dallasgroot/Gimp
dallasgroot/Gimp
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

plug-ins: ZDI-CAN-26752 mitigation

Browse source 
Resolves #13910
Since ICO can store PNGs, it's possible to create an
icon that's much larger than the stated image size and
cause a buffer overflow.
This patch adds a check to make sure the width * height * 4
calculation does not overflow in addition to making sure it
doesn't exceed the maximum allowed size for that icon.
This commit is contained in:
Alx Sa 2025-05-03 14:13:46 +00:00
parent ec03ef1a41
commit c855d1df60
1 changed files with 5 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
plug-ins/file-ico/ico-load.c
View file

@ -299,7 +299,11 @@ ico_read_png (FILE *fp,
png_read_info (png_ptr, info);
png_get_IHDR (png_ptr, info, &w, &h, &bit_depth, &color_type,
NULL, NULL, NULL);
if (w*h*4 > maxsize)
/* Check for overflow */
if ((w * h * 4) < w ||
(w * h * 4) < h ||
(w * h * 4) < (w * h) ||
(w * h * 4) > maxsize)
{
png_destroy_read_struct (&png_ptr, &info, NULL);
return FALSE;