[gimp] Bug 789612 - Prevent heap overflow in GBR parser



commit 764056e12464f195aae4221c1f4583d38ef581b1
Author: Tobias Stoeckmann <tobias stoeckmann org>
Date:   Sun Oct 29 11:16:36 2017 +0100

    Bug 789612 - Prevent heap overflow in GBR parser
    
    It is possible to trigger a heap overflow with insanely large GBR
    files with a deprecated file format on 32 bit systems.
    
    The problem is that old versions of GBR allowed an additional pattern
    after the brush data. These patterns have always 4 bytes per pixel,
    but the initial size check is performed with the bytes per pixel of
    the brush, which can be different.
    
    If the brush has 1 byte per pixel and the dimensions are sufficiently
    large, this can trigger a heap overflow with attacker-controlled
    amount and content of data.
    
    Signed-off-by: Tobias Stoeckmann <tobias stoeckmann org>

 plug-ins/common/file-gbr.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
---
diff --git a/plug-ins/common/file-gbr.c b/plug-ins/common/file-gbr.c
index dfa25ae..92fbcfc 100644
--- a/plug-ins/common/file-gbr.c
+++ b/plug-ins/common/file-gbr.c
@@ -390,7 +390,7 @@ load_image (GFile   *file,
       (bh.height == 0) || (bh.height > GIMP_MAX_IMAGE_SIZE) ||
       ((bh.bytes != 1) && (bh.bytes != 2) && (bh.bytes != 4) &&
        (bh.bytes != 18)) ||
-      (G_MAXSIZE / bh.width / bh.height / bh.bytes < 1))
+      (G_MAXSIZE / bh.width / bh.height / MAX (4, bh.bytes) < 1))
     {
       g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
                    _("Invalid header data in '%s': width=%lu, height=%lu, "
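Review bot: the bare constant 4 in `MAX (4, bh.bytes)` deserves a comment at the check site, since nothing in the hunk explains it; the commit message says the optional trailing pattern in old-format files always uses 4 bytes per pixel, so a one-line comment such as `/* old-format files may carry a pattern at 4 bytes/pixel */` would keep the next reader from "simplifying" it back to `bh.bytes`. Also worth confirming in the same review that the later allocation and read of the pattern data use the same `MAX (4, bh.bytes)` bound (or width * height * 4 directly) rather than `bh.bytes`, since this hunk only tightens the header sanity check and the allocation it protects is outside the shown context. With the 18-byte case, `MAX (4, 18)` is 18, so the divide-based overflow check still covers the 4-bytes-per-pixel pattern size as well.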

