[gimp] Bug 788870 - Abr corrupted files crashing GIMP when saved...



commit 31a6796fa862e89f1658d3bd0d001434350b7ed2
Author: Massimo Valentini <mvalentini src gnome org>
Date:   Tue Jan 2 10:58:25 2018 +0100

    Bug 788870 - Abr corrupted files crashing GIMP when saved...
    
    ...in brushes user directory
    
    Treat the 8bim section size as unsigned, to avoid seeking backward when a
    malicious brush includes an 8bim section unknown to GIMP.
    
    This avoids the possibility to start an infinite loop on GIMP start.
    
    Found just a water drop in the ocean, GIMP is still not secure.
    
    Mitch: Added more sanity checks on the Abr's width/height/bytes so now
    all brushes in the zip attached to the bug are properly rejected
    instead of crashing GIMP.

 app/core/gimpbrush-load.c |   21 ++++++++++++++++-----
 1 files changed, 16 insertions(+), 5 deletions(-)
---
diff --git a/app/core/gimpbrush-load.c b/app/core/gimpbrush-load.c
index 8059888..225e1f9 100644
--- a/app/core/gimpbrush-load.c
+++ b/app/core/gimpbrush-load.c
@@ -639,7 +639,18 @@ gimp_brush_load_abr_brush_v12 (GDataInputStream  *input,
                   abr_sampled_brush_hdr.bounds_long[1]); /* right - left */
         bytes  = abr_sampled_brush_hdr.depth >> 3;
 
-        /* g_print("width %i  height %i\n", width, height); */
+        /* g_print ("width %i  height %i  bytes %i\n", width, height, bytes); */
+
+        if (width  < 1 || width  > 10000 ||
+            height < 1 || height > 10000 ||
+            bytes  < 1 || bytes  > 1     ||
+            G_MAXSIZE / width / height / bytes < 1)
+          {
+            g_set_error (error, GIMP_DATA_ERROR, GIMP_DATA_ERROR_READ,
+                         _("Fatal parse error in brush file: "
+                           "Brush dimensions out of range."));
+            break;
+          }
 
         abr_sampled_brush_hdr.wide = height > 16384;
 
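Review bot: The new cap `height > 10000` on L39 makes the existing `abr_sampled_brush_hdr.wide = height > 16384;` on L49 unreachable as true, so "wide" sampled brushes are now always rejected before that path is taken; if dropping them is intended, a comment saying so should sit next to the cap, otherwise the cap needs to be raised. The overflow guard `G_MAXSIZE / width / height / bytes < 1` is dead given the bounds just checked (the product is at most 10000 * 10000 * 1, far below G_MAXSIZE on any target), and `bytes < 1 || bytes > 1` reads more clearly as `bytes != 1`. I would replace the combined condition with `if (width < 1 || width > 10000 || height < 1 || height > 10000 || bytes != 1)` and add `/* Only 8-bit sampled brushes are supported; the 10000 cap also bounds the width * height allocation that follows. */` — the allocation itself is outside the hunk, so that last clause is presumed from the surrounding code. The enclosing function gimp_brush_load_abr_brush_v12 starts and ends outside this hunk.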
@@ -956,10 +967,10 @@ abr_reach_8bim_section (GDataInputStream  *input,
 {
   while (TRUE)
     {
-      gchar  tag[4];
-      gchar  tagname[5];
-      gint32 section_size;
-      gsize  bytes_read;
+      gchar   tag[4];
+      gchar   tagname[5];
+      guint32 section_size;
+      gsize   bytes_read;
 
       if (! g_input_stream_read_all (G_INPUT_STREAM (input),
                                      tag, 4,
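Review bot: Switching `section_size` to `guint32` only removes the backward seek if the read that fills it and the skip that consumes it agree on the unsigned type, and both are outside this hunk; if the value is read with a signed int32 reader the assignment converts correctly, but a seek that computes the offset from a signed intermediate would still sign-extend. A forward skip of up to 4 GiB is now accepted, so the caller must rely on the seek or the next `g_input_stream_read_all` failing at end of stream to leave the `while (TRUE)` loop, which is worth stating explicitly. I would document the intent on the declaration: `guint32 section_size; /* unsigned: a crafted negative size must never seek backward (bug 788870) */`. abr_reach_8bim_section continues past the end of the hunk.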

