[gimp] Bug 685086 - hangs while opening damaged XCF file



commit 191c2c15efe25d9dde5770262621b1788022c4bc
Author: Michael Natterer <mitch gimp org>
Date:   Tue Oct 2 22:00:16 2012 +0200

    Bug 685086 - hangs while opening damaged XCF file
    
    Fix crash for this specific XCF corruption (XCF damaged in the middle
    of a parasite header). Instead, abort loading immediately.

 app/xcf/xcf-load.c |   38 +++++++++++++++++++++++++++++---------
 1 files changed, 29 insertions(+), 9 deletions(-)
---
diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c
index 861aadf..5f12659 100644
--- a/app/xcf/xcf-load.c
+++ b/app/xcf/xcf-load.c
@@ -70,8 +70,11 @@
 #include "gimp-intl.h"
 
 
+#define MAX_XCF_PARASITE_DATA_LEN (256L * 1024 * 1024)
+
 /* #define GIMP_XCF_PATH_DEBUG */
 
+
 static void            xcf_load_add_masks     (GimpImage     *image);
 static gboolean        xcf_load_image_props   (XcfInfo       *info,
                                                GimpImage     *image);
@@ -585,12 +588,15 @@ xcf_load_image_props (XcfInfo   *info,
 
         case PROP_PARASITES:
           {
-            glong         base = info->cp;
-            GimpParasite *p;
+            glong base = info->cp;
 
             while (info->cp - base < prop_size)
               {
-                p = xcf_load_parasite (info);
+                GimpParasite *p = xcf_load_parasite (info);
+
+                if (! p)
+                  return FALSE;
+
                 gimp_image_parasite_attach (image, p);
                 gimp_parasite_free (p);
               }
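Review bot: The PROP_PARASITES loop never verifies that the parasites it consumed add up to exactly `prop_size`; it only stops once `info->cp - base` reaches or passes that value. A parasite whose declared size runs past the end of the property is therefore still accepted, and the next property is parsed from the wrong offset. After the `while`, a check such as `if (info->cp - base != prop_size) return FALSE;` (or at least a `g_warning`) would catch that desynchronisation. The same applies to the identical loops in xcf_load_layer_props and xcf_load_channel_props. The enclosing switch and function continue outside this hunk, so how callers react to the new FALSE return cannot be confirmed from here.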
@@ -843,12 +849,15 @@ xcf_load_layer_props (XcfInfo    *info,
 
         case PROP_PARASITES:
           {
-            glong         base = info->cp;
-            GimpParasite *p;
+            glong base = info->cp;
 
             while (info->cp - base < prop_size)
               {
-                p = xcf_load_parasite (info);
+                GimpParasite *p = xcf_load_parasite (info);
+
+                if (! p)
+                  return FALSE;
+
                 gimp_item_parasite_attach (GIMP_ITEM (*layer), p, FALSE);
                 gimp_parasite_free (p);
               }
@@ -1026,12 +1035,15 @@ xcf_load_channel_props (XcfInfo      *info,
 
         case PROP_PARASITES:
           {
-            glong         base = info->cp;
-            GimpParasite *p;
+            glong base = info->cp;
 
             while ((info->cp - base) < prop_size)
               {
-                p = xcf_load_parasite (info);
+                GimpParasite *p = xcf_load_parasite (info);
+
+                if (! p)
+                  return FALSE;
+
                 gimp_item_parasite_attach (GIMP_ITEM (*channel), p, FALSE);
                 gimp_parasite_free (p);
               }
@@ -1717,6 +1729,14 @@ xcf_load_parasite (XcfInfo *info)
   info->cp += xcf_read_int32  (info->fp, &flags, 1);
   info->cp += xcf_read_int32  (info->fp, &size, 1);
 
+  if (size > MAX_XCF_PARASITE_DATA_LEN)
+    {
+      g_warning ("Maximum parasite data length (%ld bytes) exceeded. "
+                 "Possibly corrupt XCF file.", MAX_XCF_PARASITE_DATA_LEN);
+      g_free (name);
+      return NULL;
+    }
+
   data = g_new (gchar, size);
   info->cp += xcf_read_int8 (info->fp, data, size);
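Review bot: The new limit bounds the allocation, but the result of `xcf_read_int8 (info->fp, data, size)` is still only added to `info->cp` and never compared with `size`. If the file ends inside the parasite data, `data` (from `g_new`, which does not zero memory) is left partly uninitialised and is presumably passed on to the parasite built below the hunk. The reads of `flags` and `size` just above have the same shape, so a file truncated inside the header may leave `size` unset before the new comparison runs. Assuming xcf_read_int8 returns the number of bytes actually read, the read should be checked and both buffers released on a short read, as sketched below. The function starts and ends outside this hunk.

```c
  data = g_new (gchar, size);

  if (xcf_read_int8 (info->fp, data, size) != size)
    {
      g_warning ("Short read of parasite data. Possibly corrupt XCF file.");
      g_free (data);
      g_free (name);
      return NULL;
    }

  info->cp += size;
  /* … unchanged: parasite construction and cleanup … */
```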
 


