From 4af78023ce7d3b5e3cec422a59bb4f48fa4f5886 Mon Sep 17 00:00:00 2001
From: Matthias Clasen
Date: Fri, 11 Jul 2025 11:02:05 -0400
Subject: [PATCH] jpeg: Be more careful with chunked icc data

We we inadvertendly trusting the sequence numbers not to lie. If they do we would report a larger data size than we actually allocated, leading to out of bounds memory access in base64 encoding later on. This has been assigned CVE-2025-7345.

Fixes: #249
CVE: CVE-2025-7345
Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/4af78023ce7d3b5e3cec422a59bb4f48fa4f5886]
Signed-off-by: Archana Polampalli
---
 gdk-pixbuf/io-jpeg.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
index 3841fc0..9ee1d21 100644
--- a/gdk-pixbuf/io-jpeg.c
+++ b/gdk-pixbuf/io-jpeg.c
@@ -356,6 +356,7 @@ jpeg_parse_exif_app2_segment (JpegExifContext *context, jpeg_saved_marker_ptr ma
 	context->icc_profile = g_new (gchar, chunk_size);
 	/* copy the segment data to the profile space */
 	memcpy (context->icc_profile, marker->data + 14, chunk_size);
+	ret = TRUE;
 	goto out;
 }
 
@@ -377,12 +378,15 @@ jpeg_parse_exif_app2_segment (JpegExifContext *context, jpeg_saved_marker_ptr ma
 	/* copy the segment data to the profile space */
 	memcpy (context->icc_profile + offset, marker->data + 14, chunk_size);
 
-	/* it's now this big plus the new data we've just copied */
-	context->icc_profile_size += chunk_size;
+	context->icc_profile_size = MAX (context->icc_profile_size, offset + chunk_size);
 
 	/* success */
 	ret = TRUE;
 out:
+	if (!ret) {
+		g_free (context->icc_profile);
+		context->icc_profile = NULL;
+	}
 	return ret;
 }
-- 
2.40.0
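Review bot: The failure cleanup added at `out:` frees and NULLs `context->icc_profile` but leaves `context->icc_profile_size` at whatever earlier chunks accumulated, so the context ends up with a NULL buffer and a non-zero size; if `jpeg_parse_exif_app2_segment` is called once per APP2 marker, a later chunk taking the append path on the same context would reach `memcpy (context->icc_profile + offset, ...)` through a NULL base unless a check outside this hunk rejects it. I would reset the size in the same block, `context->icc_profile_size = 0;` right after `context->icc_profile = NULL;`. The `MAX (context->icc_profile_size, offset + chunk_size)` line is only sound if `offset + chunk_size` was already validated against the allocated profile size before the memcpy at the top of the hunk; that check, like the function's start and the rest of its body, lies outside the hunk, so it is worth confirming it exists and cannot overflow for the types of `offset` and `chunk_size`. A one-line comment above `if (!ret)` such as `/* a malformed chunk discards the whole profile, including earlier valid chunks */` would make the intended all-or-nothing semantics explicit.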