Commit 674b62ad authored by Jehan's avatar Jehan

Bug 739134 - (CVE-2017-17786) Out of bounds read / heap overflow in...

... TGA importer.

Be more thorough on valid TGA RGB and RGBA images.
In particular current TGA plug-in can import RGBA as 32 bits (8 bits per
channel) and 16 bits (5 bits per color channel and 1 bit for alpha), and
RGB as 15 and 24 bits.
Maybe there exist more variants, but if they do exist, we simply don't
support them yet.

Thanks to Hanno Böck for the report and a first patch attempt.
parent 9d31d4ca
......@@ -564,12 +564,16 @@ load_image (const gchar *filename,
}
break;
case TGA_TYPE_COLOR:
if (info.bpp != 15 && info.bpp != 16 &&
info.bpp != 24 && info.bpp != 32)
if ((info.bpp != 15 && info.bpp != 16 &&
info.bpp != 24 && info.bpp != 32) ||
((info.bpp == 15 || info.bpp == 24) &&
info.alphaBits != 0) ||
(info.bpp == 16 && info.alphaBits != 1) ||
(info.bpp == 32 && info.alphaBits != 8))
{
g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u)",
g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u, alpha = %u)",
gimp_filename_to_utf8 (filename),
info.imageType, info.bpp);
info.imageType, info.bpp, info.alphaBits);
return -1;
}
break;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment