[gimp/gimp-2-6] GBR: sanitize input data



commit 343651e87f8a4227b02a34fbff4188b519417de5
Author: Nils Philippsen <nils redhat com>
Date:   Fri Dec 4 11:17:21 2009 +0100

    GBR: sanitize input data
    
    Guard against bogus zero width, height, bytes and allocation overflows.
    (cherry picked from commit 869dcd7be1c1ec991256ba079f670574f1e57b90)

 plug-ins/common/file-gbr.c |   14 +++++++++++++-
 1 files changed, 13 insertions(+), 1 deletions(-)
---
diff --git a/plug-ins/common/file-gbr.c b/plug-ins/common/file-gbr.c
index 53f3397..98cd314 100644
--- a/plug-ins/common/file-gbr.c
+++ b/plug-ins/common/file-gbr.c
@@ -351,7 +351,7 @@ load_image (const gchar  *filename,
   gint               bn_size;
   GimpImageBaseType  base_type;
   GimpImageType      image_type;
-  gssize             size;
+  gsize              size;
 
   fd = g_open (filename, O_RDONLY | _O_BINARY, 0);
 
@@ -381,6 +381,18 @@ load_image (const gchar  *filename,
   bh.magic_number = g_ntohl (bh.magic_number);
   bh.spacing      = g_ntohl (bh.spacing);
 
+  /* Sanitize values */
+  if ((bh.width == 0) || (bh.height == 0) || (bh.bytes == 0) ||
+      (G_MAXSIZE / bh.width / bh.height / bh.bytes < 1))
+    {
+      g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+                   _("Invalid header data in '%s': width=%lu, height=%lu, "
+                     "bytes=%lu"), gimp_filename_to_utf8 (filename),
+                   (unsigned long int)bh.width, (unsigned long int)bh.height,
+                   (unsigned long int)bh.bytes);
+      return -1;
+    }
+
   switch (bh.version)
     {
     case 1:
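Review bot: The new early `return -1;` in the sanitize block exits without closing `fd`, which the first hunk shows being opened with `g_open`, so each rejected brush file appears to leak a descriptor; adding `close (fd);` just before `return -1;` would fix it. load_image starts and ends outside both hunks, so confirm that no other cleanup already covers this path. Separately, the test only rejects a width × height × bytes product above `G_MAXSIZE`, so on a 64-bit host a crafted header can still pass and lead to a very large allocation request. An explicit upper bound on width and height, plus a check of `bh.bytes` against the depths the loader actually supports, placed ahead of the division, would tighten the guard.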


