File gimp-CVE_2022-30067.patch of Package gimp.24398

Overview Repositories Revisions Requests Users Attributes Meta

File gimp-CVE_2022-30067.patch of Package gimp.24398

From 8cd6d05232795ac31076013db1c6be3dc67e8e09 Mon Sep 17 00:00:00 2001
From: Jacob Boerema <jgboerema@gmail.com>
Date: Fri, 29 Apr 2022 16:40:32 -0400
Subject: [PATCH] app: fix #8120 GIMP 2.10.30 crashed when allocate large
 memory

GIMP could crash if the information regarding old path properties read
from XCF was incorrect. It did not check if xcf_old_path succeeded and
kept trying to load more paths even if the last one failed to load.

Instead we now stop loading paths as soon as that function fails.
In case we have a failure here we also try to skip to the next property
based on the size of the path property, in hopes that the only problem
was this property.

(cherry picked from commit 4f99f1fcfd892ead19831b5adcd38a99d71214b6)
---
 app/xcf/xcf-load.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c
index 5543e57af7..1a1a460f0e 100644
--- a/app/xcf/xcf-load.c
+++ b/app/xcf/xcf-load.c
@@ -1060,7 +1060,12 @@ xcf_load_image_props (XcfInfo   *info,
           break;
 
         case PROP_PATHS:
-          xcf_load_old_paths (info, image);
+          {
+            goffset base = info->cp;
+
+            if (! xcf_load_old_paths (info, image))
+              xcf_seek_pos (info, base + prop_size, NULL);
+          }
           break;
 
         case PROP_USER_UNIT:
@@ -2747,8 +2752,11 @@ xcf_load_old_paths (XcfInfo   *info,
   xcf_read_int32 (info, &last_selected_row, 1);
   xcf_read_int32 (info, &num_paths,         1);
 
+  GIMP_LOG (XCF, "Number of old paths: %u", num_paths);
+
   while (num_paths-- > 0)
-    xcf_load_old_path (info, image);
+    if (! xcf_load_old_path (info, image))
+      return FALSE;
 
   active_vectors =
     GIMP_VECTORS (gimp_container_get_child_by_index (gimp_image_get_vectors (image),
@@ -2799,7 +2807,7 @@ xcf_load_old_path (XcfInfo   *info,
     }
   else if (version != 1)
     {
-      g_printerr ("Unknown path type. Possibly corrupt XCF file");
+      g_printerr ("Unknown path type (version: %u). Possibly corrupt XCF file.\n", version);
 
       return FALSE;
     }
-- 
2.36.1

Places

File gimp-CVE_2022-30067.patch of Package gimp.24398

Places