|
|
@@ -0,0 +1,45 @@
|
|
|
+CVE: CVE-2017-7961
|
|
|
+Upstream-Status: Backport
|
|
|
+Signed-off-by: Ross Burton <ross.burton@intel.com>
|
|
|
+
|
|
|
+From 9ad72875e9f08e4c519ef63d44cdbd94aa9504f7 Mon Sep 17 00:00:00 2001
|
|
|
+From: Ignacio Casal Quinteiro <qignacio@amazon.com>
|
|
|
+Date: Sun, 16 Apr 2017 13:56:09 +0200
|
|
|
+Subject: [PATCH] tknzr: support only max long rgb values
|
|
|
+
|
|
|
+This fixes a possible out of bound when reading rgbs which
|
|
|
+are longer than the support MAXLONG
|
|
|
+---
|
|
|
+ src/cr-tknzr.c | 10 ++++++++++
|
|
|
+ 1 file changed, 10 insertions(+)
|
|
|
+
|
|
|
+diff --git a/src/cr-tknzr.c b/src/cr-tknzr.c
|
|
|
+index 1a7cfeb..1548c35 100644
|
|
|
+--- a/src/cr-tknzr.c
|
|
|
++++ b/src/cr-tknzr.c
|
|
|
+@@ -1279,6 +1279,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb)
|
|
|
+ status = cr_tknzr_parse_num (a_this, &num);
|
|
|
+ ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL));
|
|
|
+
|
|
|
++ if (num->val > G_MAXLONG) {
|
|
|
++ status = CR_PARSING_ERROR;
|
|
|
++ goto error;
|
|
|
++ }
|
|
|
++
|
|
|
+ red = num->val;
|
|
|
+ cr_num_destroy (num);
|
|
|
+ num = NULL;
|
|
|
+@@ -1298,6 +1303,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb)
|
|
|
+ status = cr_tknzr_parse_num (a_this, &num);
|
|
|
+ ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL));
|
|
|
+
|
|
|
++ if (num->val > G_MAXLONG) {
|
|
|
++ status = CR_PARSING_ERROR;
|
|
|
++ goto error;
|
|
|
++ }
|
|
|
++
|
|
|
+ PEEK_BYTE (a_this, 1, &next_bytes[0]);
|
|
|
+ if (next_bytes[0] == '%') {
|
|
|
+ SKIP_CHARS (a_this, 1);
|
|
|
+--
|
|
|
+2.18.1
|
Ross Burton