File gimp-2.3.10-CVE-2006-4519.patch of Package gimp-2.3.14
--- gimp-2.3.10/plug-ins/common/dicom.c
+++ gimp-2.3.10/plug-ins/common/dicom.c
@@ -48,7 +48,7 @@
 /* Declare local data types */
 typedef struct _DicomInfo
 {
- gint width, height; /* The size of the image */
+ guint width, height; /* The size of the image */
 gint maxval; /* For 16 and 24 bit image files, the max value which we need to normalize to */
 gint samples_per_pixel; /* Number of image planes (0 for pbm) */
@@ -280,8 +280,8 @@ load_image (const gchar *filename)
 FILE *DICOM;
 gchar buf[500]; /* buffer for random things like scanning */
 DicomInfo *dicominfo;
- gint width = 0;
- gint height = 0;
+ guint width = 0;
+ guint height = 0;
 gint samples_per_pixel = 0;
 gint bpp = 0;
 guint8 *pix_buf = NULL;
@@ -409,6 +409,15 @@ load_image (const gchar *filename)
 if (tag == 0xFFFEE000)
 continue;
+ /* Even for pixel data, we don't handle very large element
+ lengths */
+
+ if (element_length >= (G_MAXUINT - 6))
+ {
+ g_error ("'%s' seems to have an incorrect value field length.",
+ gimp_filename_to_utf8 (filename));
+ }
+
 /* Read contents. Allocate a bit more to make room for casts to int below. */
 value = g_new0 (guint8, element_length + 4);
@@ -469,6 +478,12 @@ load_image (const gchar *filename)
 }
 }
+ if ((width > GIMP_MAX_IMAGE_SIZE) || (height > GIMP_MAX_IMAGE_SIZE))
+ {
+ g_error ("'%s' has a larger image size than GIMP can handle.",
+ gimp_filename_to_utf8 (filename));
+ }
+
 dicominfo->width = width;
 dicominfo->height = height;
 dicominfo->bpp = bpp;
--- gimp-2.3.10/plug-ins/common/pnm.c
+++ gimp-2.3.10/plug-ins/common/pnm.c
@@ -534,6 +534,8 @@ load_image (const gchar *filename)
 pnminfo->xres = g_ascii_isdigit(*buf) ? atoi (buf) : 0;
 CHECK_FOR_ERROR (pnminfo->xres <= 0, pnminfo->jmpbuf,
 _("Invalid X resolution."));
+ CHECK_FOR_ERROR (pnminfo->xres > GIMP_MAX_IMAGE_SIZE, pnminfo->jmpbuf,
+ _("Image width is larger than GIMP can handle."));
 pnmscanner_gettoken (scan, buf, BUFLEN);
 CHECK_FOR_ERROR (pnmscanner_eof (scan), pnminfo->jmpbuf,
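Review bot: In dicom.c at `-409,6 +409,15`, the new length check reports a malformed file through `g_error()`, which GLib treats as fatal and follows with an abort, so a bad DICOM file takes the plug-in process down instead of failing the load; the same call is used in the `+478` size check and in both new checks in psd.c `read_whole_file`. The sunras.c, xbm.c, xwd.c and psp.c hunks of this patch use `g_message ()` followed by cleanup and `return -1`, and the dicom and psd checks would be more consistent in that form. Separately, the bound only stops `element_length + 4` from wrapping: a length just under `G_MAXUINT - 6` still reaches `g_new0`, so comparing `element_length` with the bytes remaining in the file would be a tighter test. `load_image` starts and ends outside the hunk, so the cleanup needed on an early return is not visible here.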
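Review bot: In dicom.c at `-469,6 +478,12`, the check caps each dimension but still accepts `width == 0` or `height == 0` (both are initialised to 0 in this function) and puts no limit on the product; taking the 2^18 per-side limit that the psp.c comment in this patch gives for `GIMP_MAX_IMAGE_SIZE`, `width * height` can reach 2^36 before `samples_per_pixel` and `bpp` are applied. Only the psp.c hunk bounds the product; psd.c, sunras.c, xbm.c and xwd.c have the same per-dimension-only shape, and psd.c also lacks the zero check. Whether any of these loaders multiplies the two dimensions in 32-bit arithmetic is outside the hunks and needs checking against the allocation code. Here I would extend the condition with `|| (width == 0) || (height == 0)` and compute the pixel-buffer size in a 64-bit type before allocating.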
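Review bot: In pnm.c at `-534,6 +534,8` (and the matching `yres` hunk at `+543`), the new upper bound is applied to the result of `atoi (buf)`, whose behaviour is undefined when the digit string does not fit in an `int`, so an oversized header value may already have become a small positive number before `CHECK_FOR_ERROR` sees it. Parsing with `strtol` and rejecting `errno == ERANGE` or anything above `GIMP_MAX_IMAGE_SIZE` makes the check hold for every input, e.g. `errno = 0; val = strtol (buf, &end, 10);` followed by the range test. How long a token `pnmscanner_gettoken` can return is not visible in this hunk.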
@@ -541,6 +543,8 @@ load_image (const gchar *filename)
 pnminfo->yres = g_ascii_isdigit (*buf) ? atoi (buf) : 0;
 CHECK_FOR_ERROR (pnminfo->yres <= 0, pnminfo->jmpbuf,
 _("Invalid Y resolution."));
+ CHECK_FOR_ERROR (pnminfo->yres > GIMP_MAX_IMAGE_SIZE, pnminfo->jmpbuf,
+ _("Image height is larger than GIMP can handle."));
 if (pnminfo->np != 0) /* pbm's don't have a maxval field */
 {
@@ -601,6 +605,7 @@ pnm_load_ascii (PNMScanner *scan,
 gchar buf[BUFLEN];
 np = (info->np) ? (info->np) : 1;
+ /* No overflow as long as gimp_tile_height() < 2730 = 2^(31 - 18) / 3 */
 data = g_new (guchar, gimp_tile_height () * info->xres * np);
 /* Buffer reads to increase performance */
--- gimp-2.3.10/plug-ins/common/psd.c
+++ gimp-2.3.10/plug-ins/common/psd.c
@@ -416,7 +416,8 @@ static void xfread_interlaced (FILE *fd,
 long len,
 gchar *why,
 gint step);
-static void read_whole_file (FILE *fd);
+static void read_whole_file (FILE *fd,
+ const gchar *name);
 static void reshuffle_cmap (guchar *map256);
 static gchar *getpascalstring (FILE *fd,
 gchar *why);
@@ -1885,7 +1886,7 @@ load_image (const gchar *name)
 gimp_progress_init_printf (_("Opening '%s'"),
 gimp_filename_to_utf8 (name));
- read_whole_file (fd);
+ read_whole_file (fd, name);
 if (psd_image.num_layers > 0) /* PS3-style */
 {
@@ -2934,7 +2935,7 @@ xfread_interlaced (FILE *fd,
 }
 static void
-read_whole_file (FILE *fd)
+read_whole_file (FILE *fd, const gchar *filename)
 {
 guint16 w;
 gint32 pos;
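Review bot: In `pnm_load_ascii` (pnm.c `-601,6 +605,7`), the added comment records an invariant that nothing enforces: the multiplication is safe only while `gimp_tile_height ()` stays below 2730, `info->xres` is at most 2^18 and `np` is at most 3, and the last two are assumptions the comment leaves unstated. Either spell them out, for example `/* xres <= GIMP_MAX_IMAGE_SIZE (2^18) and np <= 3, so no overflow while gimp_tile_height () < 2730 */`, or check the tile-height bound before the `g_new` call with `g_assert (gimp_tile_height () < 2730);`. The function body continues outside the hunk.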
@@ -2944,9 +2945,30 @@ read_whole_file (FILE *fd)
 xfread (fd, &PSDheader.signature, 4, "signature");
 PSDheader.version = getgint16 (fd, "version");
 xfread (fd, &dummy, 6, "reserved");
+
 PSDheader.channels = getgint16 (fd, "channels");
+
+ /* Photoshop CS (version 8) supports a maximum of 56 channels */
+
+ if (PSDheader.channels > 56)
+ {
+ g_error ("'%s' has more channels than GIMP can handle.",
+ gimp_filename_to_utf8 (filename));
+ }
+
 PSDheader.rows = getgint32 (fd, "rows");
 PSDheader.columns = getgint32 (fd, "columns");
+
+ /* Photoshop CS (version 8) supports 300000 x 300000, but this
+ is currently larger than GIMP_MAX_IMAGE_SIZE */
+
+ if ((PSDheader.rows > GIMP_MAX_IMAGE_SIZE) ||
+ (PSDheader.columns > GIMP_MAX_IMAGE_SIZE))
+ {
+ g_error ("'%s' has a larger image size than GIMP can handle.",
+ gimp_filename_to_utf8 (filename));
+ }
+
 PSDheader.bpp = getgint16 (fd, "depth");
 PSDheader.mode = getgint16 (fd, "mode");
--- gimp-2.3.10/plug-ins/common/psp.c
+++ gimp-2.3.10/plug-ins/common/psp.c
@@ -1149,6 +1149,16 @@ read_layer_block (FILE *f,
 width = saved_image_rect[2] - saved_image_rect[0];
 height = saved_image_rect[3] - saved_image_rect[1];
+ if ((width < 0) || (width > GIMP_MAX_IMAGE_SIZE) /* w <= 2^18 */
+ || (height < 0) || (height > GIMP_MAX_IMAGE_SIZE) /* h <= 2^18 */
+ || ((width / 256) * (height / 256) >= 8192)) /* w * h < 2^29 */
+ {
+ g_message ("Invalid layer dimensions: %dx%d", width, height);
+ fclose (f);
+ gimp_image_delete (image_ID);
+ return -1;
+ }
+
 IFDBG(2) g_message ("layer: %s %dx%d (%dx%d) @%d,%d opacity %d blend_mode %s " "%d bitmaps %d channels",
--- gimp-2.3.10/plug-ins/common/sunras.c
+++ gimp-2.3.10/plug-ins/common/sunras.c
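Review bot: In psd.c `read_whole_file` (`-2944,9 +2945,30`), the new checks test only the upper bound, so a zero or negative `channels`, `rows` or `columns` read by `getgint16`/`getgint32` still passes if those header fields are signed; their declarations are outside the hunk. Adding the lower bound closes that, e.g. `if ((PSDheader.channels <= 0) || (PSDheader.channels > 56))` and `(PSDheader.rows <= 0) || (PSDheader.rows > GIMP_MAX_IMAGE_SIZE)` with the same for `columns`. The literal 56 would also read better as a named constant placed next to the comment that explains it.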
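Review bot: In psp.c `read_layer_block` (`-1149,6 +1149,16`), the product test `(width / 256) * (height / 256) >= 8192` truncates both factors, so it does not guarantee the `w * h < 2^29` its comment claims: 23295 x 23551 passes (90 * 91 = 8190) although the real product is about 5.49e8, which is above 2^29. If later code multiplies the area by four bytes per pixel in a `gint`, that slack is enough to pass 2^31; that code is outside the hunk. An exact test removes the gap, `|| ((gint64) width * height >= ((gint64) 1 << 29))`. The error path also closes `f` and deletes `image_ID` inside this helper, so the caller must not release them again after a -1 return, which cannot be confirmed from here.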
@@ -429,6 +429,38 @@ load_image (const gchar *filename)
 *4 + sunhdr.l_ras_maplength, SEEK_SET);
 }
+ if (sunhdr.l_ras_width <= 0)
+ {
+ g_message (_("'%s':\nNo image width specified"),
+ gimp_filename_to_utf8 (filename));
+ fclose (ifp);
+ return (-1);
+ }
+
+ if (sunhdr.l_ras_width > GIMP_MAX_IMAGE_SIZE)
+ {
+ g_message (_("'%s':\nImage width is larger than GIMP can handle"),
+ gimp_filename_to_utf8 (filename));
+ fclose (ifp);
+ return (-1);
+ }
+
+ if (sunhdr.l_ras_height <= 0)
+ {
+ g_message (_("'%s':\nNo image height specified"),
+ gimp_filename_to_utf8 (filename));
+ fclose (ifp);
+ return (-1);
+ }
+
+ if (sunhdr.l_ras_height > GIMP_MAX_IMAGE_SIZE)
+ {
+ g_message (_("'%s':\nImage height is larger than GIMP can handle"),
+ gimp_filename_to_utf8 (filename));
+ fclose (ifp);
+ return (-1);
+ }
+
 gimp_progress_init_printf (_("Opening '%s'"),
 gimp_filename_to_utf8 (filename));
--- gimp-2.3.10/plug-ins/common/xbm.c
+++ gimp-2.3.10/plug-ins/common/xbm.c
@@ -805,21 +805,35 @@ load_image (const gchar *filename)
 return -1;
 }
- if (width == 0)
+ if (width <= 0)
 {
 g_message (_("'%s':\nNo image width specified"),
 gimp_filename_to_utf8 (filename));
 return -1;
 }
- if (height == 0)
+ if (width > GIMP_MAX_IMAGE_SIZE)
+ {
+ g_message (_("'%s':\nImage width is larger than GIMP can handle"),
+ gimp_filename_to_utf8 (filename));
+ return -1;
+ }
+
+ if (height <= 0)
 {
 g_message (_("'%s':\nNo image height specified"),
 gimp_filename_to_utf8 (filename));
 return -1;
 }
- if (intbits == 0)
+ if (height > GIMP_MAX_IMAGE_SIZE)
+ {
+ g_message (_("'%s':\nImage height is larger than GIMP can handle"),
+ gimp_filename_to_utf8 (filename));
+ return -1;
+ }
+
+ if (intbits == 0)
 {
 g_message (_("'%s':\nNo image data type specified"),
 gimp_filename_to_utf8 (filename));
@@ -1063,7 +1077,7 @@ save_image (const gchar *filename,
 #ifdef VERBOSE
 if (verbose > 1)
- printf ("TGA: writing %dx(%d+%d) pixel region\n",
+ printf ("XBM: writing %dx(%d+%d) pixel region\n",
 width, i, tileheight);
 #endif
--- gimp-2.3.10/plug-ins/common/xwd.c
+++ gimp-2.3.10/plug-ins/common/xwd.c
@@ -470,6 +470,39 @@ load_image (const gchar *filename)
 }
 }
+ if (xwdhdr.l_pixmap_width <= 0)
+ {
+ g_message (_("'%s':\nNo image width specified"),
+ gimp_filename_to_utf8 (filename));
+ fclose (ifp);
+ return (-1);
+ }
+
+ if (xwdhdr.l_pixmap_width > GIMP_MAX_IMAGE_SIZE
+ || xwdhdr.l_bytes_per_line > GIMP_MAX_IMAGE_SIZE * 3)
+ {
+ g_message (_("'%s':\nImage width is larger than GIMP can handle"),
+ gimp_filename_to_utf8 (filename));
+ fclose (ifp);
+ return (-1);
+ }
+
+ if (xwdhdr.l_pixmap_height <= 0)
+ {
+ g_message (_("'%s':\nNo image height specified"),
+ gimp_filename_to_utf8 (filename));
+ fclose (ifp);
+ return (-1);
+ }
+
+ if (xwdhdr.l_pixmap_height > GIMP_MAX_IMAGE_SIZE)
+ {
+ g_message (_("'%s':\nImage height is larger than GIMP can handle"),
+ gimp_filename_to_utf8 (filename));
+ fclose (ifp);
+ return (-1);
+ }
+
 gimp_progress_init_printf (_("Opening '%s'"),
 gimp_filename_to_utf8 (filename));
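Review bot: In xwd.c at `-470,6 +470,39`, `l_bytes_per_line` gets an upper bound only and is never compared with `l_pixmap_width`, so a header whose bytes-per-line value is smaller than the width requires passes all four checks. Whether the row readers size a buffer from one field and index it by the other is outside the hunk; that should be checked there, and a lower bound derived from the width and the bits per pixel added if so. The factor `3` looks like an assumption of at most 24 bits per pixel and deserves a comment saying so. A failure on `l_bytes_per_line` also reports "Image width is larger than GIMP can handle", which names the wrong field.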