blob: a0c7f3f4b5799e1070ac316ae104c98975a59d4e (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
--- a/flatspec.c 2006-02-22 01:38:49.000000000 +0100
+++ b/flatspec.c 2009-07-03 22:32:55.000000000 +0200
@@ -210,7 +210,15 @@
}
}
computeDimensions(&spec->dim);
-
+
+ /* We can't handle negative coordinates properly, so abort rather than
+ * crash chaotically. See CVE-2009-217; Debian bug #533361.
+ */
+ if( spec->dim.c.t < 0 || spec->dim.c.l < 0 ) {
+ FatalUnsupportedXCF("This version cannot extract pixels above or to the "
+ "left of the canvas");
+ }
+
/* Turn off layers that we don't hit at all */
for( i=0; i<spec->numLayers; i++ )
if( spec->layers[i].isVisible &&
|