plug-ins: Add overflow checks for ICO loading

As pointed out by Dhiraj, it is possible to set width and height values in the ICO header that will overflow a 32 bit integer when loaded in. This patch adds checks using g_size_check_mul () and g_try_new () to catch these overflows and prevent them from crashing the plug-in.
2026-01-12 12:17:00 +00:00 · 2026-01-12 12:17:00 +00:00 · 058ada8f3f
commit 058ada8f3f
parent 88813b0c12
1 changed files with 12 additions and 2 deletions
--- a/plug-ins/file-ico/ico-load.c
+++ b/plug-ins/file-ico/ico-load.c
@ -430,6 +430,7 @@ ico_read_icon (FILE    *fp,
               gint    *height)
 {
  IcoFileDataHeader   data;
+  gsize               data_size;
  gint                length;
  gint                x, y, w, h;
  guchar             *xor_map, *and_map;
@ -479,7 +480,9 @@ ico_read_icon (FILE    *fp,
      return FALSE;
    }

-  if (data.width * data.height * 2 > maxsize)
+  if (! g_size_checked_mul (&data_size, data.width, data.height) ||
+      ! g_size_checked_mul (&data_size, data_size, 2)            ||
+      data_size > maxsize)
    {
      D(("skipping image: too large\n"));
      return FALSE;
@ -749,7 +752,14 @@ ico_load_image (GFile        *file,
  image = gimp_image_new (max_width, max_height, GIMP_RGB);

  maxsize = max_width * max_height * 4;
-  buf = g_new (guchar, max_width * max_height * 4);
+  buf     = g_try_new (guchar, maxsize);
+  if (! buf)
+    {
+      g_free (info);
+      fclose (fp);
+      return NULL;
+    }
+
  for (i = 0; i < icon_count; i++)
    {
      GimpLayer *layer;