It is possible to trigger a heap overflow with insanely large GBR files with a deprecated file format on 32-bit systems. The problem is that old versions of GBR allowed an additional pattern after the brush data. These patterns always have 4 bytes per pixel, but the initial size check is performed with the bytes per pixel of the brush, which can be different. If the brush has 1 byte per pixel and the dimensions are sufficiently large, this can trigger a heap overflow with attacker-controlled amount and content of data.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
764056e1
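An added example (not code from this commit or from the project) of the size-check mismatch the commit message describes, assuming the check is a multiplication-overflow test done in a 32-bit size type. The struct, function names and sample dimensions are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>

/* Per the commit message: the trailing pattern always uses 4 bytes per pixel. */
#define PATTERN_BPP 4u

/* Hypothetical header fields for illustration; not the project's struct. */
struct brush_hdr { uint32_t width, height, bytes; };

/* Multiply in 32 bits, as size_t would on a 32-bit system; false on wrap. */
static bool mul_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Weak form: only the brush's own bytes-per-pixel is validated. */
bool check_brush_only(const struct brush_hdr *h, uint32_t *brush_size)
{
    uint32_t px;
    return mul_u32(h->width, h->height, &px) &&
           mul_u32(px, h->bytes, brush_size);
}

/* Hardened form: the pattern size is validated at its real 4 bytes per pixel. */
bool check_brush_and_pattern(const struct brush_hdr *h,
                             uint32_t *brush_size, uint32_t *pattern_size)
{
    uint32_t px;
    if (!mul_u32(h->width, h->height, &px) ||
        !mul_u32(px, h->bytes, brush_size))
        return false;
    return mul_u32(px, PATTERN_BPP, pattern_size);
}

/* What an unchecked 32-bit width * height * 4 evaluates to after wrapping. */
uint32_t wrapped_pattern_size(const struct brush_hdr *h)
{
    return h->width * h->height * PATTERN_BPP;
}
```

With constructed dimensions of 0x8000 by 0x8000 and 1 byte per pixel, the brush-only check accepts the header while the 4-bytes-per-pixel product wraps in 32 bits, which is the gap the hardened check closes.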