Commit b053021a authored by Nils Philippsen's avatar Nils Philippsen

GBR: more input data sanitation

Guard against bh.width or bh.height > GIMP_MAX_IMAGE_SIZE, only allow
valid values of bh.bytes.
parent 869dcd7b
......@@ -381,7 +381,10 @@ load_image (const gchar *filename,
bh.spacing = g_ntohl (bh.spacing);
/* Sanitize values */
if ((bh.width == 0) || (bh.height == 0) || (bh.bytes == 0) ||
if ((bh.width == 0) || (bh.width > GIMP_MAX_IMAGE_SIZE) ||
(bh.height == 0) || (bh.height > GIMP_MAX_IMAGE_SIZE) ||
((bh.bytes != 1) && (bh.bytes != 2) && (bh.bytes != 4) &&
(bh.bytes != 18)) ||
(G_MAXSIZE / bh.width / bh.height / bh.bytes < 1))
{
g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment