Bug 789612 - Prevent heap overflow in GBR parser

It is possible to trigger a heap overflow with insanely large GBR
files with a deprecated file format on 32 bit systems.

The problem is that old versions of GBR allowed an additional pattern
after the brush data. These patterns have always 4 bytes per pixel,
but the initial size check is performed with the bytes per pixel of
the brush, which can be different.

If the brush has 1 byte per pixel and the dimensions are sufficiently
large, this can trigger a heap overflow with attacker-controlled
amount and content of data.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

plug-ins/common/file-gbr.c

@@ -390,7 +390,7 @@ load_image (GFile   *file,
       (bh.height == 0) || (bh.height > GIMP_MAX_IMAGE_SIZE) ||
       ((bh.bytes != 1) && (bh.bytes != 2) && (bh.bytes != 4) &&
        (bh.bytes != 18)) ||
-      (G_MAXSIZE / bh.width / bh.height / bh.bytes < 1))
+      (G_MAXSIZE / bh.width / bh.height / MAX (4, bh.bytes) < 1))
     {
       g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
                    _("Invalid header data in '%s': width=%lu, height=%lu, "