[gimp] Bug 789610: invalid gbr brush crashing GIMP



commit 657a754f98eb9a67d8dcbc8c05a3e3a66fbee44f
Author: Massimo Valentini <mvalentini src gnome org>
Date:   Wed Nov 1 13:50:05 2017 +0100

    Bug 789610: invalid gbr brush crashing GIMP

 app/core/gimpbrush-load.c  |    8 +++++++-
 plug-ins/common/file-gbr.c |    6 ++++++
 2 files changed, 13 insertions(+), 1 deletions(-)
---
diff --git a/app/core/gimpbrush-load.c b/app/core/gimpbrush-load.c
index b17585b..3939253 100644
--- a/app/core/gimpbrush-load.c
+++ b/app/core/gimpbrush-load.c
@@ -135,7 +135,7 @@ gimp_brush_load_brush (GimpContext   *context,
                        GError       **error)
 {
   GimpBrush   *brush;
-  gint         bn_size;
+  gsize        bn_size;
   BrushHeader  header;
   gchar       *name = NULL;
   guchar      *pixmap;
@@ -226,6 +226,12 @@ gimp_brush_load_brush (GimpContext   *context,
       return NULL;
     }
 
+  if (header.header_size < sizeof (BrushHeader))
+    {
+      g_message (_("Unsupported brush format"));
+      return NULL;
+    }
+
   /*  Read in the brush name  */
   if ((bn_size = (header.header_size - sizeof (header))))
     {
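Review bot: The added check in gimp_brush_load_brush only puts a lower bound on `header.header_size`, so `bn_size` on the following line is still whatever the file claims, minus the fixed header size. The code that consumes `bn_size` is outside this hunk, but if it allocates a name buffer of that length, a crafted brush could still force a very large allocation or an abort. Consider an upper bound as well, for example `if (bn_size > MAX_BRUSH_NAME_LEN)` (placeholder constant, not taken from the tree) before the name is read; the load_image hunk in plug-ins/common/file-gbr.c appears to have the same gap. Because the function takes `GError **error`, reporting the rejection with `g_set_error` instead of `g_message` would also let callers see why the load failed.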
diff --git a/plug-ins/common/file-gbr.c b/plug-ins/common/file-gbr.c
index 585e74a..90c840b 100644
--- a/plug-ins/common/file-gbr.c
+++ b/plug-ins/common/file-gbr.c
@@ -406,6 +406,12 @@ load_image (GFile   *file,
       /* Version 1 didn't have a magic number and had no spacing  */
       bh.spacing = 25;
       bh.header_size += 8;
+      if (bh.header_size < sizeof (BrushHeader))
+        {
+          g_message (_("Unsupported brush format"));
+          g_object_unref (input);
+          return -1;
+        }
       break;
 
     case 2:
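Review bot: The new size check sits inside `case 1:` only, so this hunk does not show whether version 2 and later headers get the same lower bound before `bh.header_size` is used further down. If the other cases do not already reject short headers, moving the test after the `switch` would cover every version with one `if (bh.header_size < sizeof (BrushHeader))`. A comment above it such as `/* header_size comes from the file; reject anything smaller than the fixed header */` would record why the test exists. load_image continues outside the hunk, so the handling of the remaining versions should be confirmed there.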

