plug-ins: fix ZDI-CAN-27878
GIMP WBMP File Parsing Integer Overflow Remote Code Execution Vulnerability. We recently fixed one instance of not upgrading the size, but forgot the other. Fix that here by casting to (gsize). While we're at it, also add a warning when reading more data fails unexpectedly. Closes #14812
parent
0f309f9a8d
commit
fb31ddf322
1 changed files with 6 additions and 2 deletions
|
|
@ -456,6 +456,7 @@ read_image (FILE *fd,
|
|||
GeglBuffer *buffer;
|
||||
guchar *dest, *temp;
|
||||
gint i, cur_progress, max_progress;
|
||||
size_t n_read;
|
||||
|
||||
/* Make a new image in GIMP */
|
||||
if ((width < 0) || (width > GIMP_MAX_IMAGE_SIZE))
|
||||
|
|
@ -480,14 +481,14 @@ read_image (FILE *fd,
|
|||
|
||||
gimp_image_insert_layer (image, layer, NULL, 0);
|
||||
|
||||
dest = g_malloc0 (width * height);
|
||||
dest = g_malloc0 ((gsize) width * height);
|
||||
|
||||
ypos = 0;
|
||||
|
||||
cur_progress = 0;
|
||||
max_progress = height;
|
||||
|
||||
while (ReadOK (fd, &v, 1))
|
||||
while ((n_read = ReadOK (fd, &v, 1)) != 0)
|
||||
{
|
||||
for (i = 1; (i <= 8) && (xpos < width); i++, xpos++)
|
||||
{
|
||||
|
|
@ -512,6 +513,9 @@ read_image (FILE *fd,
|
|||
break;
|
||||
}
|
||||
|
||||
if (n_read == 0)
|
||||
g_warning (_("Read failure at position %u. Possibly corrupt image."), ypos * width + xpos);
|
||||
|
||||
buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer));
|
||||
|
||||
gegl_buffer_set (buffer, GEGL_RECTANGLE (0, 0, width, height), 0, NULL, dest,
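Review bot: The new warning in the third hunk computes `ypos * width + xpos` in what appears to be plain `gint` arithmetic (width is compared against 0, so it is signed), so for large dimensions the product can overflow just as the allocation size did before the `(gsize)` cast, and a signed value is passed to `%u`. Reporting the coordinates separately avoids the multiplication: `g_warning (_("Read failure at row %d, column %d. Possibly corrupt image."), ypos, xpos);` (assuming both are `gint`; their declarations are outside the hunks). The loop body between the second and third hunks is not shown; if it indexes `dest` with the same product, that index needs the same `(gsize)` widening, otherwise the correctly sized buffer can still be written at a wrapped offset. read_image starts and ends outside these hunks.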
|
||||
|
|
|
|||