PCX: Avoid segmentation fault with invalid file.

If a PCX file contains a bytesperline entry which is too small, it is
possible to trigger an out of boundary read, which can lead to a
segmentation fault.

The bytesperline validation is incomplete. While checking if enough
bytes per line exist, the integer truncation during the division must be
taken into account.

An example would be a 1x1 PCX file with a bpp of 1 (monochrome). The
current check allows a bytesperline field of 0, which in turn would lead
to a 0 byte allocation in load_1. Yet, the code would access index 0.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Tobias Stoeckmann 2017-04-06 21:37:50 +02:00 committed by Jehan
parent 5255d91032
commit 10f12bdcbd
1 changed files with 1 additions and 1 deletions

@ -409,7 +409,7 @@ load_image (const gchar *filename,
fclose (fd);
return -1;
}
if (bytesperline < (width * pcx_header.bpp) / 8)
if (bytesperline < ((width * pcx_header.bpp + 7) / 8))
{
g_message (_("Invalid number of bytes per line in PCX header"));
fclose (fd);
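Review bot: In the new condition `((width * pcx_header.bpp + 7) / 8)`, the product `width * pcx_header.bpp` is still evaluated before the division, and nothing in this hunk shows what type `width` has or how large it can be at this point. The round-up itself is correct. If `width` is not already bounded by an earlier check, a large header value could wrap the product and let an undersized `bytesperline` pass, so it is worth confirming that a bound precedes this check or doing the arithmetic in a wider type. A short comment stating that the `+ 7` rounds up to whole bytes would help future readers, as would a regression file for the 1x1, 1 bpp case described in the commit message.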