[gimp/gimp-2-8] Bug 730396: GIMP crashes loading a XCF it saved



commit 07e90e21415676a6286e22e37ccc40b04d833b04
Author: Massimo Valentini <mvalentini src gnome org>
Date:   Sat Jun 7 16:33:17 2014 +0200

    Bug 730396: GIMP crashes loading a XCF it saved
    
    Add a few validity checks when loading an XCF file.
    
    (cherry picked from commit a64a319d78455a13d51fc7983fa18ce7ce5549d8)
    
    Conflicts:
        app/xcf/xcf-load.c

 app/xcf/xcf-load.c |   18 ++++++++++++++++--
 1 files changed, 16 insertions(+), 2 deletions(-)
---
diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c
index f9ee714..a4f53cd 100644
--- a/app/xcf/xcf-load.c
+++ b/app/xcf/xcf-load.c
@@ -136,7 +136,7 @@ xcf_load_image (Gimp     *gimp,
                 XcfInfo  *info,
                 GError  **error)
 {
-  GimpImage          *image;
+  GimpImage          *image = NULL;
   const GimpParasite *parasite;
   guint32             saved_pos;
   guint32             offset;
@@ -149,6 +149,9 @@ xcf_load_image (Gimp     *gimp,
   info->cp += xcf_read_int32 (info->fp, (guint32 *) &width, 1);
   info->cp += xcf_read_int32 (info->fp, (guint32 *) &height, 1);
   info->cp += xcf_read_int32 (info->fp, (guint32 *) &image_type, 1);
+  if (image_type < GIMP_RGB || image_type > GIMP_INDEXED ||
+      width <= 0 || height <= 0)
+    goto hard_error;
 
   image = gimp_create_image (gimp, width, height, image_type, FALSE);
 
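Review bot: The new guard before `gimp_create_image` rejects non-positive dimensions but sets no upper limit, so a file can still declare a width and height that drive a very large allocation. Consider bounding them as well, e.g. `width > GIMP_MAX_IMAGE_SIZE || height > GIMP_MAX_IMAGE_SIZE` (assuming that libgimpbase limit is in scope in this file); the same applies to the checks added in xcf_load_layer, xcf_load_channel and xcf_load_layer_mask. Separately, the three `xcf_read_int32` results are only added to `info->cp`, so a truncated file is not detected at this point. Whether `width`, `height` and `image_type` hold defined values in that case cannot be seen from the hunk, because their declarations sit outside it.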
@@ -350,7 +353,8 @@ xcf_load_image (Gimp     *gimp,
                       _("This XCF file is corrupt!  I could not even "
                         "salvage any partial image data from it."));
 
-  g_object_unref (image);
+  if (image)
+    g_object_unref (image);
 
   return NULL;
 }
@@ -1100,6 +1104,10 @@ xcf_load_layer (XcfInfo    *info,
   info->cp += xcf_read_int32 (info->fp, (guint32 *) &width, 1);
   info->cp += xcf_read_int32 (info->fp, (guint32 *) &height, 1);
   info->cp += xcf_read_int32 (info->fp, (guint32 *) &type, 1);
+  if (gimp_image_base_type (image) != GIMP_IMAGE_TYPE_BASE_TYPE (type) ||
+      width <= 0 || height <= 0)
+    return NULL;
+
   info->cp += xcf_read_string (info->fp, &name, 1);
 
   /* create a new layer */
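Review bot: The early `return NULL` in xcf_load_layer is silent and the reason for comparing base types is undocumented; a comment above the check such as `/* a layer must share the image's base type; reject mismatched or corrupt headers here */` would help the next reader. Whether `GIMP_IMAGE_TYPE_BASE_TYPE` yields a non-matching value for a `type` outside the known layer types is not visible in this hunk; if it does not, an explicit range check on `type` is needed as well. Placing the check before `xcf_read_string` means `name` has not been read yet, so the return leaks nothing from the lines shown; the function body continues outside the hunk.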
@@ -1214,6 +1222,9 @@ xcf_load_channel (XcfInfo   *info,
   /* read in the layer width, height and name */
   info->cp += xcf_read_int32 (info->fp, (guint32 *) &width, 1);
   info->cp += xcf_read_int32 (info->fp, (guint32 *) &height, 1);
+  if (width <= 0 || height <= 0)
+    return NULL;
+
   info->cp += xcf_read_string (info->fp, &name, 1);
 
   /* create a new channel */
@@ -1272,6 +1283,9 @@ xcf_load_layer_mask (XcfInfo   *info,
   /* read in the layer width, height and name */
   info->cp += xcf_read_int32 (info->fp, (guint32 *) &width, 1);
   info->cp += xcf_read_int32 (info->fp, (guint32 *) &height, 1);
+  if (width <= 0 || height <= 0)
+    return NULL;
+
   info->cp += xcf_read_string (info->fp, &name, 1);
 
   /* create a new layer mask */

