[gimp] gbr/pat: Fix out of boundary read on illegal names



commit 4fa0cd4dcf2df06e95c757f753845e9f68a33844
Author: Tobias Stoeckmann <tobias stoeckmann org>
Date:   Tue Oct 31 12:11:08 2017 +0100

    gbr/pat: Fix out of boundary read on illegal names
    
    The file formats GBR and PAT contain names which are supposed to be
    NUL-terminated within the files. If no such terminating NUL byte
    exists, the parsers of GBR and PAT trigger an out of boundary read
    during utf-8 conversion.
    
    Signed-off-by: Tobias Stoeckmann <tobias stoeckmann org>

 app/core/gimpbrush-load.c   |    2 +-
 app/core/gimppattern-load.c |    2 +-
 plug-ins/common/file-gbr.c  |    2 +-
 plug-ins/common/file-pat.c  |    2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
---
diff --git a/app/core/gimpbrush-load.c b/app/core/gimpbrush-load.c
index 48eacc7..8059888 100644
--- a/app/core/gimpbrush-load.c
+++ b/app/core/gimpbrush-load.c
@@ -248,7 +248,7 @@ gimp_brush_load_brush (GimpContext   *context,
           return NULL;
         }
 
-      utf8 = gimp_any_to_utf8 (name, -1,
+      utf8 = gimp_any_to_utf8 (name, bn_size - 1,
                                _("Invalid UTF-8 string in brush file '%s'."),
                                gimp_file_get_utf8_name (file));
       g_free (name);
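Review bot: The new length `bn_size - 1` is only a valid bound if `bn_size` is at least 1 and equals the number of bytes actually read into `name`, and neither condition is visible in this hunk (the body of gimp_brush_load_brush starts and continues outside it). If `bn_size` could ever be 0, the argument becomes -1 or a wrapped large value depending on its type, and -1 is the unbounded scan the old call asked for. I would state the invariant at the call site with a comment such as `/* name holds bn_size bytes read from the file and may lack a terminating NUL; limit the conversion to the buffer */`. The same applies to the `bn_size - 1` call in app/core/gimppattern-load.c and the `size - 1` call in plug-ins/common/file-gbr.c.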
diff --git a/app/core/gimppattern-load.c b/app/core/gimppattern-load.c
index 447bcc2..e8ca58f 100644
--- a/app/core/gimppattern-load.c
+++ b/app/core/gimppattern-load.c
@@ -119,7 +119,7 @@ gimp_pattern_load (GimpContext   *context,
           goto error;
         }
 
-      utf8 = gimp_any_to_utf8 (name, -1,
+      utf8 = gimp_any_to_utf8 (name, bn_size - 1,
                                _("Invalid UTF-8 string in pattern file '%s'."),
                                gimp_file_get_utf8_name (file));
       g_free (name);
diff --git a/plug-ins/common/file-gbr.c b/plug-ins/common/file-gbr.c
index 91fbebb..46bc59f 100644
--- a/plug-ins/common/file-gbr.c
+++ b/plug-ins/common/file-gbr.c
@@ -474,7 +474,7 @@ load_image (GFile   *file,
           return -1;
         }
 
-      name = gimp_any_to_utf8 (temp, -1,
+      name = gimp_any_to_utf8 (temp, size - 1,
                                _("Invalid UTF-8 string in brush file '%s'."),
                                g_file_get_parse_name (file));
       g_free (temp);
diff --git a/plug-ins/common/file-pat.c b/plug-ins/common/file-pat.c
index 51622ec..8e70a32 100644
--- a/plug-ins/common/file-pat.c
+++ b/plug-ins/common/file-pat.c
@@ -376,7 +376,7 @@ load_image (GFile   *file,
       return -1;
     }
 
-  name = gimp_any_to_utf8 (temp, -1,
+  name = gimp_any_to_utf8 (temp, ph.header_size - sizeof (PatternHeader) - 1,
                            _("Invalid UTF-8 string in pattern file '%s'."),
                            g_file_get_parse_name (file));
   g_free (temp);
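Review bot: `ph.header_size - sizeof (PatternHeader) - 1` is evaluated in unsigned arithmetic because of the `sizeof` operand, so a `header_size` no larger than the struct would wrap to a very large length instead of going negative. The check that rejects such headers is presumably earlier in load_image, but it is outside this hunk and should be confirmed. Computing the name length once and reusing it for the buffer behind `temp` and for this call would keep the bound and the buffer size in step, e.g. `name_len = ph.header_size - sizeof (PatternHeader);` followed by `gimp_any_to_utf8 (temp, name_len - 1, ...)`.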

