[gimp/gimp-2-8] gbr/pat: Fix out of boundary read on illegal names



commit 1f61eceaf0fab951f3ebab6363fcb3b531a24769
Author: Tobias Stoeckmann <tobias stoeckmann org>
Date:   Tue Oct 31 12:11:08 2017 +0100

    gbr/pat: Fix out of boundary read on illegal names
    
    The file formats GBR and PAT contain names which are supposed to be
    NUL-terminated within the files. If no such terminating NUL byte
    exists, the parsers of GBR and PAT trigger an out of boundary read
    during utf-8 conversion.
    
    Signed-off-by: Tobias Stoeckmann <tobias stoeckmann org>
    (cherry picked from commit 4fa0cd4dcf2df06e95c757f753845e9f68a33844)

 app/core/gimpbrush-load.c   |    2 +-
 app/core/gimppattern-load.c |    2 +-
 plug-ins/common/file-gbr.c  |    2 +-
 plug-ins/common/file-pat.c  |    2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
---
diff --git a/app/core/gimpbrush-load.c b/app/core/gimpbrush-load.c
index bc67872..ea0325a 100644
--- a/app/core/gimpbrush-load.c
+++ b/app/core/gimpbrush-load.c
@@ -284,7 +284,7 @@ gimp_brush_load_brush (GimpContext  *context,
           return NULL;
         }
 
-      utf8 = gimp_any_to_utf8 (name, -1,
+      utf8 = gimp_any_to_utf8 (name, bn_size - 1,
                                _("Invalid UTF-8 string in brush file '%s'."),
                                gimp_filename_to_utf8 (filename));
       g_free (name);
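Review bot: `bn_size - 1` is only a safe bound when the name field is at least one byte long. With `bn_size == 0` the argument is -1 again (or a very large length if `bn_size` is unsigned; its declaration is not in the hunk), which brings back the unbounded scan this commit removes. The enclosing function starts and ends outside the hunk, so an existing guard cannot be confirmed here. If there is none, reject a zero-length name on the existing error path before the conversion, and consider a comment such as `/* name holds bn_size bytes read from the file; the last one should be NUL, so bound the scan */`. The same applies to `bn_size - 1` in gimp_pattern_load (app/core/gimppattern-load.c) and `size - 1` in load_image (plug-ins/common/file-gbr.c). The fix also relies on gimp_any_to_utf8 honoring the length on every internal path, including any copy it makes of the input, and that helper is not part of this diff.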
diff --git a/app/core/gimppattern-load.c b/app/core/gimppattern-load.c
index 812e1c1..d5d0059 100644
--- a/app/core/gimppattern-load.c
+++ b/app/core/gimppattern-load.c
@@ -135,7 +135,7 @@ gimp_pattern_load (GimpContext  *context,
           goto error;
         }
 
-      utf8 = gimp_any_to_utf8 (name, -1,
+      utf8 = gimp_any_to_utf8 (name, bn_size - 1,
                                _("Invalid UTF-8 string in pattern file '%s'."),
                                gimp_filename_to_utf8 (filename));
       g_free (name);
diff --git a/plug-ins/common/file-gbr.c b/plug-ins/common/file-gbr.c
index bedd2be..8a6558d 100644
--- a/plug-ins/common/file-gbr.c
+++ b/plug-ins/common/file-gbr.c
@@ -461,7 +461,7 @@ load_image (const gchar  *filename,
           return -1;
         }
 
-      name = gimp_any_to_utf8 (temp, -1,
+      name = gimp_any_to_utf8 (temp, size - 1,
                                _("Invalid UTF-8 string in brush file '%s'."),
                                gimp_filename_to_utf8 (filename));
       g_free (temp);
diff --git a/plug-ins/common/file-pat.c b/plug-ins/common/file-pat.c
index 26d7e05..9664438 100644
--- a/plug-ins/common/file-pat.c
+++ b/plug-ins/common/file-pat.c
@@ -376,7 +376,7 @@ load_image (const gchar  *filename,
       return -1;
     }
 
-  name = gimp_any_to_utf8 (temp, -1,
+  name = gimp_any_to_utf8 (temp, ph.header_size - sizeof (PatternHeader) - 1,
                            _("Invalid UTF-8 string in pattern file '%s'."),
                            gimp_filename_to_utf8 (filename));
   g_free (temp);
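Review bot: The new length `ph.header_size - sizeof (PatternHeader) - 1` is evaluated in unsigned arithmetic because of `sizeof`, so a `header_size` equal to or smaller than the struct size wraps to a very large value instead of going negative. Whether load_image rejects such headers earlier cannot be seen from this hunk, since the function continues outside it. If it does not, the check belongs before the allocation and the read, e.g. `if (ph.header_size <= sizeof (PatternHeader))` followed by the function's usual error handling and cleanup. Computing the name size once into a local, as the other three files appear to do with `bn_size` and `size`, would keep the allocation, the read and this length argument from drifting apart.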

