| From 9ad72875e9f08e4c519ef63d44cdbd94aa9504f7 Mon Sep 17 00:00:00 2001 |
| From: Ignacio Casal Quinteiro <qignacio@amazon.com> |
| Date: Sun, 16 Apr 2017 13:56:09 +0200 |
| Subject: [PATCH] tknzr: support only max long rgb values |
| |
| Fixes CVE-2017-7961 |
| |
| This fixes a possible out-of-bounds condition when reading rgb values which |
| are larger than the supported MAXLONG |
| |
| Signed-off-by: Peter Korsgaard <peter@korsgaard.com> |
| --- |
| src/cr-tknzr.c | 10 ++++++++++ |
| 1 file changed, 10 insertions(+) |
| |
| diff --git a/src/cr-tknzr.c b/src/cr-tknzr.c |
| index 1a7cfeb..1548c35 100644 |
| --- a/src/cr-tknzr.c |
| +++ b/src/cr-tknzr.c |
| @@ -1279,6 +1279,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb) |
| status = cr_tknzr_parse_num (a_this, &num); |
| ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL)); |
| |
| + if (num->val > G_MAXLONG) { |
| + status = CR_PARSING_ERROR; |
| + goto error; |
| + } |
| + |
| red = num->val; |
| cr_num_destroy (num); |
| num = NULL; |
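Review bot: The added guard `if (num->val > G_MAXLONG)` bounds only the upper side, so a value below `G_MINLONG` (or a NaN, if `val` is a floating-point field, which the hunk does not show) still reaches `red = num->val;`. If `val` is a double, `G_MAXLONG` rounds up when converted for the comparison on 64-bit targets, so a value equal to the rounded limit passes `>` and the conversion is still out of range. A range test covers both cases, e.g. `if (!(num->val >= G_MINLONG && num->val < (gdouble) G_MAXLONG)) {`. The second hunk (`@@ -1298,6 +1303,11 @@`) repeats the same guard and needs the same change. cr_tknzr_parse_rgb starts and ends outside both hunks.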
| @@ -1298,6 +1303,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb) |
| status = cr_tknzr_parse_num (a_this, &num); |
| ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL)); |
| |
| + if (num->val > G_MAXLONG) { |
| + status = CR_PARSING_ERROR; |
| + goto error; |
| + } |
| + |
| PEEK_BYTE (a_this, 1, &next_bytes[0]); |
| if (next_bytes[0] == '%') { |
| SKIP_CHARS (a_this, 1); |
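Review bot: The new `goto error;` leaves `num` allocated, whereas the success path in the first hunk releases it with `cr_num_destroy (num);` right after the value is copied. The `error` label is outside both hunks, so whether it frees `num` cannot be confirmed from here; if it does not, each rejected value leaks one allocated number object, which matters for a parser fed untrusted stylesheets. Adding `cr_num_destroy (num);` and `num = NULL;` before the `goto error;` in both added blocks would make the cleanup explicit and stays safe even if the label already frees a non-NULL `num`.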
| -- |
| 2.11.0 |
| |