Since commit d0ae244fe8, which
connects GimpChannel instances to their buffer's "changed" signal,
the XCF loading code that steals a channel's buffer when converting
it to a selection mask (which happens when loading an XCF with a
saved selection mask) is unsafe, since fails to perform the
necessary cleanup and setup of the buffer in the old and new
channel objects, respectively.
Perform the buffer transfer using the new
gimp_drawable_steal_buffer(), which does the same thing in a safe
manner.
which is just a #define to g_assert for now, but can now easily be
turned into something that does some nicer debugging using our new
stack trace infrastructure. This commit also reverts all constructed()
functions to use assert again.
When loading tile data, avoid copying the data into the GEGL
buffer when the tile is empty (i.e., all its bytes are 0), so that
GEGL doesn't allocate memory for it unnecessarily.
It was always supposed to be like that, but simply forgotten.
Fortunately, big-endian machines are almost extinct...
The new code is triggered with XCF version >= 12, but we will start
using that only after code review.
this commit changes just those which make no difference to
functionality: property and object member defaults that get overridden
anyway, return values of g_return_val_if_fail(), some other stuff.
When loading tiles from an XCF, reject tiles whose on-disk size is
greater than 1.5 times the size of an uncompressed tile -- a limit
that is already present for the last tile in the buffer. This
should allow for the possibility of negative compression, while
restricting placing a realistic limit.
Currently, no limit is placed on the on-disk tile data size. When
loading RLE- and zlib-compressed tiles, a buffer large enough to
hold the entire on-disk tile data, up to 2GB, is allocated on the
stack, and the data is read into it. If the file is smaller than
the reported tile data size, the area of the buffer past the end
of the file is not touched. This allows a malicious XCF to write
up to 2GB of arbitrary data, at an arbitrary offset, up to 2GB,
below the stack.
Note that a similar issue had existed for earlier versions of GIMP
(see commit d7a9e6079d), however,
since prior to 2.9 the tile data buffer was allocated on the heap,
the potential risk is far smaller.
The layer blend space, composite space, and composite mode
properties have a special AUTO value, which may map to different
concrete values based on the layer mode. Make sure we can change
this mapping in the future, without affecting existing XCFs (saved
after this commit), by encoding these properties as follows:
When saving an XCF, if the property has a concrete (non-AUTO)
value, which is always positive, encode it as is. If the property
is AUTO, which is always 0, encode it as the negative of the value
it actually maps to at the time of saving (note that in some cases
AUTO may map to AUTO, in which case it's encoded as 0).
When loading an XCF, if the encoded property (stored in the file)
is nonnegative, use it as is. Otherwise, compare the negative of
the encoded property to the value AUTO maps to at the time of
loading. If the values are equal, set the property to AUTO;
otherwise, use the concrete value (i.e., the negative of the value
stored in the XCF).
Note that XCFs saved prior to this commit still load fine, it's
simply that if we change the AUTO mapping in the future, all their
AUTO properties will keep being loaded as AUTO, even if the
resulting concrete values will have changed.
We were still saving channel colors in 8 bit, this additionally
saves/loads the color as float values. Still save the old PROP_COLOR
for compatibility.
Both in the GimpImage API and in the GUI. The toggle in the save
dialog now controls ZLIB compression directly. Changed the various
info labels accordingly. Ditch the XCF parasite that saved the XCF
compat mode.
Enable 64 bit file offsets in XCF files, starting with newly added XCF
version 11.
We use at least version 11 if:
- we would use the previous version 10 (essentially skipping 10)
- the in-memory size of the image is larger than 4 Gig
Change the xcf_read_foo() functions to take the XcfInfo* instead of
a GInputStream*, and make them advance the info->cp offset by
themselves. Makes xcf-load.c a lot more readable.
Step one, without changing anything in the saved XCFs yet:
Abstract reading and writing of file offsets away into their own
xcf_read_offset() and xcf_write_offset() functions, which take
"goffset" instead of "guint32". Also change xcf_seek_pos() to take a
goffset argument.
Change all file offset variables in xcf-load.c, xcf-write.c and struct
XcfInfo to goffset, and add new member "bytes_per_offset" to XcfInfo,
which is currently always 4.
