GBR: sanitize input data

Guard against bogus zero width, height, bytes and allocation overflows.

GBR: sanitize input data
Guard against bogus zero width, height, bytes and allocation overflows.
869dcd7b · Nils Philippsen · a9671395 · 869dcd7b
Commit 869dcd7b authored Dec 04, 2009 by Nils Philippsen
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 1 deletion

plug-ins/common/file-gbr.c plug-ins/common/file-gbr.c +13 -1

No files found.
--- a/plug-ins/common/file-gbr.c
+++ b/plug-ins/common/file-gbr.c
@@ -350,7 +350,7 @@ load_image (const gchar  *filename,
  gint               bn_size;
  GimpImageBaseType  base_type;
  GimpImageType      image_type;
-  gssize             size;
+  gsize              size;

  fd = g_open (filename, O_RDONLY | _O_BINARY, 0);

@@ -380,6 +380,18 @@ load_image (const gchar  *filename,
  bh.magic_number = g_ntohl (bh.magic_number);
  bh.spacing      = g_ntohl (bh.spacing);

+  /* Sanitize values */
+  if ((bh.width == 0) || (bh.height == 0) || (bh.bytes == 0) ||
+      (G_MAXSIZE / bh.width / bh.height / bh.bytes < 1))
+    {
+      g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+                   _("Invalid header data in '%s': width=%lu, height=%lu, "
+                     "bytes=%lu"), gimp_filename_to_utf8 (filename),
+                   (unsigned long int)bh.width, (unsigned long int)bh.height,
+                   (unsigned long int)bh.bytes);
+      return -1;
+    }
+
  switch (bh.version)
    {
    case 1: