mirror of https://github.com/GNOME/gimp.git
plug-ins: Fix DDS vulnerability (ZDI-CAN-22093)
Resolves #10069 Currently, the DDS header information for the width, height, and bytes per scan line are read in and assumed to be correct. As these values are used for memory allocation and reading, it would be good to verify they do not exceed the file size. This patch adds a condition after the header is read in to verify those values. If they exceed the file size (mins an offset), the file is not read in and an error message is shown.
This commit is contained in:
parent
0b307a3a1a
commit
6ad54ca3a3
|
@ -124,6 +124,7 @@ read_dds (GFile *file,
|
||||||
guint l = 0;
|
guint l = 0;
|
||||||
guchar *pixels;
|
guchar *pixels;
|
||||||
FILE *fp;
|
FILE *fp;
|
||||||
|
gsize file_size;
|
||||||
dds_header_t hdr;
|
dds_header_t hdr;
|
||||||
dds_header_dx10_t dx10hdr;
|
dds_header_dx10_t dx10hdr;
|
||||||
dds_load_info_t d;
|
dds_load_info_t d;
|
||||||
|
@ -157,6 +158,10 @@ read_dds (GFile *file,
|
||||||
return GIMP_PDB_EXECUTION_ERROR;
|
return GIMP_PDB_EXECUTION_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fseek (fp, 0L, SEEK_END);
|
||||||
|
file_size = ftell (fp);
|
||||||
|
fseek (fp, 0, SEEK_SET);
|
||||||
|
|
||||||
gimp_progress_init_printf ("Loading %s:", gimp_file_get_utf8_name (file));
|
gimp_progress_init_printf ("Loading %s:", gimp_file_get_utf8_name (file));
|
||||||
|
|
||||||
/* read header */
|
/* read header */
|
||||||
|
@ -207,6 +212,17 @@ read_dds (GFile *file,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* verify header information is accurate */
|
||||||
|
if (hdr.depth < 1 ||
|
||||||
|
(hdr.pitch_or_linsize > (file_size - sizeof (hdr))) ||
|
||||||
|
(((guint64) hdr.height * hdr.width * hdr.depth) > (file_size - sizeof (hdr))))
|
||||||
|
{
|
||||||
|
fclose (fp);
|
||||||
|
g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno),
|
||||||
|
_("Invalid or corrupted DDS header"));
|
||||||
|
return GIMP_PDB_EXECUTION_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
if (hdr.pixelfmt.flags & DDPF_FOURCC)
|
if (hdr.pixelfmt.flags & DDPF_FOURCC)
|
||||||
{
|
{
|
||||||
/* fourcc is dXt* or rXgb */
|
/* fourcc is dXt* or rXgb */
|
||||||
|
|
Loading…
Reference in New Issue