 +0100
commit454dcd199de4fd0fddb92be864f9398a560c8ca6 (patch)
tree3aa3001309a48a74ce082bec2690ab53e347fb20
parent5faaedd8e39746930f982a088c4de9541652aa97 (diff)
downloadpoky-454dcd199de4fd0fddb92be864f9398a560c8ca6.tar.gz
gdk-pixbuf: fix CVE-2021-20240
(From OE-Core rev: 69314f890b208ac5ac5d63b905c42f3d3c39da7c) Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch40
-rw-r--r--meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb1
2 files changed, 41 insertions, 0 deletions
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch
new file mode 100644
index 0000000000..fe594b24bb
--- /dev/null
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf/CVE-2021-20240.patch
@@ -0,0 +1,40 @@
1From 086e8adf4cc352cd11572f96066b001b545f354e Mon Sep 17 00:00:00 2001
2From: Emmanuele Bassi <ebassi@gnome.org>
3Date: Wed, 1 Apr 2020 18:11:55 +0100
4Subject: [PATCH] Check the memset length argument
5
6Avoid overflows by using the checked multiplication macro for gsize.
7
8Fixes: #132
9
10Upstream-Status: Backported [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/086e8adf4cc352cd11572f96066b001b545f354e]
11CVE: CVE-2021-20240
12
13Signed-off-by: Changqing Li <changqing.li@windriver.com>
14---
15 gdk-pixbuf/io-gif-animation.c | 6 +++++-
16 1 file changed, 5 insertions(+), 1 deletion(-)
17
18diff --git a/gdk-pixbuf/io-gif-animation.c b/gdk-pixbuf/io-gif-animation.c
19index c9db3c66e..49674fd2e 100644
20--- a/gdk-pixbuf/io-gif-animation.c
21+++ b/gdk-pixbuf/io-gif-animation.c
22@@ -412,11 +412,15 @@ gdk_pixbuf_gif_anim_iter_get_pixbuf (GdkPixbufAnimationIter *anim_iter)
23
24 /* If no rendered frame, render the first frame */
25 if (anim->last_frame == NULL) {
26+ gsize len = 0;
27 if (anim->last_frame_data == NULL)
28 anim->last_frame_data = gdk_pixbuf_new (GDK_COLORSPACE_RGB, TRUE, 8, anim->width, anim->height);
29 if (anim->last_frame_data == NULL)
30 return NULL;
31- memset (gdk_pixbuf_get_pixels (anim->last_frame_data), 0, gdk_pixbuf_get_rowstride (anim->last_frame_data) * anim->height);
32+ if (g_size_checked_mul (&len, gdk_pixbuf_get_rowstride (anim->last_frame_data), anim->height))
33+ memset (gdk_pixbuf_get_pixels (anim->last_frame_data), 0, len);
34+ else
35+ return NULL;
36 composite_frame (anim, g_list_nth_data (anim->frames, 0));
37 }
38
39--
40GitLab
diff --git a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb
index 16708fd581..32af2de1e8 100644
--- a/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb
+++ b/meta/recipes-gnome/gdk-pixbuf/gdk-pixbuf_2.40.0.bb
@@ -25,6 +25,7 @@ SRC_URI = "${GNOME_MIRROR}/${BPN}/${MAJ_VER}/${BPN}-${PV}.tar.xz \
25 file://0006-Build-thumbnailer-and-tests-also-in-cross-builds.patch \ 25 file://0006-Build-thumbnailer-and-tests-also-in-cross-builds.patch \
26 file://missing-test-data.patch \ 26 file://missing-test-data.patch \
27 file://CVE-2020-29385.patch \ 27 file://CVE-2020-29385.patch \
28 file://CVE-2021-20240.patch \
28 " 29 "
29 30
30SRC_URI_append_class-target = " \ 31SRC_URI_append_class-target = " \