From d30cc1ea0b9ba64d8a1e22105528b6cb8077692c Mon Sep 17 00:00:00 2001 From: Brecht Van Lommel Date: Sun, 14 Jan 2018 14:19:57 +0100 Subject: Fix buffer overflows in TIFF, PNG, IRIS, DPX, HDR and AVI loading. Solves these security issues from T52924: CVE-2017-2899 CVE-2017-2900 CVE-2017-2901 CVE-2017-2902 CVE-2017-2903 CVE-2017-2904 CVE-2017-2905 CVE-2017-2906 CVE-2017-2907 CVE-2017-2918 Differential Revision: https://developer.blender.org/D2999 --- source/blender/imbuf/intern/cineon/dpxlib.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source/blender/imbuf/intern/cineon/dpxlib.c') diff --git a/source/blender/imbuf/intern/cineon/dpxlib.c b/source/blender/imbuf/intern/cineon/dpxlib.c index 1e4f299def7..b6e8b43b009 100644 --- a/source/blender/imbuf/intern/cineon/dpxlib.c +++ b/source/blender/imbuf/intern/cineon/dpxlib.c @@ -193,7 +193,8 @@ LogImageFile *dpxOpen(const unsigned char *byteStuff, int fromMemory, size_t buf dpx->srcFormat = format_DPX; dpx->numElements = swap_ushort(header.imageHeader.elements_per_image, dpx->isMSB); - if (dpx->numElements == 0) { + size_t max_elements = sizeof(header.imageHeader.element)/sizeof(header.imageHeader.element[0]); + if (dpx->numElements == 0 || dpx->numElements >= max_elements) { if (verbose) printf("DPX: Wrong number of elements: %d\n", dpx->numElements); logImageClose(dpx); return NULL; -- cgit v1.2.3