[gimp/gimp-2-8] Bug 685086 - hangs while opening damaged XCF file



commit 018a02d8dadcffbc4ebd337ee35930ebff59091b
Author: Michael Natterer <mitch gimp org>
Date:   Tue Oct 2 22:00:16 2012 +0200

    Bug 685086 - hangs while opening damaged XCF file
    
    Fix crash for this specific XCF corruption (XCF damaged in the middle
    of a parasite header). Instead, abort loading immediately.
    (cherry picked from commit 191c2c15efe25d9dde5770262621b1788022c4bc)

 app/xcf/xcf-load.c |   38 +++++++++++++++++++++++++++++---------
 1 files changed, 29 insertions(+), 9 deletions(-)
---
diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c
index f703922..107e98a 100644
--- a/app/xcf/xcf-load.c
+++ b/app/xcf/xcf-load.c
@@ -71,8 +71,11 @@
 #include "gimp-intl.h"
 
 
+#define MAX_XCF_PARASITE_DATA_LEN (256L * 1024 * 1024)
+
 /* #define GIMP_XCF_PATH_DEBUG */
 
+
 static void            xcf_load_add_masks     (GimpImage    *image);
 static gboolean        xcf_load_image_props   (XcfInfo      *info,
                                                GimpImage    *image);
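Review bot: `MAX_XCF_PARASITE_DATA_LEN` is introduced without a comment saying what it bounds or why 256 MiB was chosen, so a later reader cannot tell whether the value is a format limit or a sanity cap. A short comment above the define would settle that, for example `/* Largest parasite payload accepted from an XCF file; larger sizes are treated as corruption. */`. The constant has type `long` and is printed with `%ld` in the xcf_load_parasite hunk, so the format specifier matches.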
@@ -559,12 +562,15 @@ xcf_load_image_props (XcfInfo   *info,
 
         case PROP_PARASITES:
           {
-            glong         base = info->cp;
-            GimpParasite *p;
+            glong base = info->cp;
 
             while (info->cp - base < prop_size)
               {
-                p = xcf_load_parasite (info);
+                GimpParasite *p = xcf_load_parasite (info);
+
+                if (! p)
+                  return FALSE;
+
                 gimp_image_parasite_attach (image, p);
                 gimp_parasite_free (p);
               }
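Review bot: The loop `while (info->cp - base < prop_size)` still terminates only if every iteration advances `info->cp`, and the new `if (! p) return FALSE;` exits only when xcf_load_parasite itself rejects the record. In the visible part of xcf_load_parasite the only rejection is the oversize check, so a file truncated inside a parasite would presumably still return a non-NULL parasite without moving `info->cp` (inferred; the read helpers are outside the diff), and the loop would keep spinning. The same applies to the identical loops in the xcf_load_layer_props and xcf_load_channel_props hunks. The guard here is sound as written; it becomes sufficient once xcf_load_parasite returns NULL on any short read, and a comment such as `/* NULL: parasite rejected as corrupt, stop loading */` above the check would record that contract. The enclosing function starts and ends outside the hunk.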
@@ -817,12 +823,15 @@ xcf_load_layer_props (XcfInfo    *info,
 
         case PROP_PARASITES:
           {
-            glong         base = info->cp;
-            GimpParasite *p;
+            glong base = info->cp;
 
             while (info->cp - base < prop_size)
               {
-                p = xcf_load_parasite (info);
+                GimpParasite *p = xcf_load_parasite (info);
+
+                if (! p)
+                  return FALSE;
+
                 gimp_item_parasite_attach (GIMP_ITEM (*layer), p, FALSE);
                 gimp_parasite_free (p);
               }
@@ -1003,12 +1012,15 @@ xcf_load_channel_props (XcfInfo      *info,
 
         case PROP_PARASITES:
           {
-            glong         base = info->cp;
-            GimpParasite *p;
+            glong base = info->cp;
 
             while ((info->cp - base) < prop_size)
               {
-                p = xcf_load_parasite (info);
+                GimpParasite *p = xcf_load_parasite (info);
+
+                if (! p)
+                  return FALSE;
+
                 gimp_item_parasite_attach (GIMP_ITEM (*channel), p, FALSE);
                 gimp_parasite_free (p);
               }
@@ -1645,6 +1657,14 @@ xcf_load_parasite (XcfInfo *info)
   info->cp += xcf_read_int32  (info->fp, &flags, 1);
   info->cp += xcf_read_int32  (info->fp, &size, 1);
 
+  if (size > MAX_XCF_PARASITE_DATA_LEN)
+    {
+      g_warning ("Maximum parasite data length (%ld bytes) exceeded. "
+                 "Possibly corrupt XCF file.", MAX_XCF_PARASITE_DATA_LEN);
+      g_free (name);
+      return NULL;
+    }
+
   data = g_new (gchar, size);
   info->cp += xcf_read_int8 (info->fp, data, size);
 
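Review bot: The result of `xcf_read_int8 (info->fp, data, size)` is added to `info->cp` but never compared with `size`, so a file that ends inside the parasite payload yields a buffer from `g_new` that is only partly filled. `g_new` does not zero memory, so the remainder would be uninitialized heap bytes that end up in the attached parasite. The two `xcf_read_int32` calls above the new check are unchecked in the same way, which means `size` may not have been read from the file at all when it is compared against the limit. Treating a short read as corruption, the same way the oversize case is handled, closes both gaps; the sketch below uses a new local `nread` that would be declared with the function's other locals, which are outside the hunk.

```c
  /* … unchanged: MAX_XCF_PARASITE_DATA_LEN check … */

  data = g_new (gchar, size);
  nread = xcf_read_int8 (info->fp, data, size);
  info->cp += nread;

  if (nread != size)
    {
      g_warning ("Short read of parasite data. Possibly corrupt XCF file.");
      g_free (data);
      g_free (name);
      return NULL;
    }
```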


