aboutsummaryrefslogtreecommitdiff
path: root/package/lcms2
diff options
context:
space:
mode:
authorGravatar Peter Korsgaard <peter@korsgaard.com>2017-01-30 14:05:12 +0100
committerGravatar Peter Korsgaard <peter@korsgaard.com>2017-01-30 21:16:05 +0100
commitcd2e115a3feb501afc11d3c6ce29fd947a631cda (patch)
tree76aa7c34e10ede7e12256630473f39614c84c795 /package/lcms2
parent6b4acf923b0e4c46d058a28877df805785258496 (diff)
downloadbuildroot-cd2e115a3feb501afc11d3c6ce29fd947a631cda.tar.gz
buildroot-cd2e115a3feb501afc11d3c6ce29fd947a631cda.tar.bz2
lcms2: add upstream security fix for CVE-2016-10165
An out-of-bounds read in cmstypes.c in Type_MLU_Read function was found, leading to heap memory leak triggered by crafted ICC profile. https://bugzilla.redhat.com/show_bug.cgi?id=1367357 Add upstream patch to fix it. Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Diffstat (limited to 'package/lcms2')
-rw-r--r--package/lcms2/0002-Added-an-extra-check-to-MLU-bounds.patch27
1 files changed, 27 insertions, 0 deletions
diff --git a/package/lcms2/0002-Added-an-extra-check-to-MLU-bounds.patch b/package/lcms2/0002-Added-an-extra-check-to-MLU-bounds.patch
new file mode 100644
index 0000000000..9a5d9dd4e9
--- /dev/null
+++ b/package/lcms2/0002-Added-an-extra-check-to-MLU-bounds.patch
@@ -0,0 +1,27 @@
+From 5ca71a7bc18b6897ab21d815d15e218e204581e2 Mon Sep 17 00:00:00 2001
+From: Marti <marti.maria@tktbrainpower.com>
+Date: Mon, 15 Aug 2016 23:31:39 +0200
+Subject: [PATCH] Added an extra check to MLU bounds
+
+Thanks to Ibrahim el-sayed for spotting the bug
+
+Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
+---
+ src/cmstypes.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/cmstypes.c b/src/cmstypes.c
+index cb61860..c7328b9 100644
+--- a/src/cmstypes.c
++++ b/src/cmstypes.c
+@@ -1460,6 +1460,7 @@ void *Type_MLU_Read(struct _cms_typehandler_struct* self, cmsIOHANDLER* io, cmsU
+
+ // Check for overflow
+ if (Offset < (SizeOfHeader + 8)) goto Error;
++ if ((Offset + Len) > SizeOfTag + 8) goto Error;
+
+ // True begin of the string
+ BeginOfThisString = Offset - SizeOfHeader - 8;
+--
+2.11.0
+
generated by cgit v1.2.1 (git 2.18.0) at 2021-02-24 23:17:15 +0000