File gimp-CVE-2022-32990.patch of Package gimp.25277

diff -urp gimp-2.10.12.orig/app/core/gimpchannel.c gimp-2.10.12/app/core/gimpchannel.c
--- gimp-2.10.12.orig/app/core/gimpchannel.c	2019-06-12 11:43:38.000000000 -0500
+++ gimp-2.10.12/app/core/gimpchannel.c	2022-07-27 11:14:35.581310209 -0500
@@ -1878,7 +1878,7 @@ gimp_channel_boundary (GimpChannel
 gboolean
 gimp_channel_is_empty (GimpChannel *channel)
 {
-  g_return_val_if_fail (GIMP_IS_CHANNEL (channel), FALSE);
+  g_return_val_if_fail (GIMP_IS_CHANNEL (channel), TRUE);
 
   return GIMP_CHANNEL_GET_CLASS (channel)->is_empty (channel);
 }
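Review bot: The new `TRUE` return only takes effect when GLib precondition checks are compiled in; in a build with `G_DISABLE_CHECKS` defined, `g_return_val_if_fail` expands to nothing and `GIMP_CHANNEL_GET_CLASS (channel)` is still evaluated on the invalid pointer. The macro also logs a critical and treats the condition as a caller bug, so it is not input validation on its own. If a NULL channel can reach this function from the XCF loader after a failed load (not visible in this hunk), an explicit `if (! channel) return TRUE;` with a comment such as `/* a channel that failed to load is treated as empty */` would make the intent independent of build flags.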
diff -urp gimp-2.10.12.orig/app/xcf/xcf-load.c gimp-2.10.12/app/xcf/xcf-load.c
--- gimp-2.10.12.orig/app/xcf/xcf-load.c	2019-06-12 11:43:38.000000000 -0500
+++ gimp-2.10.12/app/xcf/xcf-load.c	2022-07-27 11:15:52.849718137 -0500
@@ -170,10 +170,19 @@ xcf_load_image (Gimp     *gimp,
   xcf_read_int32 (info, (guint32 *) &width, 1);
   xcf_read_int32 (info, (guint32 *) &height, 1);
   xcf_read_int32 (info, (guint32 *) &image_type, 1);
-  if (image_type < GIMP_RGB || image_type > GIMP_INDEXED ||
-      width <= 0 || height <= 0)
+  if (image_type < GIMP_RGB || image_type > GIMP_INDEXED)
     goto hard_error;
 
+  /* Be lenient with corrupt image dimensions.
+   * Hopefully layer dimensions will be valid. */
+  if (width <= 0 || height <= 0 ||
+      width > GIMP_MAX_IMAGE_SIZE || height > GIMP_MAX_IMAGE_SIZE)
+    {
+      GIMP_LOG (XCF, "Invalid image size %d x %d, setting to 1x1.", width, height);
+      width  = 1;
+      height = 1;
+    }
+
   if (info->file_version >= 4)
     {
       gint p;
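Review bot: The fallback to a 1x1 canvas is reported only through `GIMP_LOG`, which as far as I know is emitted only when XCF debug logging is enabled, so a user opening a damaged or crafted file gets no indication that the header dimensions were discarded. The comment also does not record what the rest of the loader must tolerate; `/* Header size is untrusted: fall back to 1x1; code below must not assume layers fit inside the canvas. */` would state the assumption. The return values of the three `xcf_read_int32` calls are not checked in this hunk, so it is worth confirming that `width` and `height` hold defined values when a read comes up short. xcf_load_image starts before and continues past this hunk.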
@@ -457,6 +466,13 @@ xcf_load_image (Gimp     *gimp,
        */
       saved_pos = info->cp;
 
+      if (offset < saved_pos)
+        {
+          GIMP_LOG (XCF, "Invalid layer offset: %" G_GOFFSET_FORMAT
+                    " at offset: %" G_GOFFSET_FORMAT, offset, saved_pos);
+          goto error;
+        }
+
       /* seek to the layer offset */
       if (! xcf_seek_pos (info, offset, NULL))
         goto error;
@@ -541,6 +557,13 @@ xcf_load_image (Gimp     *gimp,
        */
       saved_pos = info->cp;
 
+      if (offset < saved_pos)
+        {
+          GIMP_LOG (XCF, "Invalid channel offset: %" G_GOFFSET_FORMAT
+                    " at offset: % "G_GOFFSET_FORMAT, offset, saved_pos);
+          goto error;
+        }
+
       /* seek to the channel offset */
       if (! xcf_seek_pos (info, offset, NULL))
         goto error;
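Review bot: The second conversion in the channel message is written `% "G_GOFFSET_FORMAT`, with the space inside the string literal, so it expands to a conversion with the space flag instead of matching the layer message in the previous hunk. The output still formats, but the two diagnostics differ and the stray flag looks like a typo. I would write it as `" at offset: %" G_GOFFSET_FORMAT, offset, saved_pos);` so both messages can be matched with one pattern when triaging a rejected file.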
@@ -1668,6 +1691,7 @@ xcf_load_layer (XcfInfo    *info,
   const Babl        *format;
   gboolean           is_fs_drawable;
   gchar             *name;
+  goffset            cur_offset;
 
   /* check and see if this is the drawable the floating selection
    *  is attached to. if it is then we'll do the attachment in our caller.
@@ -1719,7 +1743,8 @@ xcf_load_layer (XcfInfo    *info,
       return NULL;
     }
 
-  if (width <= 0 || height <= 0)
+  if (width <= 0 || height <= 0 ||
+      width > GIMP_MAX_IMAGE_SIZE || height > GIMP_MAX_IMAGE_SIZE)
     return NULL;
 
   /* do not use gimp_image_get_layer_format() because it might
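Review bot: The widened size check in xcf_load_layer returns NULL without logging, while the equivalent checks added to xcf_load_channel and xcf_load_layer_mask in this patch log the rejected dimensions. Adding `GIMP_LOG (XCF, "Invalid layer size %d x %d.", width, height);` before `return NULL;` (with braces around the two statements) would keep the three paths consistent and leave a trace of which field caused the rejection. xcf_load_layer starts and ends outside the hunk, so whether anything allocated earlier needs releasing on this return cannot be checked from here.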
@@ -1763,6 +1788,7 @@ xcf_load_layer (XcfInfo    *info,
     }
 
   /* read the hierarchy and layer mask offsets */
+  cur_offset = info->cp;
   xcf_read_offset (info, &hierarchy_offset,  1);
   xcf_read_offset (info, &layer_mask_offset, 1);
 
@@ -1772,6 +1798,11 @@ xcf_load_layer (XcfInfo    *info,
    */
   if (! gimp_viewable_get_children (GIMP_VIEWABLE (layer)))
     {
+      if (hierarchy_offset < cur_offset)
+        {
+          GIMP_LOG (XCF, "Invalid layer hierarchy offset!");
+          goto error;
+        }
       if (! xcf_seek_pos (info, hierarchy_offset, NULL))
         goto error;
 
@@ -1795,6 +1826,11 @@ xcf_load_layer (XcfInfo    *info,
   /* read in the layer mask */
   if (layer_mask_offset != 0)
     {
+      if (layer_mask_offset < cur_offset)
+        {
+          GIMP_LOG (XCF, "Invalid layer mask offset!");
+          goto error;
+        }
       if (! xcf_seek_pos (info, layer_mask_offset, NULL))
         goto error;
 
@@ -1841,6 +1877,7 @@ xcf_load_channel (XcfInfo   *info,
   gboolean     is_fs_drawable;
   gchar       *name;
   GimpRGB      color = { 0.0, 0.0, 0.0, GIMP_OPACITY_OPAQUE };
+  goffset      cur_offset;
 
   /* check and see if this is the drawable the floating selection
    *  is attached to. if it is then we'll do the attachment in our caller.
@@ -1850,10 +1887,16 @@ xcf_load_channel (XcfInfo   *info,
   /* read in the layer width, height and name */
   xcf_read_int32 (info, (guint32 *) &width,  1);
   xcf_read_int32 (info, (guint32 *) &height, 1);
-  if (width <= 0 || height <= 0)
-    return NULL;
+  if (width <= 0 || height <= 0 ||
+      width > GIMP_MAX_IMAGE_SIZE || height > GIMP_MAX_IMAGE_SIZE)
+    {
+      GIMP_LOG (XCF, "Invalid channel size %d x %d.", width, height);
+      return NULL;
+    }
 
   xcf_read_string (info, &name, 1);
+  GIMP_LOG (XCF, "Channel width=%d, height=%d, name='%s'",
+            width, height, name);
 
   /* create a new channel */
   channel = gimp_channel_new (image, width, height, name, &color);
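Review bot: The added `GIMP_LOG` passes `name` to `%s` directly after `xcf_read_string`, whose result is not checked in this hunk; if that call can leave `name` NULL (for example on a zero-length or failed read, which is not visible here), the log call receives a null pointer for a string conversion. Guarding the argument, `name ? name : "(null)"`, avoids relying on the C library's handling of that case. The name is taken from the file, so whatever consumes this log should treat it as untrusted text. The same pattern is added in the xcf_load_layer_mask hunk.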
@@ -1867,9 +1910,16 @@ xcf_load_channel (XcfInfo   *info,
 
   xcf_progress_update (info);
 
-  /* read the hierarchy and layer mask offsets */
+  /* read the hierarchy offset */
+  cur_offset = info->cp;
   xcf_read_offset (info, &hierarchy_offset, 1);
 
+  if (hierarchy_offset < cur_offset)
+    {
+      GIMP_LOG (XCF, "Invalid hierarchy offset!");
+      goto error;
+    }
+
   /* read in the hierarchy */
   if (! xcf_seek_pos (info, hierarchy_offset, NULL))
     goto error;
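Review bot: `cur_offset` is captured before `xcf_read_offset`, so a `hierarchy_offset` that points into the offset field just read still passes the `hierarchy_offset < cur_offset` test. Moving `cur_offset = info->cp;` below the `xcf_read_offset` call would reject that overlap as well; I am not aware of a valid layout that needs it, but that should be confirmed against the file format. The check bounds the offset only from below, so an offset past the end of the file is left to `xcf_seek_pos` to reject. The same ordering is used in the xcf_load_layer, xcf_load_layer_mask and xcf_load_buffer hunks.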
@@ -1905,6 +1955,7 @@ xcf_load_layer_mask (XcfInfo   *info,
   gboolean       is_fs_drawable;
   gchar         *name;
   GimpRGB        color = { 0.0, 0.0, 0.0, GIMP_OPACITY_OPAQUE };
+  goffset        cur_offset;
 
   /* check and see if this is the drawable the floating selection
    *  is attached to. if it is then we'll do the attachment in our caller.
@@ -1914,10 +1965,16 @@ xcf_load_layer_mask (XcfInfo   *info,
   /* read in the layer width, height and name */
   xcf_read_int32 (info, (guint32 *) &width,  1);
   xcf_read_int32 (info, (guint32 *) &height, 1);
-  if (width <= 0 || height <= 0)
-    return NULL;
+  if (width <= 0 || height <= 0 ||
+      width > GIMP_MAX_IMAGE_SIZE || height > GIMP_MAX_IMAGE_SIZE)
+    {
+      GIMP_LOG (XCF, "Invalid layer mask size %d x %d.", width, height);
+      return NULL;
+    }
 
   xcf_read_string (info, &name, 1);
+  GIMP_LOG (XCF, "Layer mask width=%d, height=%d, name='%s'",
+            width, height, name);
 
   /* create a new layer mask */
   layer_mask = gimp_layer_mask_new (image, width, height, name, &color);
@@ -1932,9 +1989,16 @@ xcf_load_layer_mask (XcfInfo   *info,
 
   xcf_progress_update (info);
 
-  /* read the hierarchy and layer mask offsets */
+  /* read the hierarchy offset */
+  cur_offset = info->cp;
   xcf_read_offset (info, &hierarchy_offset, 1);
 
+  if (hierarchy_offset < cur_offset)
+    {
+      GIMP_LOG (XCF, "Invalid hierarchy offset!");
+      goto error;
+    }
+
   /* read in the hierarchy */
   if (! xcf_seek_pos (info, hierarchy_offset, NULL))
     goto error;
@@ -1965,6 +2029,7 @@ xcf_load_buffer (XcfInfo    *info,
   gint        width;
   gint        height;
   gint        bpp;
+  goffset     cur_offset;
 
   format = gegl_buffer_get_format (buffer);
 
@@ -1980,8 +2045,15 @@ xcf_load_buffer (XcfInfo    *info,
       bpp    != babl_format_get_bytes_per_pixel (format))
     return FALSE;
 
+  cur_offset = info->cp;
   xcf_read_offset (info, &offset, 1); /* top level */
 
+  if (offset < cur_offset)
+    {
+      GIMP_LOG (XCF, "Invalid buffer offset!");
+      return FALSE;
+    }
+
   /* seek to the level offset */
   if (! xcf_seek_pos (info, offset, NULL))
     return FALSE;