There are reports that clang-based compilers create
a TIM plug-in that crashes when exporting. This seems
related to the method used to convert RGB images to
indexed when choosing TIM textures with palettes on export.
This patch switches to using gimp-image-convert-indexed
instead, to prevent the format mismatch crash on initial export.
Previously, paths from Photoshop TIFF files were appended via
gimp_image_insert_path(..., -1), which caused the displayed order to be
reversed. This change preserves the original ordering while keeping the
'Working Path' as the last element.
When loading layer metadata from TIFF 'ImageSourceData' Tag, don't assume
'Layr' is the first 8BIM block. Iterate over 8BIM/MIB8 blocks, skip non
'Layr' blocks, and rewind 4 bytes before calling read_layer_block() so it
can read the length field as expected. Limit mask_layer_len to the
selected block (including padding).
Multichannel PSD images reuse their first channel as the
main grayscale "layer". Our PSD plug-in did not take this
into account, resulting in the channels being off-by-one and
mislabeled.
This patch prevents chn_a[0].data from being freed after
it is used to load the layer, and then resets the counts so that
it is reused as the first imported channel.
968cf06a only loaded the rectangle area that the
selection was contained in, rather than the actual
channel data. This patch extended the code to
also read in the PSP_CHANNEL_BLOCK data, add
it to the selection GeglBuffer, and then shift it over
into the correct location.
Resolves #16076
As reported by chamal, it is possible to craft a
Jeff's Image Format image with header values that
are larger than the file size. This can lead to buffer
overflows when loading the data. This patch adds
bounding checks based on the size of the stream.
Resolves #16075
As noted by chamal, it is possible to cause a buffer overflow
in a crafted SFW file. This patch adds bounds checks to prevent
this from occurring.
Resolves #16058
Per mzfr's observations, this patch adds more
safeguards to PVR import. Memory for data and pixels
is allocated and checked rather than using arrays.
Twiddled patterns are increased to 2048 and we
verify the dimensions are in that range before trying
to access. If users share an image that is larger than
that, we can increase this limit further.
Resolves #16056
Per mzfr, we should check if the cursor exceeds the
icon total size in icns_slurp () (per OSX icons) as we
do already in icns_decompress ().
Additionally, we were not deleting the temp_image created
to load each icon, and in fact we were making an unnecessary
blank temp_image before receiving the one from the PNG &
JPEG2000 procedures. This patch fixes both problems.
Per mzfr, we should dynamically allocate memory
for the PAA plug-in pixel data rather than rely on the image
being small enough for an array to store its information.
Resolves #16052
Per mzfr, the pixel array for 4bpp TIM textures needs to
be allocated twice as large since each byte in the file
stores two pixel indexes when opened.
Resolves #16051
As reported by mzfr, it is possible to crash the FITS plug-in
if a large enough image is read in. This patch implements their
suggestions of using g_try_malloc () over malloc () (and checking
if it returns NULL), as well as verifying the width & height are
within GIMP's image range.
Resolves #5553
As noted by Massimo, in the Sparkle plug-in there is an
extra gegl_buffer_iterator_add () that is not used in the following
gegl_buffer_iterator_next (iter) loop. Since this adds dest_buffer
which is also written to in the loop in the fspike () functions,
it can cause data to be overwritten. This patch removes the
unneeded extra function call.
It has long been unmaintained in our repo, with no issues being fixed. Now that
32-bit binaries are not distributed, we can safely move it to the unmaintained section.
If the user chooses to make a new image when
running the Tile plug-in, the color profile is not
carried over. This can result in the tiled image
looking different. This patch adds calls to
gimp_image_get_color_profile () and
gimp_image_set_color_profile () to ensure the
profile is carried over.
Some JPEGs contain large Photoshop path metadata split across multiple APP13 markers. Collect all APP13 payloads and skip the repeated "Photoshop 3.0\0" identifier for subsequent segments so the metadata can be parsed as a single stream.
Resolves #15969
It is possible to set the number of color components
in the JPEG 2000 file separate from the color space,
and OpenJPEG reports that value as-is. This can result
in a buffer overflow if the num_components variable is
larger than the number of channels in the color space.
This patch adds a check to make sure num_components
is within range. If it's larger, then we clamp it to the maximum
value for that color model.
The variable 'cntr' represents the index of all control points of a Photoshop path. It was declared too small, which caused problems with detailed path objects. 'num_rec' is of type 'gint16', but the number of control points is 'num_rec * 6', so 'cntr' must be able to cover that range.
...when there is only one page.
The TIFF load dialog appears when either there are
multiple pages, or we need to make a decision about
how to render the alpha channel.
The "Show reduced images" was shown in both situations,
even though it is not applicable when we only have one page.
This patch moves that code inside the "if (pages->n_pages > 1)"
condition to prevent it from showing when it's not needed.
Error message:
Calling error for procedure 'gimp-image-set-selected-layers':
Procedure 'gimp-image-set-selected-layers' has been called with value '<not transformable to string>' for argument 'layers' (#2, type GimpCoreObjectArray). This value is out of range.
A buffer overflow in the PCX reader was reported.
The +1 was added in commit da217088d0
to allow loading where the images have an off by 1 value. However,
this leaves the problem that allocated buffers may be 1 byte too small.
Because we prefer to keep loading as many images as possible, we choose
not to return an error. Instead we allocate 1 extra byte for the
line buffers.
In addition to that, we add a check for valid values of bpp and error
out early when invalid.
If the bytesperline value is off by more than 1, we output a warning
message and use the manually computed value instead.
Additionally add a comment that we need to fix a British English
word in a string after string freeze.
Per Jacob Boerema, the DCX loading plug-in left
behind stray images. This is because we load each
PCX image inside the DCX as a separate image and then
copy it as a layer into the first one. However, we were
not deleting the temporary image afterwards.
This patch adds a call to gimp_image_delete () to do
the clean-up work after copying the layer from the
temporary image.
Resolves #15289
This patch replaces the initial allocation of pixel_row
with a per-format allocation. This should resolve issues
where the allocation was too small for certain formats,
without requiring a large allocation for all formats regardless
of need.
Resolves #9545
When exporting a JPEG as CMYK, it is possible for the
"Save Profile" metadata option to be unchecked. This causes
the image to be saved without its CMYK profile, resulting in an
incorrect image rendering.
As this is almost never the desired case, this patch changes the
export logic to always save the profile IF the user has requested
CMYK export and a CMYK profile is attached.
Additionally, this patch fixes an issue in the export dialog where
the DCT options are shown as a radio frame instead of a combobox
as in GIMP 2.10.
Reported as ZDI-CAN-28874.
For psp images with bit depth 1 or 4 bits and small widths, it was
possible to overflow the buffer because these bit depths are stored
in multiples of 4 bytes per line.
Because these formats are converted to regular RGB, this means that for
small widths, more bytes are needed than expected when we are upscaling
to 8-bit.
To fix this, we compute the line size when depth < 8, and adjust
line width if that value is larger.
Reported as ZDI-CAN-28807
With large row and column sizes 32-bit int values are not large
enough to hold the product and thus can cause overflow.
While we are at it, we not only fix the location from the report, but
also other occurrences that could overflow.
- We change certain variables to gsize to make sure they can hold a
64-bit value.
- Other intermediate results are promoted to (gsize) to make sure that
the product is computed as gsize.
- Move some i,j variables to the loops where they are used.
Resolves #15971
It was possible to set an XPM image to have a width and/or height
that is larger than what GIMP can create an image for. In addition to
causing gimp_image_new () to fail, it can also lead to buffer overflow
when allocating space to read in the image.
This patch adds a GError parameter to parse_image (), then uses it to
pass up an error for either oversized images or buffer overflows.
Resolves #15968
It is possible to cause a buffer overflow in our ANI
loading code by setting the Name or Artist metadata
files to 0xFFFFFFFF. This patch changes our allocation
code to use g_try_new0 () instead of g_new0 (), and
verifies if it is NULL before trying to read data into it.
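The header and length-field checks that the JEF, SFW, XPM, 32-bit overflow and ANI commits above describe, as an added C example written for this page; it is not GIMP's code, and MAX_DIMENSION, validate_header and copy_block are names assumed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed per-dimension limit for this example; GIMP defines its own maximum image size. */
#define MAX_DIMENSION 524288u

typedef enum { HDR_OK, HDR_BAD_DIMENSION, HDR_BAD_BPP, HDR_OVERFLOW, HDR_TRUNCATED } hdr_status;

/* Bytes in one packed row: width*bpp bits rounded up to whole bytes, computed in 64 bits
 * so that the product of two 32-bit header fields cannot wrap. */
static size_t row_bytes(uint32_t width, uint32_t bpp) {
    uint64_t bits = (uint64_t)width * bpp;
    return (size_t)((bits + 7) / 8);
}

/* Validate header fields (width, height, bpp) against the real stream length.
 * On success *data_bytes is the packed payload size in the file and *pixel_count the
 * number of pixels the unpacked buffer must hold (for 4bpp that is two per stored byte). */
static hdr_status validate_header(uint32_t width, uint32_t height, uint32_t bpp,
                                  size_t stream_len, size_t header_len,
                                  size_t *data_bytes, size_t *pixel_count) {
    if (width == 0 || height == 0 || width > MAX_DIMENSION || height > MAX_DIMENSION)
        return HDR_BAD_DIMENSION;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 24 && bpp != 32)
        return HDR_BAD_BPP;
    size_t row = row_bytes(width, bpp);          /* >= 1 because width and bpp are >= 1 */
    if (height > SIZE_MAX / row)                 /* test before multiplying in the wide type */
        return HDR_OVERFLOW;
    size_t data = row * (size_t)height;
    /* Subtract instead of adding: header_len + data could itself wrap. */
    if (header_len > stream_len || data > stream_len - header_len)
        return HDR_TRUNCATED;
    *data_bytes = data;
    *pixel_count = (size_t)width * (size_t)height;
    return HDR_OK;
}

/* Length-prefixed block (a metadata string, an 8BIM block): accept the 32-bit length only
 * if the block fits in what remains of the stream, then allocate fallibly. */
static uint8_t *copy_block(const uint8_t *stream, size_t stream_len,
                           size_t offset, uint32_t block_len) {
    if (offset > stream_len || block_len > stream_len - offset)
        return NULL;                             /* a 0xFFFFFFFF length never reaches malloc */
    uint8_t *out = malloc(block_len ? block_len : 1);
    if (out == NULL)
        return NULL;                             /* as with g_try_new0: caller reports an error */
    memcpy(out, stream + offset, block_len);
    return out;
}
```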