Gimp/plug-ins/common
Jacob Boerema 548bc3a46d plug-ins: CWE-190: Integer Overflow or Wraparound in Despeckle
As reported by Seungho Kim, our despeckle filter doesn't check for
integer overflow when allocating buffers, nor do we check for failed
allocations.

A potential integer overflow vulnerability exists in the GIMP
"Despeckle" plug-in. The issue occurs due to unchecked multiplication
of image dimensions (width, height) and bytes-per-pixel (img_bpp),
which can result in allocating insufficient memory and subsequently
performing out-of-bounds writes. This could lead to heap corruption and
potential denial-of-service (DoS) or arbitrary code execution in
certain scenarios.

Vulnerability Details
• width and height are of type guint (signed 32-bit int).
• Multiplying width * height * img_bpp can result in a value exceeding
  the bounds of gsize.
• g_new() does not perform overflow protection; if the size wraps around,
  less memory than needed will be allocated.
• Subsequent pixel processing loops write beyond the allocated memory
  region (src, dst).

Proof of Concept (PoC)
Open a specially crafted image with very large dimensions (e.g.,
70,000 x 70,000 pixels) and apply the Despeckle filter. GIMP may crash
due to heap corruption, or undefined behavior may occur.

We applied the suggested changes and in addition adjusted the despeckle
function to be able to set error messages, and check for NULL
allocations.
2025-05-07 14:50:11 -04:00
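The commit message above describes the two defects the fix addresses: an unchecked width * height * bpp product that can wrap before it reaches the allocator, and an allocation result that is never checked for NULL. The following is an added example written for this page, not GIMP's despeckle.c and not the committed fix; it uses plain C (calloc instead of GLib's g_new) and hypothetical helper names (checked_mul, image_buffer_size, alloc_image_buffer) so it compiles on its own. unchecked_size_u32 reproduces the 32-bit wraparound the report points at, and the checked path beside it rejects the same input before any memory is touched.

```c
/* Added example (not GIMP project code): overflow-checked sizing and
 * allocation of an image buffer of width * height * bpp bytes. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The unsafe computation, mirroring a product done in unsigned 32-bit
 * arithmetic: the result silently wraps modulo 2^32, so a huge image
 * yields a small, plausible-looking byte count. */
uint32_t unchecked_size_u32(uint32_t width, uint32_t height, uint32_t bpp)
{
    return (uint32_t)(width * height * bpp);
}

/* Multiply a * b into *out; returns 0 (and leaves *out untouched) if the
 * product would not fit in size_t. Portable, no compiler builtins needed. */
int checked_mul(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Compute the byte size of a width x height x bpp buffer, rejecting zero
 * dimensions and any product that would wrap size_t. Returns 1 on success. */
int image_buffer_size(unsigned width, unsigned height, unsigned bpp, size_t *out)
{
    size_t pixels, bytes;

    if (width == 0 || height == 0 || bpp == 0)
        return 0;
    if (!checked_mul(width, height, &pixels))
        return 0;
    if (!checked_mul(pixels, bpp, &bytes))
        return 0;
    *out = bytes;
    return 1;
}

/* Allocate a zeroed pixel buffer the safe way: size is validated first,
 * then the allocator's return value is checked. On failure *err names the
 * reason and NULL is returned, so the caller can report instead of writing
 * into a buffer that was never allocated. */
unsigned char *alloc_image_buffer(unsigned width, unsigned height,
                                  unsigned bpp, const char **err)
{
    size_t bytes;
    unsigned char *buf;

    if (!image_buffer_size(width, height, bpp, &bytes)) {
        *err = "image dimensions overflow the buffer size";
        return NULL;
    }
    buf = calloc(1, bytes); /* calloc also guards its own nmemb*size product */
    if (buf == NULL) {
        *err = "out of memory allocating pixel buffer";
        return NULL;
    }
    *err = NULL;
    return buf;
}

int main(void)
{
    const char *err;
    size_t bytes;
    unsigned char *buf;

    /* Constructed input: the 70,000 x 70,000 RGBA case from the report. */
    printf("unchecked 32-bit size: %u bytes (wrapped)\n",
           unchecked_size_u32(70000, 70000, 4));
    if (image_buffer_size(70000, 70000, 4, &bytes))
        printf("checked size: %zu bytes\n", bytes);
    else
        printf("checked size: rejected as overflow on this platform\n");

    /* Constructed small input that must succeed. */
    buf = alloc_image_buffer(16, 16, 3, &err);
    printf("16x16x3 allocation: %s\n", buf ? "ok" : err);
    free(buf);
    return 0;
}
```

The size check and the NULL check are separate failure modes and both need handling: on a 64-bit build the 70,000 x 70,000 x 4 product fits in size_t and passes the overflow check, but the roughly 19.6 GB calloc may still fail, which is exactly the case the second check catches.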
align-layers.c extensions, libgimp, plug-ins: remove n_drawables arg from GimpImageProcedure's… 2024-10-28 22:08:45 +01:00
animation-optimize.c Fix spelling errors found with codespell 2025-01-04 15:11:03 +00:00
animation-play.c extensions, libgimp, plug-ins: remove n_drawables arg from GimpImageProcedure's… 2024-10-28 22:08:45 +01:00
blinds.c extensions, libgimp, plug-ins: remove n_drawables arg from GimpImageProcedure's… 2024-10-28 22:08:45 +01:00
border-average.c extensions, libgimp, plug-ins: remove n_drawables arg from GimpImageProcedure's… 2024-10-28 22:08:45 +01:00
busy-dialog.c plug-ins: Port argument macros to functions 2024-06-13 23:17:48 +00:00
checkerboard.c extensions, libgimp, plug-ins: remove n_drawables arg from GimpImageProcedure's… 2024-10-28 22:08:45 +01:00
cml-explorer.c Issue #12045: no defaults for plugin args of type File. 2025-01-22 17:53:21 +01:00
colormap-remap.c extensions, libgimp, plug-ins: remove n_drawables arg from GimpImageProcedure's… 2024-10-28 22:08:45 +01:00
compose.c plug-ins: Include filters when composing 2025-01-01 21:26:09 -05:00
contrast-retinex.c extensions, libgimp, plug-ins: remove n_drawables arg from GimpImageProcedure's… 2024-10-28 22:08:45 +01:00
crop-zealous.c extensions, libgimp, plug-ins: remove n_drawables arg from GimpImageProcedure's… 2024-10-28 22:08:45 +01:00
curve-bend.c app, libgimp*, pdb, plug-ins: rename various public API name s/float/double/. 2024-11-02 15:00:03 +01:00
decompose.c extensions, libgimp, plug-ins: remove n_drawables arg from GimpImageProcedure's… 2024-10-28 22:08:45 +01:00
depth-merge.c extensions, libgimp, plug-ins: remove n_drawables arg from GimpImageProcedure's… 2024-10-28 22:08:45 +01:00
despeckle.c plug-ins: CWE-190: Integer Overflow or Wraparound in Despeckle 2025-05-07 14:50:11 -04:00
destripe.c extensions, libgimp, plug-ins: remove n_drawables arg from GimpImageProcedure's… 2024-10-28 22:08:45 +01:00
file-aa.c app, libgimpcolor, plug-ins: move legacy luminance macros to private. 2024-11-02 00:27:02 +01:00
file-cel.c Issue #12045: no defaults for plugin args of type File. 2025-01-22 17:53:21 +01:00
file-compressor.c app, libgimp, pdb, plug-ins: improve and rename gimp_file_save_thumbnail() to… 2025-01-21 20:31:27 +01:00
file-csource.c libgimp, plug-ins: rename the various "save-*" metadata arguments… 2025-01-20 17:58:30 +01:00
file-desktop-link.c plug-ins: fix some broken macros with a massive search-and-replace. 2023-10-18 18:29:37 +02:00
file-dicom.c app, libgimp*, pdb, plug-ins: review and enhance MR !1549. 2024-08-18 22:46:47 +02:00
file-farbfeld.c app, libgimp*, pdb, plug-ins: review and enhance MR !1549. 2024-08-18 22:46:47 +02:00
file-gbr.c app, libgimp*, plug-ins: move all GimpObjectArray procedure args to GimpCoreObjectArray. 2024-10-25 23:28:42 +02:00
file-gegl.c app, libgimp*, pdb, plug-ins: review and enhance MR !1549. 2024-08-18 22:46:47 +02:00
file-gif-export.c libgimp, plug-ins: rename the various "save-*" metadata arguments… 2025-01-20 17:58:30 +01:00
file-gif-load.c plug-ins: get rid of all remaining usage of gimp_image_[gs]et_colormap(). 2024-09-23 18:20:14 +02:00
file-gih.c plug-ins: restrict GIH max dimensions to GIMP_PIXPIPE_MAXDIM 2025-02-27 03:13:25 +00:00
file-glob.c plug-ins: Port argument macros to functions 2024-06-13 23:17:48 +00:00
file-header.c plug-ins: get rid of all remaining usage of gimp_image_[gs]et_colormap(). 2024-09-23 18:20:14 +02:00
file-heif.c libgimp, plug-ins: rename the various "save-*" metadata arguments… 2025-01-20 17:58:30 +01:00
file-html-table.c plug-ins: Fix crash when exporting indexed HTML tables 2025-03-15 15:18:14 +00:00
file-iff.c plug-ins: Don't show pixel ratio warning for IFF thumbnails 2024-11-02 04:41:57 +00:00
file-jp2-load.c plug-ins: Fix crash when loading CMYK JPEG 2000 images 2025-02-19 19:00:57 +00:00
file-jpegxl.c plug-ins: simplify JXL export options 2025-01-29 14:43:33 +00:00
file-lnk.c plug-ins: Load images from .lnk shortcuts 2024-12-11 20:15:41 +00:00
file-mng.c libgimp*, plug-ins: now hide GimpParamSpecChoice struct. 2025-01-25 01:28:19 +01:00
file-pat.c app, libgimp*, plug-ins: move all GimpObjectArray procedure args to GimpCoreObjectArray. 2024-10-25 23:28:42 +02:00
file-pcx.c app, libgimp, pdb, plug-ins: layerarray PDB type is now a GimpCoreObjectArray. 2024-10-25 23:28:42 +02:00
file-pdf-export.c Fix #12344 PDF export crash w stack smash on flatpak 2024-11-24 16:24:45 +00:00
file-pdf-load.c libgimpwidgets, plug-in: Reduce height of Load PDF dialog 2025-01-25 17:27:55 +00:00
file-pix.c app, libgimp*, pdb, plug-ins: review and enhance MR !1549. 2024-08-18 22:46:47 +02:00
file-png.c libgimp, plug-ins: rename the various "save-*" metadata arguments… 2025-01-20 17:58:30 +01:00
file-pnm.c plug-ins: Add support for importing CMYK PAM files 2024-12-10 01:27:17 +00:00
file-ps.c app, libgimp, pdb, plug-ins: new GimpCoreObjectArray type and drawablearray… 2024-10-25 23:28:42 +02:00
file-psp.c plug-ins: get rid of all remaining usage of gimp_image_[gs]et_colormap(). 2024-09-23 18:20:14 +02:00
file-qoi.c plug-ins: Fix double free crash in file-qoi 2024-08-31 20:07:34 +00:00
file-raw-data.c Issue #12045: no defaults for plugin args of type File. 2025-01-22 17:53:21 +01:00
file-sunras.c plug-ins: get rid of all remaining usage of gimp_image_[gs]et_colormap(). 2024-09-23 18:20:14 +02:00
file-svg.c plug-ins: Use viewbox dims if needed for SVG 2025-04-04 02:09:02 +00:00
file-tga.c plug-ins: get rid of all remaining usage of gimp_image_[gs]et_colormap(). 2024-09-23 18:20:14 +02:00
file-wbmp.c plug-ins: get rid of all remaining usage of gimp_image_[gs]et_colormap(). 2024-09-23 18:20:14 +02:00
file-wmf.c plug-ins: removing a string because of an obvious typo. 2024-08-24 20:29:52 +02:00
file-xbm.c libgimp, plug-ins: rename the various "save-*" metadata arguments… 2025-01-20 17:58:30 +01:00
file-xmc.c app, libgimp*, pdb, plug-ins: review and enhance MR !1549. 2024-08-18 22:46:47 +02:00
file-xpm.c plug-ins: get rid of all remaining usage of gimp_image_[gs]et_colormap(). 2024-09-23 18:20:14 +02:00
file-xwd.c plug-ins: get rid of all remaining usage of gimp_image_[gs]et_colormap(). 2024-09-23 18:20:14 +02:00
film.c extensions, libgimp, plug-ins: remove n_drawables arg from GimpImageProcedure's… 2024-10-28 22:08:45 +01:00
gradient-map.c app, libgimp, pdb, plug-ins: gimp_gradient_get_uniform_samples() returns an array of GeglColor. 2024-11-03 13:35:16 +01:00
grid.c plug-ins: Prevent infinite signal loop in legacy grid 2025-05-06 17:57:55 +00:00
guillotine.c extensions, libgimp, plug-ins: remove n_drawables arg from GimpImageProcedure's… 2024-10-28 22:08:45 +01:00
hot.c extensions, libgimp, plug-ins: remove n_drawables arg from GimpImageProcedure's… 2024-10-28 22:08:45 +01:00
jigsaw.c extensions, libgimp, plug-ins: remove n_drawables arg from GimpImageProcedure's… 2024-10-28 22:08:45 +01:00
mail.c extensions, libgimp, plug-ins: remove n_drawables arg from GimpImageProcedure's… 2024-10-28 22:08:45 +01:00
meson.build .gitlab: Move cp-plug-in-subfolder.py to build/meson 2025-04-18 13:36:31 -03:00
nl-filter.c extensions, libgimp, plug-ins: remove n_drawables arg from GimpImageProcedure's… 2024-10-28 22:08:45 +01:00
plugin-browser.c plug-ins: fix calling gimp-plug-ins-query. 2024-10-25 23:28:42 +02:00
procedure-browser.c plug-ins: Port argument macros to functions 2024-06-13 23:17:48 +00:00
qbist.c extensions, libgimp, plug-ins: remove n_drawables arg from GimpImageProcedure's… 2024-10-28 22:08:45 +01:00
sample-colorize.c Fix spelling errors found with codespell 2025-01-04 15:11:03 +00:00
smooth-palette.c plug-ins: Fix color format for Smooth Palette... 2024-11-14 11:33:14 +00:00
sparkle.c extensions, libgimp, plug-ins: remove n_drawables arg from GimpImageProcedure's… 2024-10-28 22:08:45 +01:00
sphere-designer.c extensions, libgimp, plug-ins: remove n_drawables arg from GimpImageProcedure's… 2024-10-28 22:08:45 +01:00
tile-small.c extensions, libgimp, plug-ins: remove n_drawables arg from GimpImageProcedure's… 2024-10-28 22:08:45 +01:00
tile.c extensions, libgimp, plug-ins: remove n_drawables arg from GimpImageProcedure's… 2024-10-28 22:08:45 +01:00
unit-editor.c app, libgimpwidgets, plug-ins: add tooltip arg to gimp_help_connect(). 2024-08-24 23:29:39 +02:00
van-gogh-lic.c extensions, libgimp, plug-ins: remove n_drawables arg from GimpImageProcedure's… 2024-10-28 22:08:45 +01:00
warp.c extensions, libgimp, plug-ins: remove n_drawables arg from GimpImageProcedure's… 2024-10-28 22:08:45 +01:00
wavelet-decompose.c extensions, libgimp, plug-ins: remove n_drawables arg from GimpImageProcedure's… 2024-10-28 22:08:45 +01:00
web-browser.c plug-ins: Port argument macros to functions 2024-06-13 23:17:48 +00:00
web-page.c plug-ins: Port argument macros to functions 2024-06-13 23:17:48 +00:00