[gimp] Bug 739134 - (CVE-2017-17786) Out of bounds read / heap overflow in...

[Jehan Pagès <jehanp src gnome org>]

commit 674b62ad45b6579ec6d7923dc3cb1ef4e8b5498b
Author: Jehan <jehan girinstud io>
Date:   Wed Dec 20 13:02:38 2017 +0100

    Bug 739134 - (CVE-2017-17786) Out of bounds read / heap overflow in...
    
    ... TGA importer.
    
    Be more thorough on valid TGA RGB and RGBA images.
    In particular current TGA plug-in can import RGBA as 32 bits (8 bits per
    channel) and 16 bits (5 bits per color channel and 1 bit for alpha), and
    RGB as 15 and 24 bits.
    Maybe there exist more variants, but if they do exist, we simply don't
    support them yet.
    
    Thanks to Hanno Böck for the report and a first patch attempt.

 plug-ins/common/file-tga.c |   12 ++++++++----
 1 files changed, 8 insertions(+), 4 deletions(-)
---
diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c
index a3333c2..ad09679 100644
--- a/plug-ins/common/file-tga.c
+++ b/plug-ins/common/file-tga.c
@@ -564,12 +564,16 @@ load_image (const gchar  *filename,
           }
         break;
       case TGA_TYPE_COLOR:
-        if (info.bpp != 15 && info.bpp != 16 &&
-            info.bpp != 24 && info.bpp != 32)
+        if ((info.bpp != 15 && info.bpp != 16 &&
+             info.bpp != 24 && info.bpp != 32)      ||
+            ((info.bpp == 15 || info.bpp == 24) &&
+             info.alphaBits != 0)                   ||
+            (info.bpp == 16 && info.alphaBits != 1) ||
+            (info.bpp == 32 && info.alphaBits != 8))
           {
-            g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u)",
+            g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u, alpha = %u)",
                        gimp_filename_to_utf8 (filename),
-                       info.imageType, info.bpp);
+                       info.imageType, info.bpp, info.alphaBits);
             return -1;
           }
         break;