plug-ins: Add bounds checks to JIF loading

Resolves #16076 As reported by chamal, it is possible to craft a Jeff's Image Format image with header values that are larger than the file size. This can lead to buffer overflows when loading the data. This patch adds bounding checks based on the size of the stream.
2026-03-21 17:33:39 +00:00 · 2026-03-21 17:33:39 +00:00 · 51f1de8844
commit 51f1de8844
parent 9db6c35ac5
1 changed files with 24 additions and 3 deletions
--- a/plug-ins/common/file-gif-load.c
+++ b/plug-ins/common/file-gif-load.c
@ -1520,6 +1520,7 @@ ReadJeffsImage (FILE       *fd,
  guchar    block[255];
  guchar   *compressed;
  guchar   *indexes;
+  guint     data_size;
  guint     count = 0;
  guint     pos   = 0;
  guint     mask  = 0;
@ -1533,8 +1534,18 @@ ReadJeffsImage (FILE       *fd,
        mask |= 1 << i;
    }

-  compressed = g_malloc (len * height);
-  indexes    = g_malloc (len * height);
+  data_size  = len * height;
+  compressed = g_try_malloc (data_size * 255);
+  indexes    = g_try_malloc (data_size);
+
+  if (compressed == NULL ||
+      indexes    == NULL)
+    {
+      read_error (_("image data"), *image, error);
+      g_free (compressed);
+      g_free (indexes);
+      return FALSE;
+    }

  /* Image data is stored as a zlib stream, arbitrarily broken
   * in chunks of 255 bytes or less. We read in the chunk size,
@ -1561,7 +1572,17 @@ ReadJeffsImage (FILE       *fd,
        }

      for (gint i = 0; i < block_size; i++)
-        compressed[i + count] = block[i];
+        {
+          if ((i + count) >= (data_size * 255))
+            {
+              read_error (_("image data"), *image, error);
+              g_free (compressed);
+              g_free (indexes);
+              return FALSE;
+            }
+
+          compressed[i + count] = block[i];
+        }

      count += block_size;
    }