Largely based on a patch by Ell, with the enum type renamed and
various small changes. Adds another axis of configurability to the
existing layer mode madness, and is WIP too.
with proper value names. Mark most values as _BROKEN because they use
weird alpha compositing that has to die. Move GimpLayerModeEffects to
libgimpbase, deprecate it, and set it as compat enum for GimpLayerMode.
Add the GimpLayerModeEffects values as compat constants to script-fu
and pygimp.
which can be used to load/save XCF from/to arbitrars streams. Use the
new functions from the load/save procedure invokers.
This commit also fixes a leaked open file ans input stream for each
loaded XCF.
...XCF channel and layer properties
The properties PROP_ACTIVE_LAYER, PROP_FLOATING_SELECTION,
PROP_ACTIVE_CHANNEL saves the current object pointer the @info
structure. Others like PROP_SELECTION (for channel) and
PROP_GROUP_ITEM (for layer) will delete the current object and create
a new object, leaving the pointers in @info invalid (dangling).
Therefore, if a property from the first type will come before the
second, the result will be an UaF in the last lines of xcf_load_image
(when it actually using the pointers from @info).
I wasn't able to exploit this bug because that
g_object_instance->c_class gets cleared by the last g_object_unref and
GIMP_IS_{LAYER,CHANNEL} detects that and return FALSE.
Don't skip the first 10 bytes. That code was there to skip the magic
"GIMP_XMP_1" of the old "gimp-metadata" parasite. Instead, properly
check for that magic in xcf_load_image() and pass only the actual XMP
to gimp_metadata_set_from_xmp(). Also remove the +10 hack in file-exr.
With gimp_guide_custom_new(), you can create a custom guide with a different
style on canvas (other pattern/color/width). A custom guide won't be saved
and could be used, for instance, for specific GEGL op guiding.
Add new XCF property FLOAT_OPACITY and always save both the old 8-bit
and the new float opacity of layers and channels. Float opacity is
saved after the 8-bit one so when loading, it overwrites the limited
8-bit value with the proper precision. Do not increase the XCF version
number because old GIMP versions will simply skip the unknown
FLOAT_OPACITY and keep using the 8-bit value.
- gimp-image-set-filename PDB wrapper: implement the same there in
a few lines
- xcf-load.c: use gimp_image_set_file() instead, and get rid of the
last use of filename in xcf/ in favor of GFile
The possible failure of `g_file_replace()` was overlooked, as well as
the error which may have been created and could be useful information
for the developers.
The "filename" parameter must be in UTF-8 and in URI format (for
instance file://path for local files, and not just a path).
Cf. `g_file_new_for_uri()` documentation:
@uri: a UTF-8 string containing a URI
GIMP's OVERLAY mode was identical to SOFTLIGHT. This commit fixes the
issue and introduces a NEW_OVERLAY mode and enum value.
- change gimp:overlay-mode to be a real (svg-ish) overlay mode
- when compositing, map OVERLAY to gimp:softlight-mode
- when compisiting, map NEW_OVERLAY to gimp:overlay-mode
- bump the XCF version when NEW_OVERLAY is used
- map OVERLAY to SOFTLIGHT when loading and saving XCF
- map OVERLAY to softlight in all PDB setters
- map OVERLAY to softlight when deserializing a GimpContext
- change all paint mode menus to show an entry for NEW_OVERLAY
instead of OVERLAY
- change PSP, PSD and OpenRaster to use NEW_OVERLAY
These changes should (redundantly) make sure that no OVERLAY enum
value is used in the core any longer because it gets mapped to
SOFTLIGHT at all entry points, with the downside of introducing a
setter/getter asymmetry when OVERLAY was set in a PDB api.
Get rid of most seeking by writing the tile offsets to a table in
memory, instead of directly to the file after each tile. Only seek
back after writing all tiles, in order to save the entire table at
once.
- add gimp_image_get,get_xcf_compat_mode()
- add a compat toggle to GimpFileDialog which is shown and sensitive
only for a save (not export), and if the image structure allows
to save an old version at all. The button also has a tooltip
which explains why it is sensitive and what it does
- add "gboolean xcf_compat" to file_save_dialog_save_image()
- in file_save_dialog_save_image(), call image_set_xcf_compat_mode(TRUE)
only around the call to file_save() and set it to FALSE after saving
- in xcf_save_invoker(), honor the image's XCF compat flag and save an
RLE-compressed XCF if possible
The above is very convoluted and doesn't pass the "xcf_compat" boolean
directly because we can't change the parameters of gimp-xcf-save, and
because the gimp-xcf-save might be called indirectly.
