[gimp] app: avoid use-after-free when loading an XCF with corrupted layers



commit d53e701daaf43ccd51e6b07d526e918851a84350
Author: Ell <ell_se yahoo com>
Date:   Fri Feb 21 11:49:49 2020 +0200

    app: avoid use-after-free when loading an XCF with corrupted layers
    
    When dropping a corrupted layer while loading an XCF, make sure to
    clear the corresponding XcfInfo fields that point to it, so that
    it's not erroneously used later, as we now continue loading the
    image even after corrupted layers are encountered.
    
    See, for example, issue #4643, for a corrupted XCF file affected by
    this.

 app/xcf/xcf-load.c | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)
---
diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c
index 5f609e2d04..69f616bee0 100644
--- a/app/xcf/xcf-load.c
+++ b/app/xcf/xcf-load.c
@@ -2032,7 +2032,17 @@ xcf_load_layer (XcfInfo    *info,
   return layer;
 
  error:
+  if (info->active_layer == layer)
+    info->active_layer = NULL;
+
+  if (info->floating_sel == layer)
+    info->floating_sel = NULL;
+
+  if (info->floating_sel_drawable == GIMP_DRAWABLE (layer))
+    info->floating_sel_drawable = NULL;
+
   g_object_unref (layer);
+
   return NULL;
 }
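Review bot: The new checks clear XcfInfo references to the layer itself, but not to a mask the layer may already own when `goto error` is reached; if the mask is loaded and attached with `gimp_layer_add_mask` earlier in this function (outside the hunk, so inferred from the usual structure) and a later step fails, `g_object_unref (layer)` releases the mask as well while `info->active_channel` or `info->floating_sel_drawable` could still point at it. Worth auditing the `goto error` sites that follow the mask attachment and, if any exist, clearing those fields for the mask too, e.g. `GimpLayerMask *mask = gimp_layer_get_mask (layer); if (mask && info->active_channel == GIMP_CHANNEL (mask)) info->active_channel = NULL;` plus the same for `floating_sel_drawable`. xcf_load_layer's body starts outside the hunk.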
 
@@ -2094,7 +2104,15 @@ xcf_load_channel (XcfInfo   *info,
  error:
   /* don't unref the selection of a partially loaded XCF */
   if (channel != gimp_image_get_mask (image))
-    g_object_unref (channel);
+    {
+      if (info->active_channel == channel)
+        info->active_channel = NULL;
+
+      if (info->floating_sel_drawable == GIMP_DRAWABLE (channel))
+        info->floating_sel_drawable = NULL;
+
+      g_object_unref (channel);
+    }
 
   return NULL;
 }
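Review bot: The field-clearing sequence added here is the third copy of the same pattern in this commit (layer, channel, layer mask), each hand-listing the XcfInfo fields to compare; a future field added to XcfInfo would have to be remembered in all three error paths. A small static helper that compares by pointer identity (so no GObject cast warnings for mismatched types) would let each error path become one call, `xcf_info_forget_item (info, channel);`, inside the existing `if (channel != gimp_image_get_mask (image))` guard, which correctly leaves the image-owned selection alone since it is not released here. xcf_load_channel's body starts outside the hunk.
```c
/* Drop any XcfInfo references to ITEM before it is released, since
 * loading now continues past a corrupted layer, channel or mask. */
static void
xcf_info_forget_item (XcfInfo  *info,
                      gpointer  item)
{
  if ((gpointer) info->active_layer == item)
    info->active_layer = NULL;

  if ((gpointer) info->active_channel == item)
    info->active_channel = NULL;

  if ((gpointer) info->floating_sel == item)
    info->floating_sel = NULL;

  if ((gpointer) info->floating_sel_drawable == item)
    info->floating_sel_drawable = NULL;
}
```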
@@ -2158,7 +2176,14 @@ xcf_load_layer_mask (XcfInfo   *info,
   return layer_mask;
 
  error:
+  if (info->active_channel == GIMP_CHANNEL (layer_mask))
+    info->active_channel = NULL;
+
+  if (info->floating_sel_drawable == GIMP_DRAWABLE (layer_mask))
+    info->floating_sel_drawable = NULL;
+
   g_object_unref (layer_mask);
+
   return NULL;
 }
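Review bot: The new clearing block carries no comment, and the reason it exists — loading now continues after a corrupted item, so XcfInfo must not keep a pointer to an object that is about to be released — lives only in the commit message. A one-line comment above the first check, `/* loading continues past a corrupted mask; drop XcfInfo references to it before releasing it */`, would keep that rationale next to the code for the next person who touches this error path. xcf_load_layer_mask's body starts outside the hunk.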
 

