[gimp] Bug 789614 - Fix heap overflow in pattern handling
- From: Michael Natterer <mitch src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gimp] Bug 789614 - Fix heap overflow in pattern handling
- Date: Mon, 20 Nov 2017 22:11:17 +0000 (UTC)
commit 30d29e03f8c12fd1a66781e287cf500f722784b2
Author: Tobias Stoeckmann <tobias stoeckmann org>
Date: Mon Nov 20 23:09:08 2017 +0100
Bug 789614 - Fix heap overflow in pattern handling
It is possible to trigger a heap overflow while opening a malicious
pattern due to integer overflows.
The validation is adopted from plugin-parser. It also takes a proper
cast to gsize to avoid integer overflow in size calculation.
app/core/gimppattern-load.c | 16 +++++++++++++++-
1 files changed, 15 insertions(+), 1 deletions(-)
---
diff --git a/app/core/gimppattern-load.c b/app/core/gimppattern-load.c
index 07c1724..447bcc2 100644
--- a/app/core/gimppattern-load.c
+++ b/app/core/gimppattern-load.c
@@ -89,6 +89,20 @@ gimp_pattern_load (GimpContext *context,
goto error;
}
+ /* Validate dimensions */
+ if ((header.width == 0) || (header.width > GIMP_MAX_IMAGE_SIZE) ||
+ (header.height == 0) || (header.height > GIMP_MAX_IMAGE_SIZE) ||
+ (G_MAXSIZE / header.width / header.height / header.bytes < 1))
+ {
+ g_set_error (error, GIMP_DATA_ERROR, GIMP_DATA_ERROR_READ,
+ _("Invalid header data in '%s': width=%lu, height=%lu, "
+ "bytes=%lu"), gimp_file_get_utf8_name (file),
+ (unsigned long int)header.width,
+ (unsigned long int)header.height,
+ (unsigned long int)header.bytes);
+ goto error;
+ }
+
/* Read in the pattern name */
if ((bn_size = (header.header_size - sizeof (header))))
{
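Review bot: `header.bytes` is used as a divisor in the last clause of the new condition, but unlike width and height it is not tested for zero in these lines. The `goto error; }` context just above suggests an earlier check, but that check is outside the hunk. If it already bounds `header.bytes`, a comment such as `/* header.bytes is range-checked above, so the division cannot divide by zero */` would keep that dependency visible if the checks are ever reordered. If it does not, add `(header.bytes == 0) ||` ahead of the division clause. The body of gimp_pattern_load starts and ends outside the hunk.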
@@ -131,7 +145,7 @@ gimp_pattern_load (GimpContext *context,
}
pattern->mask = gimp_temp_buf_new (header.width, header.height, format);
- size = header.width * header.height * header.bytes;
+ size = (gsize) header.width * header.height * header.bytes;
if (! g_input_stream_read_all (input,
gimp_temp_buf_get_data (pattern->mask), size,
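Review bot: The read length on the changed line is still computed separately from the buffer allocated on the line before it. `gimp_temp_buf_new()` sizes the buffer from `format`, while `size` uses `header.bytes`, so the read stays in bounds only if the format's bytes per pixel always equals `header.bytes`. How `format` is chosen is outside the hunk, so this cannot be confirmed from here. Taking the length from the buffer itself, for example `size = gimp_temp_buf_get_data_size (pattern->mask);`, would remove the dependency. The cast also only helps if `size` is declared as `gsize`, and that declaration is outside the hunk too.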