[gimp/gimp-2-10] app: avoid use-after-free when loading an XCF with corrupted layers



commit 42b865561d720bb632793f0d3bfc1d3315e945ed
Author: Ell <ell_se yahoo com>
Date:   Fri Feb 21 11:49:49 2020 +0200

    app: avoid use-after-free when loading an XCF with corrupted layers
    
    When dropping a corrupted layer while loading an XCF, make sure to
    clear the corresponding XcfInfo fields that point to it, so that
    it's not erroneously used later, as we now continue loading the
    image even after corrupted layers are encountered.
    
    See, for example, issue #4643, for a corrupted XCF file affected by
    this.
    
    (cherry picked from commit d53e701daaf43ccd51e6b07d526e918851a84350)

 app/xcf/xcf-load.c | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)
---
diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c
index 06623d22cd..09c4cb71d0 100644
--- a/app/xcf/xcf-load.c
+++ b/app/xcf/xcf-load.c
@@ -2008,7 +2008,17 @@ xcf_load_layer (XcfInfo    *info,
   return layer;
 
  error:
+  if (info->active_layer == layer)
+    info->active_layer = NULL;
+
+  if (info->floating_sel == layer)
+    info->floating_sel = NULL;
+
+  if (info->floating_sel_drawable == GIMP_DRAWABLE (layer))
+    info->floating_sel_drawable = NULL;
+
   g_object_unref (layer);
+
   return NULL;
 }
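Review bot: The same "does this XcfInfo field still point at the item being dropped" comparison is hand-copied into three error paths, each clearing a different subset of fields (this `error:` label clears active_layer, floating_sel and floating_sel_drawable; the ones in xcf_load_channel and xcf_load_layer_mask below clear active_channel and floating_sel_drawable), so any XcfInfo field added later has to be remembered in three places. A small static helper that takes the item as a GimpItem and compares against every pointer field with plain C casts would keep the three paths in sync; plain casts rather than the checked `GIMP_LAYER ()`/`GIMP_CHANNEL ()` macros are needed there, because a checked cast emits a runtime warning when the instance is of another type and the helper is deliberately called with channels and masks too. Each error path then reduces to `xcf_info_forget_item (info, GIMP_ITEM (layer));` (respectively `channel`, `layer_mask`) before the existing `g_object_unref`. xcf_load_layer's body starts outside the hunk, so it is worth confirming that `error:` cannot be reached after a layer mask has already been attached to the layer — the unref would then also drop the mask, and any XcfInfo field still pointing at the mask would need the same treatment.
```c
/* Clear every XcfInfo field that still points at ITEM, which the caller is
 * about to unref; a stale pointer here would be dereferenced later on while
 * loading continues past the corrupted item.  Plain casts on purpose: the
 * checked GIMP_* macros would warn when ITEM is not of that type.
 */
static void
xcf_info_forget_item (XcfInfo  *info,
                      GimpItem *item)
{
  if (info->active_layer == (GimpLayer *) item)
    info->active_layer = NULL;

  if (info->active_channel == (GimpChannel *) item)
    info->active_channel = NULL;

  if (info->floating_sel == (GimpLayer *) item)
    info->floating_sel = NULL;

  if (info->floating_sel_drawable == (GimpDrawable *) item)
    info->floating_sel_drawable = NULL;
}

/* … unchanged: xcf_load_layer body up to the error label … */
 error:
  xcf_info_forget_item (info, GIMP_ITEM (layer));
  g_object_unref (layer);

  return NULL;
```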
 
@@ -2070,7 +2080,15 @@ xcf_load_channel (XcfInfo   *info,
  error:
   /* don't unref the selection of a partially loaded XCF */
   if (channel != gimp_image_get_mask (image))
-    g_object_unref (channel);
+    {
+      if (info->active_channel == channel)
+        info->active_channel = NULL;
+
+      if (info->floating_sel_drawable == GIMP_DRAWABLE (channel))
+        info->floating_sel_drawable = NULL;
+
+      g_object_unref (channel);
+    }
 
   return NULL;
 }
@@ -2134,7 +2152,14 @@ xcf_load_layer_mask (XcfInfo   *info,
   return layer_mask;
 
  error:
+  if (info->active_channel == GIMP_CHANNEL (layer_mask))
+    info->active_channel = NULL;
+
+  if (info->floating_sel_drawable == GIMP_DRAWABLE (layer_mask))
+    info->floating_sel_drawable = NULL;
+
   g_object_unref (layer_mask);
+
   return NULL;
 }
 

