Commit 764056e1 authored by Tobias Stoeckmann, committed by Michael Natterer

Bug 789612 - Prevent heap overflow in GBR parser

It is possible to trigger a heap overflow with insanely large GBR
files with a deprecated file format on 32-bit systems.

The problem is that old versions of GBR allowed an additional pattern
after the brush data. These patterns always have 4 bytes per pixel,
but the initial size check is performed with the bytes per pixel of
the brush, which can be different.

If the brush has 1 byte per pixel and the dimensions are sufficiently
large, this can trigger a heap overflow with attacker-controlled
amount and content of data.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
parent f98d1b3a
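The arithmetic behind the bug described above, as an added example written for this page (it is not GIMP's code and does not read the GBR format): `header_ok_old` and `header_ok_new` are hypothetical stand-ins for the size check before and after the fix, `max_size` takes the role of `G_MAXSIZE` so a 32-bit build can be simulated with `UINT32_MAX`, the `GIMP_MAX_IMAGE_SIZE` bound on width and height from the real check is omitted, and the hostile header values are constructed for the demonstration.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not GIMP code. The trailing pattern that old GBR files
 * may carry after the brush data is stored at 4 bytes per pixel regardless
 * of the bytes-per-pixel field in the brush header. */
#define PATTERN_BPP 4u

/* Size check as it stood before the fix. max_size plays the role of
 * G_MAXSIZE; passing UINT32_MAX simulates a 32-bit build. The
 * GIMP_MAX_IMAGE_SIZE bound on width/height from the real check is omitted
 * (assumption: the sample dimensions below stay within it). */
static bool header_ok_old(uint32_t w, uint32_t h, uint32_t bytes, uint64_t max_size)
{
    if (w == 0 || h == 0)
        return false;
    if (bytes != 1 && bytes != 2 && bytes != 4 && bytes != 18)
        return false;
    /* Guards only the brush buffer: w * h * bytes must not wrap size_t. */
    return max_size / w / h / bytes >= 1;
}

/* Size check after the fix: the per-pixel size fed into the overflow test is
 * the larger of the brush's and the pattern's, i.e. MAX (4, bh.bytes). */
static bool header_ok_new(uint32_t w, uint32_t h, uint32_t bytes, uint64_t max_size)
{
    uint32_t bpp = bytes > PATTERN_BPP ? bytes : PATTERN_BPP;
    if (w == 0 || h == 0)
        return false;
    if (bytes != 1 && bytes != 2 && bytes != 4 && bytes != 18)
        return false;
    return max_size / w / h / bpp >= 1;
}

/* Number of bytes the pattern really needs. */
static uint64_t pattern_bytes_true(uint32_t w, uint32_t h)
{
    return (uint64_t)w * h * PATTERN_BPP;
}

/* What `size_t n = w * h * 4` evaluates to on a 32-bit build: the same
 * product truncated modulo 2^32. When this is smaller than the true size,
 * a buffer allocated from it is too small for the pixel data read into it. */
static uint32_t pattern_bytes_32bit(uint32_t w, uint32_t h)
{
    return (uint32_t)pattern_bytes_true(w, h);
}

int main(void)
{
    /* Constructed hostile header: 1 bpp brush, dimensions chosen so that
     * w*h (about 1 GiB) fits a 32-bit size_t but w*h*4 wraps to 1 MiB. */
    uint32_t w = 262144, h = 4097, bytes = 1;

    printf("old check (32-bit): %s\n",
           header_ok_old(w, h, bytes, UINT32_MAX) ? "accept" : "reject");
    printf("new check (32-bit): %s\n",
           header_ok_new(w, h, bytes, UINT32_MAX) ? "accept" : "reject");
    printf("new check (64-bit): %s\n",
           header_ok_new(w, h, bytes, UINT64_MAX) ? "accept" : "reject");
    printf("pattern needs %" PRIu64 " bytes, 32-bit size_t computes %" PRIu32 "\n",
           pattern_bytes_true(w, h), pattern_bytes_32bit(w, h));
    return 0;
}
```

With the constructed header the old check accepts (the 1 bpp brush buffer fits), while the 4 bpp pattern size wraps to 1048576 bytes on a 32-bit build, so a loader trusting that value would allocate 1 MiB and then copy about 4 GiB of attacker-supplied pixel data into it. The new check rejects the same header on 32-bit and still accepts it on 64-bit, matching the commit message's claim that only 32-bit systems are affected.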
......@@ -390,7 +390,7 @@ load_image (GFile *file,
(bh.height == 0) || (bh.height > GIMP_MAX_IMAGE_SIZE) ||
((bh.bytes != 1) && (bh.bytes != 2) && (bh.bytes != 4) &&
(bh.bytes != 18)) ||
(G_MAXSIZE / bh.width / bh.height / bh.bytes < 1))
(G_MAXSIZE / bh.width / bh.height / MAX (4, bh.bytes) < 1))
{
g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
_("Invalid header data in '%s': width=%lu, height=%lu, "
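Review bot: the literal 4 in `MAX (4, bh.bytes)` on the replacement line needs a comment in the code, since the reason (old GBR files may carry a pattern after the brush data and that pattern is always 4 bytes per pixel, whatever bh.bytes says) lives only in the commit message, and a later reader could "simplify" the condition back to `bh.bytes` and reintroduce the overflow. Suggest a one-line comment above the condition, for example `/* legacy files may append a pattern, always 4 bpp: size-check with the larger of the two */`. Separately, this check only keeps the width*height*bpp product from wrapping size_t; it still admits products anywhere up to G_MAXSIZE, so a hostile header can drive the loader toward near-4 GiB allocations on 32-bit builds, and it is worth confirming that the allocations which follow use failing-safe variants rather than aborting the process.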