From 51f1de884407645df64e8ce8490e25f905fde323 Mon Sep 17 00:00:00 2001
From: Alx Sa
Date: Sat, 21 Mar 2026 17:33:39 +0000
Subject: [PATCH] plug-ins: Add bounds checks to JIF loading
Resolves #16076
As reported by chamal, it is possible to craft a Jeff's Image Format image with header values that are larger than the file size. This can lead to buffer overflows when loading the data.
This patch adds bounding checks based on the size of the stream.
---
 plug-ins/common/file-gif-load.c | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)
diff --git a/plug-ins/common/file-gif-load.c b/plug-ins/common/file-gif-load.c
index f71c556ff1..cdf905e464 100644
--- a/plug-ins/common/file-gif-load.c
+++ b/plug-ins/common/file-gif-load.c
@@ -1520,6 +1520,7 @@ ReadJeffsImage (FILE *fd,
 guchar block[255];
 guchar *compressed;
 guchar *indexes;
+ guint data_size;
 guint count = 0;
 guint pos = 0;
 guint mask = 0;
@@ -1533,8 +1534,18 @@ ReadJeffsImage (FILE *fd,
 mask |= 1 << i;
 }
- compressed = g_malloc (len * height);
- indexes = g_malloc (len * height);
+ data_size = len * height;
+ compressed = g_try_malloc (data_size * 255);
+ indexes = g_try_malloc (data_size);
+
+ if (compressed == NULL ||
+ indexes == NULL)
+ {
+ read_error (_("image data"), *image, error);
+ g_free (compressed);
+ g_free (indexes);
+ return FALSE;
+ }
 /* Image data is stored as a zlib stream, arbitrarily broken
 * in chunks of 255 bytes or less. We read in the chunk size,
@@ -1561,7 +1572,17 @@ ReadJeffsImage (FILE *fd,
 }
 for (gint i = 0; i < block_size; i++)
- compressed[i + count] = block[i];
+ {
+ if ((i + count) >= (data_size * 255))
+ {
+ read_error (_("image data"), *image, error);
+ g_free (compressed);
+ g_free (indexes);
+ return FALSE;
+ }
+
+ compressed[i + count] = block[i];
+ }
 count += block_size;
 }
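Review bot: `data_size = len * height;` and `g_try_malloc (data_size * 255)` multiply header-derived values in a `guint` with no overflow check, so a large `len`/`height` pair wraps the product and the allocation silently becomes small; the loop bound added later is derived from the same wrapped expression, so writes appear to stay inside the buffer, but any legitimately large image (roughly 16 MB of raw data on a 32-bit `guint`, though the exact limit depends on the types of `len` and `height`, which are outside the hunk) would then fail to load for no reason. I would reject the header before allocating, reusing the new error path: `if (len == 0 || height == 0 || height > G_MAXUINT / len || len * height > G_MAXUINT / 255) { read_error (_("image data"), *image, error); return FALSE; }`, and store the compressed-buffer size once in a named `gsize` so the allocation and the later bound check cannot drift apart. Separately, 255 × the raw image size is a very generous ceiling for a zlib stream and lets a tiny file request a multi-gigabyte allocation; the commit message says the check is "based on the size of the stream", but nothing in this hunk consults the file length, so capping the buffer by what remains in `fd` (e.g. via `fstat` on `fileno (fd)`) would be the tighter bound the message describes. `ReadJeffsImage` starts and ends outside this hunk.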