[gimp/gimp-2-10] xcf: fix #6138 Stack Overflow when saving xcf.
- From: Jacob Boerema <jboerema src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gimp/gimp-2-10] xcf: fix #6138 Stack Overflow when saving xcf.
- Date: Thu, 21 Jan 2021 16:48:22 +0000 (UTC)
commit 89809cf55a1d0ca5a78f683e9f2402abbe28e00d
Author: Jacob Boerema <jgboerema gmail com>
Date: Wed Jan 20 14:56:45 2021 -0500
xcf: fix #6138 Stack Overflow when saving xcf.
Although I haven't been able to reproduce it, it is apparently
possible to get a Stack Overflow when loading xcf files with
presumably very large dimensions on Windows. From what
I'm reading Windows normally has a smaller stack size than
Linux, probably why it hasn't surfaced there.
Instead of allocating on the stack let's do a g_malloc0
combined with g_free.
(cherry picked from commit 6b65998bf7a54304852dde0221b8f04ebb245a0a)
app/xcf/xcf-save.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
---
diff --git a/app/xcf/xcf-save.c b/app/xcf/xcf-save.c
index ee5cdcf706..a1c4f71066 100644
--- a/app/xcf/xcf-save.c
+++ b/app/xcf/xcf-save.c
@@ -1629,9 +1629,10 @@ xcf_save_level (XcfInfo *info,
/* allocate an offset table so we don't have to seek back after each
* tile, see bug #686862. allocate ntiles + 1 slots because a zero
* offset indicates the offset table's end.
+ * Do not use g_alloca since it may cause Stack Overflow on
+ * large images, see issue #6138.
*/
- offset_table = g_alloca ((ntiles + 1) * sizeof (goffset));
- memset (offset_table, 0, (ntiles + 1) * sizeof (goffset));
+ offset_table = g_malloc0 ((ntiles + 1) * sizeof (goffset));
next_offset = offset_table;
/* 'saved_pos' is the offset of the tile offset table */
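Review bot: the size expression `(ntiles + 1) * sizeof (goffset)` passed to the new g_malloc0 call is still an unchecked multiplication, and the commit message is concerned with very large images, where ntiles is at its largest. `g_new0 (goffset, ntiles + 1)` returns the same zeroed table and lets GLib check the count-times-size product for overflow. Note also that g_malloc0 aborts the program when the allocation fails; if saving a huge image should fail with an error instead, g_try_new0 with a NULL check and a FALSE return would do that.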
@@ -1671,6 +1672,7 @@ xcf_save_level (XcfInfo *info,
break;
case COMPRESS_FRACTAL:
g_warning ("xcf: fractal compression unimplemented");
+ g_free (offset_table);
return FALSE;
}
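Review bot: the g_free added before `return FALSE` in the COMPRESS_FRACTAL case is one of three hand-placed frees in this patch, so any return path added to xcf_save_level later has to remember the table as well. Declaring the pointer with g_autofree, or routing the failure paths through a single cleanup label, would release it on every exit without per-branch calls.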
@@ -1681,6 +1683,7 @@ xcf_save_level (XcfInfo *info,
{
g_message ("xcf: invalid tile data length: %" G_GOFFSET_FORMAT,
info->cp - offset);
+ g_free (offset_table);
return FALSE;
}
@@ -1695,6 +1698,8 @@ xcf_save_level (XcfInfo *info,
/* seek to the end of the file */
xcf_check_error (xcf_seek_pos (info, offset, error));
+ g_free (offset_table);
+
return TRUE;
}
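Review bot: the final g_free sits after `xcf_check_error (xcf_seek_pos (info, offset, error));`, so if xcf_check_error returns from the function when the seek fails (its definition is not shown in this diff), offset_table leaks on that path. The seek call does not take the table as an argument, so moving the g_free above the xcf_check_error line closes that gap. Any other xcf_check_error calls between the allocation and this point deserve the same look.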