dnrops
/
gimp
mirror of https://github.com/GNOME/gimp.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

plug-ins: Fix PSP vulnerability (ZDI-CAN-22096) 

Resolves #10072.

The current PSP palette loading code does not check if
the file's palette entry count value is below the limit
(G_MAXUNIT32 / 4 due to each color being 4 bytes long).
This patch adds this check and stops loading if the count
is larger than GIMP currently supports.
This commit is contained in:
Alx Sa 2023-09-23 02:41:57 +00:00
parent e1bfd87195
commit 96f536a335
1 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
plug-ins/common/file-psp.c
View File

@ -1279,8 +1279,17 @@ read_color_block (FILE *f,
}
color_palette_entries = GUINT32_FROM_LE (entry_count);
/* TODO: GIMP currently only supports a maximum of 256 colors
* in an indexed image. If this changes, we can change this check */
if (color_palette_entries > 256)
{
g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
_("Error: Unsupported palette size"));
return -1;
}
/* psp color palette entries are stored as RGBA so 4 bytes per entry
where the fourth bytes is always zero */
* where the fourth bytes is always zero */
pal_size = color_palette_entries * 4;
color_palette = g_malloc (pal_size);
if (fread (color_palette, pal_size, 1, f) < 1)