GBR: more input data sanitation

Guard against bh.width or bh.height > GIMP_MAX_IMAGE_SIZE, only allow valid values of bh.bytes.

GBR: more input data sanitation
Guard against bh.width or bh.height > GIMP_MAX_IMAGE_SIZE, only allow valid values of bh.bytes.
b053021a · Nils Philippsen · 869dcd7b · b053021a
Commit b053021a authored Dec 08, 2009 by Nils Philippsen
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 1 deletion

plug-ins/common/file-gbr.c plug-ins/common/file-gbr.c +4 -1

No files found.
--- a/plug-ins/common/file-gbr.c
+++ b/plug-ins/common/file-gbr.c
@@ -381,7 +381,10 @@ load_image (const gchar  *filename,
  bh.spacing      = g_ntohl (bh.spacing);

  /* Sanitize values */
-  if ((bh.width == 0) || (bh.height == 0) || (bh.bytes == 0) ||
+  if ((bh.width == 0) || (bh.width > GIMP_MAX_IMAGE_SIZE) ||
+      (bh.height == 0) || (bh.height > GIMP_MAX_IMAGE_SIZE) ||
+      ((bh.bytes != 1) && (bh.bytes != 2) && (bh.bytes != 4) &&
+       (bh.bytes != 18)) ||
      (G_MAXSIZE / bh.width / bh.height / bh.bytes < 1))
    {
      g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,