File 0e68b747.patch of Package gegl

From 0e68b7471dabf2800d780819c19bd5e6462f565f Mon Sep 17 00:00:00 2001
From: Jacob Boerema <jgboerema@gmail.com>
Date: Thu, 4 Sep 2025 13:36:56 -0400
Subject: [PATCH] rgbe: fix #430 zdi-can-27803

HDR File Parsing Heap-based Buffer Overflow Remote Code Execution
Vulnerability.

Now checks if linesize isn't larger than size allocated and returns
FALSE with a warning if it is.
---
 libs/rgbe/rgbe.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/libs/rgbe/rgbe.c b/libs/rgbe/rgbe.c
index eedde2660..9ef8fb520 100644
--- a/libs/rgbe/rgbe.c
+++ b/libs/rgbe/rgbe.c
@@ -624,6 +624,7 @@ rgbe_read_new_rle (const rgbe_file *file,
 {
   const guint8 *data;
   guint16       linesize;
+  guint32       max_size;
   guint         i;
   guint         component;
   gfloat       *pixoffset[RGBE_NUM_RGBE] =
@@ -646,6 +647,14 @@ rgbe_read_new_rle (const rgbe_file *file,
   data     = (guint8 *)g_mapped_file_get_contents (file->file) + *cursor;
   g_return_val_if_fail (data[OFFSET_R] == 2 && data[OFFSET_G] == 2, FALSE);
   linesize = (data[OFFSET_B] << 8) | data[OFFSET_E];
+  max_size = file->header.x_axis.size * file->header.y_axis.size * RGBE_NUM_RGBE;
+
+  if (RGBE_NUM_RGBE * linesize > max_size)
+    {
+      g_warning ("Invalid linesize %u is larger than maximum %u\n",
+                 RGBE_NUM_RGBE * linesize, max_size);
+      return FALSE;
+    }
 
   data += RGBE_NUM_RGBE;
 
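Review bot: The new bound in `rgbe_read_new_rle` compares the scanline with the size of the whole image (`x_axis.size * y_axis.size * RGBE_NUM_RGBE`), not with the space left in the destination for the row being decoded, so a `linesize` wider than the image but smaller than that total would still pass on a late scanline. If each call decodes a single row, as the per-component `pixoffset` setup suggests, the tighter test is `if (linesize > file->header.x_axis.size)`; the destination allocation and the decode loop are outside the hunk, so this needs confirming against them. The `max_size` product is built from header fields that come from the file and appears to be evaluated at their width before being stored in a `guint32`, so it can wrap. Computing it as a `guint64` or with `g_uint_checked_mul()` would keep the limit meaningful. The function body starts and ends outside the hunk.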
-- 
GitLab
