[gimp] Issue #1731: gbr file that crashes gimp-2.10.

From: Jehan <jehanp src gnome org>
To: commits-list gnome org
Cc:
Subject: [gimp] Issue #1731: gbr file that crashes gimp-2.10.
Date: Thu, 28 Jun 2018 15:29:53 +0000 (UTC)

commit b3de0bb7a5bbb84a6851b3b5455de5d1eb271c55
Author: Jehan <jehan girinstud io>
Date:   Thu Jun 28 17:25:57 2018 +0200

    Issue #1731: gbr file that crashes gimp-2.10.
    
    GIMP_BRUSH_MAX_SIZE was already defined (as 10.000 pixels per dimension,
    which is big for a brush) in gimpbrush.h. Let's just use this to
    validate the size returned by the header.

 app/core/gimpbrush-load.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
---
diff --git a/app/core/gimpbrush-load.c b/app/core/gimpbrush-load.c
index 7f5117f010..f0cd6df092 100644
--- a/app/core/gimpbrush-load.c
+++ b/app/core/gimpbrush-load.c
@@ -34,7 +34,6 @@
 
 #include "gimp-intl.h"
 
-
 /* stuff from abr2gbr Copyright (C) 2001 Marco Lamberto <lm sunnyspot org>  */
 /* the above is GPL  see http://the.sunnyspot.org/gimp/  */
 
@@ -189,6 +188,15 @@ gimp_brush_load_brush (GimpContext   *context,
       return NULL;
     }
 
+  if (header.width > GIMP_BRUSH_MAX_SIZE ||
+      header.height > GIMP_BRUSH_MAX_SIZE)
+    {
+      g_set_error (error, GIMP_DATA_ERROR, GIMP_DATA_ERROR_READ,
+                   _("Fatal parse error in brush file: %dx%d over max size."),
+                   header.width, header.height);
+      return NULL;
+    }
+
   switch (header.version)
     {
     case 1:

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]