GNOME Bugzilla – Bug 790784
heap overread in gbr parser / load_image / gimp_any_to_utf8
Last modified: 2017-12-21 11:30:32 UTC
Created attachment 364316: example file

The attached sample file will cause a heap buffer overread in the gbr import parser. This can be detected with AddressSanitizer. I haven't fully analyzed it, but judging from the function names it looks like either malformed UTF-8 or a non-terminated string is causing this (may be similar to #790783).
Created attachment 364317: ASan stack trace
commit 06d24a79af94837d615d0024916bb95a01bf3c59 (HEAD -> master, origin/master, origin/HEAD)
Author: Jehan <jehan@girinstud.io>
Date:   Thu Dec 21 12:15:34 2017 +0100

    Bug 790784 - (CVE-2017-17784) heap overread in gbr parser / load_image.

    We were assuming the input name was well formed, hence was nul-terminated.
    As any data coming from external input, this has to be thoroughly checked.

 plug-ins/common/file-gbr.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
And in 2.8:

commit c57f9dcf1934a9ab0cd67650f2dea18cb0902270 (HEAD -> gimp-2-8, origin/gimp-2-8)
Author: Jehan <jehan@girinstud.io>
Date:   Thu Dec 21 12:25:32 2017 +0100

    Bug 790784 - (CVE-2017-17784) heap overread in gbr parser / load_image.

    We were assuming the input name was well formed, hence was nul-terminated.
    As any data coming from external input, this has to be thoroughly checked.

    Similar to commit 06d24a79af94837d615d0024916bb95a01bf3c59 but adapted to
    older gimp-2-8 code.

 plug-ins/common/file-gbr.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
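The bug above comes down to one assumption: the brush name read from the file header is nul-terminated, so it can be handed to a conversion routine with length -1 (the GLib convention for "scan until NUL"). A file whose name field has no NUL makes that scan run off the end of the heap buffer that holds the name. The following is an added example written for this page, not GIMP's file-gbr.c and not the diff from the commits above (which the page does not show); it assumes the version-2 .gbr layout of seven big-endian 32-bit fields (header_size, version, width, height, bytes, magic "GIMP", spacing) followed by header_size - 28 bytes of name, and it rejects an unterminated name rather than forcing a terminator, which is one of the two usual fixes. The sample headers, the helper names and the error codes are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed .gbr v2 layout: 28 fixed header bytes, then the brush name,
 * which the format expects to be nul-terminated, then pixel data. */
enum { GBR_FIXED = 28 };
#define GBR_MAGIC 0x47494D50u   /* 'G','I','M','P' */

enum gbr_err {
  GBR_OK              =  0,
  GBR_ERR_SHORT       = -1,   /* fewer than 28 bytes of input */
  GBR_ERR_VERSION     = -2,   /* not a v2 header with the GIMP magic */
  GBR_ERR_HEADER_SIZE = -3,   /* header_size < 28: name length would wrap */
  GBR_ERR_TRUNCATED   = -4,   /* declared name field runs past the data */
  GBR_ERR_NAME_NO_NUL = -5    /* name field has no NUL: the bug's trigger */
};

typedef struct {
  uint32_t header_size, version, width, height, bytes, magic, spacing;
  char *name;                 /* heap copy, always nul-terminated on GBR_OK */
} gbr_header;

static uint32_t be32(const uint8_t *p)
{
  return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
         ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
  p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
  p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Shape of the pre-fix bug, emulated without the undefined read: the name
 * bytes sit in a heap buffer of exactly name_len bytes, and a length -1
 * conversion scans for a NUL. Returns 1 when that scan would leave the
 * buffer, i.e. when no NUL exists inside the declared field. */
int gbr_name_scan_overreads(const uint8_t *name, size_t name_len)
{
  return memchr(name, '\0', name_len) == NULL;
}

/* Hardened header parse: every length derived from the file is checked
 * before it is used, and the name is terminated by us, not by the file. */
int gbr_parse_header(const uint8_t *buf, size_t len, gbr_header *out)
{
  memset(out, 0, sizeof *out);
  if (len < GBR_FIXED) return GBR_ERR_SHORT;
  out->header_size = be32(buf);
  out->version     = be32(buf + 4);
  out->width       = be32(buf + 8);
  out->height      = be32(buf + 12);
  out->bytes       = be32(buf + 16);
  out->magic       = be32(buf + 20);
  out->spacing     = be32(buf + 24);
  if (out->version != 2 || out->magic != GBR_MAGIC) return GBR_ERR_VERSION;
  /* Compare before subtracting: an attacker-chosen header_size below 28
   * would otherwise wrap the name length to about 4 GiB. */
  if (out->header_size < GBR_FIXED) return GBR_ERR_HEADER_SIZE;
  size_t name_len = out->header_size - GBR_FIXED;
  if (name_len > len - GBR_FIXED) return GBR_ERR_TRUNCATED;
  const uint8_t *name = buf + GBR_FIXED;
  if (name_len > 0 && gbr_name_scan_overreads(name, name_len))
    return GBR_ERR_NAME_NO_NUL;
  out->name = malloc(name_len + 1);
  if (!out->name) return GBR_ERR_SHORT;
  memcpy(out->name, name, name_len);
  out->name[name_len] = '\0';   /* terminate regardless of file contents */
  return GBR_OK;
}

/* Constructed sample: a 1x1 grayscale brush with the given raw name bytes.
 * out needs GBR_FIXED + name_len + 1 bytes; returns the bytes written. */
size_t make_sample(uint8_t *out, uint32_t header_size,
                   const uint8_t *name, size_t name_len)
{
  put_be32(out, header_size);  put_be32(out + 4, 2);
  put_be32(out + 8, 1);        put_be32(out + 12, 1);
  put_be32(out + 16, 1);       put_be32(out + 20, GBR_MAGIC);
  put_be32(out + 24, 10);
  memcpy(out + GBR_FIXED, name, name_len);
  out[GBR_FIXED + name_len] = 0xff;   /* the single pixel */
  return GBR_FIXED + name_len + 1;
}

int main(void)
{
  uint8_t buf[64];
  gbr_header h;
  size_t n = make_sample(buf, GBR_FIXED + 4, (const uint8_t *)"AAAA", 4);
  printf("unterminated name -> %d\n", gbr_parse_header(buf, n, &h));
  n = make_sample(buf, GBR_FIXED + 5, (const uint8_t *)"test", 5);
  if (gbr_parse_header(buf, n, &h) == GBR_OK) { printf("name=%s\n", h.name); free(h.name); }
  return 0;
}
```

The check on header_size before the subtraction matters as much as the NUL check: a malformed header that is too small is the other way an attacker steers the name length, and a size_t wrap there turns a short read into a huge one. Rejecting the file is the strict choice; writing a NUL into the last byte of the name buffer before the conversion is the alternative that keeps loading tolerant of sloppy writers, at the cost of silently truncating names.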