[gimp] Bug 730980: GIMP enters an infinite loop loading a truncated xcf



commit fe4502fe0410b25dfac999daad3127263bae7e0d
Author: Massimo Valentini <mvalentini src gnome org>
Date:   Fri Jun 6 18:35:25 2014 +0200

    Bug 730980: GIMP enters an infinite loop loading a truncated xcf

 app/xcf/xcf-load.c |   32 +++++++-------------------------
 1 files changed, 7 insertions(+), 25 deletions(-)
---
diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c
index 29aa33a..d0c44a7 100644
--- a/app/xcf/xcf-load.c
+++ b/app/xcf/xcf-load.c
@@ -1096,8 +1096,13 @@ xcf_load_layer_props (XcfInfo    *info,
               {
                 guint32 index;
 
-                info->cp += xcf_read_int32 (info->input, &index, 1);
+                if (xcf_read_int32 (info->input, &index, 1) != 4)
+                  {
+                    g_list_free (path);
+                    return FALSE;
+                  }
 
+                info->cp += 4;
                 path = g_list_append (path, GUINT_TO_POINTER (index));
               }
 
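Review bot: The literal `4` in the new short-read check is repeated in `info->cp += 4;`, and nothing on these lines says it is the byte size of one `guint32`. I would put `/* a short read means the file is truncated: stop instead of appending a garbage index */` above the `if`, and write both occurrences as `sizeof (guint32)` if `xcf_read_int32` returns a byte count, as the comparison suggests. Freeing `path` before `return FALSE` is correct for the list built in this block. The enclosing loop starts outside the hunk, so whether its bound comes from a size stored in the file cannot be checked from here.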
@@ -1605,9 +1610,7 @@ xcf_load_buffer (XcfInfo    *info,
                  GeglBuffer *buffer)
 {
   const Babl *format;
-  guint32     saved_pos;
   guint32     offset;
-  guint32     junk;
   gint        width;
   gint        height;
   gint        bpp;
@@ -1626,26 +1629,8 @@ xcf_load_buffer (XcfInfo    *info,
       bpp    != babl_format_get_bytes_per_pixel (format))
     return FALSE;
 
-  /* load in the levels...we make sure that the number of levels
-   *  calculated when the TileManager was created is the same
-   *  as the number of levels found in the file.
-   */
-
   info->cp += xcf_read_int32 (info->input, &offset, 1); /* top level */
 
-  /* discard offsets for layers below first, if any.
-   */
-  do
-    {
-      info->cp += xcf_read_int32 (info->input, &junk, 1);
-    }
-  while (junk != 0);
-
-  /* save the current position as it is where the
-   *  next level offset is stored.
-   */
-  saved_pos = info->cp;
-
   /* seek to the level offset */
   if (!xcf_seek_pos (info, offset, NULL))
     return FALSE;
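Review bot: The read of `offset` that survives this hunk still ignores a short read. `info->cp += xcf_read_int32 (info->input, &offset, 1);` adds whatever was read and carries on, so on a truncated file `offset` (declared without an initializer at the top of `xcf_load_buffer`) may reach `xcf_seek_pos` unset. Using the same check the first hunk introduces would close this: `if (xcf_read_int32 (info->input, &offset, 1) != 4) return FALSE;` followed by `info->cp += 4;`. Whether `xcf_read_int32` leaves its destination untouched on a short read is not visible here, so the uninitialized-value concern is inferred from the declaration. The function body begins and ends outside this hunk.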
@@ -1654,11 +1639,8 @@ xcf_load_buffer (XcfInfo    *info,
   if (!xcf_load_level (info, buffer))
     return FALSE;
 
-  /* restore the saved position so we'll be ready to
-   *  read the next offset.
+  /* discard levels below first.
    */
-  if (!xcf_seek_pos (info, saved_pos, NULL))
-    return FALSE;
 
   return TRUE;
 }
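Review bot: The comment `/* discard levels below first. */` is now followed only by a blank line and `return TRUE;`, so it describes an action that no code performs. I would reword it to say what the function now does, for example `/* levels below the first are ignored; their offsets are not read */`. Since the seek back to `saved_pos` is removed, a sentence in the function's header comment stating that the stream position on return is wherever `xcf_load_level` left it would help callers; that no caller relies on the old position cannot be confirmed from this hunk.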

