[gimp/gimp-2-8] Bug 789610: invalid gbr brush crashing GIMP



commit 4d4a8cf70fc938426e51cc3b1385b255db22400d
Author: Massimo Valentini <mvalentini src gnome org>
Date:   Wed Nov 1 13:50:05 2017 +0100

    Bug 789610: invalid gbr brush crashing GIMP
    
    (cherry picked from commit 657a754f98eb9a67d8dcbc8c05a3e3a66fbee44f)

 app/core/gimpbrush-load.c  |    8 +++++++-
 plug-ins/common/file-gbr.c |    6 ++++++
 2 files changed, 13 insertions(+), 1 deletions(-)
---
diff --git a/app/core/gimpbrush-load.c b/app/core/gimpbrush-load.c
index f76c35a..682be89 100644
--- a/app/core/gimpbrush-load.c
+++ b/app/core/gimpbrush-load.c
@@ -161,7 +161,7 @@ gimp_brush_load_brush (GimpContext  *context,
                        GError      **error)
 {
   GimpBrush   *brush;
-  gint         bn_size;
+  gsize        bn_size;
   BrushHeader  header;
   gchar       *name = NULL;
   guchar      *pixmap;
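Review bot: Making `bn_size` a `gsize` turns every later comparison against it into unsigned arithmetic, which matters if the code below this hunk compares a signed read result with it. A check of the form `read (fd, name, bn_size) < bn_size` would no longer fire on a `-1` error return, because `-1` converts to the largest `gsize` value. The rest of gimp_brush_load_brush is outside the hunk, so this needs confirming there. If such a comparison exists, test the return value for `< 0` separately before comparing lengths.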
@@ -260,6 +260,12 @@ gimp_brush_load_brush (GimpContext  *context,
       return NULL;
     }
 
+  if (header.header_size < sizeof (BrushHeader))
+    {
+      g_message (_("Unsupported brush format"));
+      return NULL;
+    }
+
   /*  Read in the brush name  */
   if ((bn_size = (header.header_size - sizeof (header))))
     {
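Review bot: The added check gives `header.header_size` a lower bound but no upper bound, so `bn_size` on the `Read in the brush name` line is still taken straight from the file and can be arbitrarily large. If the code after the hunk allocates or reads `bn_size` bytes, a malformed brush could still request a very large buffer. Consider extending the condition with `|| header.header_size - sizeof (BrushHeader) > MAX_BRUSH_NAME`, where `MAX_BRUSH_NAME` is a placeholder for a limit the project would choose. The new branch also returns NULL with only `g_message ()` although the function takes `GError **error`; callers that expect `*error` to be set on failure would get nothing, so `g_set_error ()` with the domain and code used by the other failure paths may fit better. The function body continues outside the hunk.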
diff --git a/plug-ins/common/file-gbr.c b/plug-ins/common/file-gbr.c
index d3f01d9..a70f291 100644
--- a/plug-ins/common/file-gbr.c
+++ b/plug-ins/common/file-gbr.c
@@ -413,6 +413,12 @@ load_image (const gchar  *filename,
       /* And we need to rewind the handle, 4 due spacing and 4 due magic */
       lseek (fd, -8, SEEK_CUR);
       bh.header_size += 8;
+      if (bh.header_size < sizeof (BrushHeader))
+        {
+          g_message (_("Unsupported brush format"));
+          g_object_unref (input);
+          return -1;
+        }
       break;
 
     case 3: /*  cinepaint brush  */
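Review bot: The new early return releases `input` but does not close `fd`, the descriptor that the `lseek (fd, -8, SEEK_CUR)` line just above operates on, so the descriptor would leak on this path. `input` is not declared anywhere in the visible hunk; since this is a cherry-pick, it is worth confirming that the name exists in this branch's load_image at all. If this branch works on the raw descriptor, the cleanup should be `close (fd);` before `return -1;`. load_image starts and ends outside the hunk.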

