Commit c57f9dcf authored by Jehan's avatar Jehan

Bug 790784 - (CVE-2017-17784) heap overread in gbr parser / load_image.

We were assuming the input name was well formed, hence was
nul-terminated. As any data coming from external input, this has to be
thorougly checked.
Similar to commit 06d24a79 but adapted
to older gimp-2-8 code.
parent decab3bf
......@@ -443,7 +443,8 @@ load_image (const gchar *filename,
{
gchar *temp = g_new (gchar, bn_size);
if ((read (fd, temp, bn_size)) < bn_size)
if ((read (fd, temp, bn_size)) < bn_size ||
temp[bn_size - 1] != '\0')
{
g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
_("Error in GIMP brush file '%s'"),
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment