Commit c2a40a92 authored by Tobias Mueller, committed by Bastien Nocera

jpeg: Throw error when number of color components is unsupported

Explicitly check "3" or "4" output color components.

gdk-pixbuf assumed the value of output_components to be either
3 or 4, but not an invalid value (9) or an unsupported value (1).

The way the buffer size was deduced was using a naive "== 4" check,
with a 1, 3 or 9 color component picture getting the same buffer size,
a size just sufficient for 3 color components, causing invalid writes
later when libjpeg-turbo was decoding the image.

CVE-2017-2862

Sent by Marcin 'Icewall' Noga of Cisco Talos

https://bugzilla.gnome.org/show_bug.cgi?id=784866
parent 4ffc78b6
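
An added example, not the gdk-pixbuf patch or code from the project: a small C model of the sizing mistake the commit message describes, next to a check that accepts only 3 or 4 components. All function names are hypothetical, and the overflow guard is an extra assumption beyond what the message states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the naive sizing: anything that is not 4 is treated as 3. */
size_t naive_row_bytes(size_t width, int output_components)
{
    int channels = (output_components == 4) ? 4 : 3;
    return width * (size_t)channels;
}

/* A JPEG decoder emits width * output_components samples per scanline. */
size_t decoder_row_bytes(size_t width, int output_components)
{
    return width * (size_t)output_components;
}

/* Bytes written past the end of a naively sized row buffer. */
size_t overrun_bytes(size_t width, int output_components)
{
    size_t have = naive_row_bytes(width, output_components);
    size_t need = decoder_row_bytes(width, output_components);
    return need > have ? need - have : 0;
}

/* Hardened sizing: reject every component count except 3 or 4 before
 * allocating. Returns 0 and sets *out on success, -1 on rejection.
 * The multiplication overflow guard is an added assumption. */
int checked_row_bytes(size_t width, int output_components, size_t *out)
{
    if (output_components != 3 && output_components != 4)
        return -1;
    if (width == 0 || width > SIZE_MAX / (size_t)output_components)
        return -1;
    *out = width * (size_t)output_components;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a 10-pixel-wide row with 1, 3, 4 and 9 components. */
    int comps[] = { 1, 3, 4, 9 };
    for (size_t i = 0; i < sizeof comps / sizeof comps[0]; i++) {
        size_t n = 0;
        int rc = checked_row_bytes(10, comps[i], &n);
        printf("components=%d naive=%zu overrun=%zu checked=%s\n", comps[i],
               naive_row_bytes(10, comps[i]), overrun_bytes(10, comps[i]),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The 1-component case does not overrun in this model, but it is still rejected because the rest of the loader would interpret the buffer as 3-channel data.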