Change XCF saving to never seek past the end of the partially written
file. The only places where we still did this was when skipping the
offset tables for layers, channels, levels and tiles.
Now we write an all-zero offset table first, and then only seek around
in areas of the file that already exist. This also simplifies the code
a bit. Changed comments to make it clear what happens.
Don't use xcf_seek_end() because that seems to be broken on certain
file systems / operating systems / FUSE mounts / whatever. Instead,
seek to explicitly calculated file offsets.
Ported Massimo's patch to master and added comments --Mitch
The same commit in gimp-2-8 is a57e49b1bb
- use G_FILE_CREATE_NONE instead of 0
- don't put "Could not open <file> for writing: <error>" around the
returned error, the returned message is already verbose
Add gimp_image_get_xcf_version() and use it when saving XCFs. The
function also returns GIMP versions in integer (comparable) and string
form to be used by GUI logic that allows to save compatible files.
and g_warning() for programming errors only.
Use g_printerr() for "normal" errors which may happen in a program
lifetime (in particular corrupted XCF file errors are not necessarily
programming errors).
Our code was planning zlib and fractal compressions for eons, but would
crash against a file which would be actually using these. It means that
if we implement one of these compressions for 2.10, anyone with GIMP 2.8
(and likely earlier too) would crash when opening a legit file using the
new compressions. That's very bad.
Never use g_error() in non-fatale, expected, situations!
- change start() and set_text() to use "format" and "..." instead of
"message", allowing to format progress messages in place
- s/cancelable/cancellable/
- move "cancellable" to be the second argument of start()
and keep GIMP_ICON_TYPE_STOCK_ID as a deprecated alias. Change all
plug-ins accordingly and increase the pluginrc file version number so
it gets regenerated with "icon-name" instead of "stock-id".
when they are added to items, images or globally, from the PDF or an
XCF file. None of the validation functions does anything currently,
they simply return TRUE.
The code was technically correct previously: It wrote the uninitialized
length only as a placeholder to overwrite it later on. Yet it's better
to not confuse tools (or people) analysing the code. Besides that having
0 for the length in the file while the payload is being written may aid
debugging e.g. crashes in that code later on.
Based on original patches from Hartmut Kuhse and modified
by Michael Natterer. Changes include:
- remove libexif dependency and add a hard dependency on gexiv2
- typedef GExiv2Metadata to GimpMetadata to avoid having to
include gexiv2 globally
- add basic GimpMetadata handling functions to libgimpbase
- add image and image file specific metadata functions to libgimp,
including the exif orientation image rotate dialog
- port plug-ins to use the new APIs
- port file-tiff-save's UI to GtkBuilder
- add new plug-in "metadata" to view the image's metadata
- keep metadata around as GimpImage member in the core
- update the image's metadata on image size, resolution and precision
changes
- obsolete the old metadata parasites
- migrate the old parasites to new GimpMetadata object on XCF load
- don't include <gdk-pixbuf/gdk-pixbuf.h> in headers in app/
- instead, include it in many .c files instead of <glib-object.h>,
finally acknowledging the fact that app/ depends on gdk-pixbuf almost
globally
- fix up includes as if libgimpbase depended in GIO, which it soon will
- Add new enum GimpComponentType which contains u8, u16, u32 etc.
- Change GimpPrecision to be u8-linear, u8-gamma, u16-linear etc.
- Add all the needed formats to gimp-babl.c
- Bump the XCF version to 5 and make sure version 4 with the old
GimpPrecision enum values is loaded correctly
This change blows up the precision enums in "New Image" and
Image->Precision so we can test all this stuff. It is undecided what
format will be user-visible options in 2.10.
Apply and heavily modify patch from remyDev which adds "lock position"
to GimpItem, similar to "lock content". Lock position disables all
sorts of translation and transform, from the GUI and the PDB.
Cleaned up some aspects of the lock content code as well because a
second instance of similar code always shows what went wrong the first
time.
The last tile is not followed by a next tile, so we don't have an
offset to the next tile and have to guess the number of bytes to load,
using the largest possible tile. That guessing was based on a maximum
of four bytes per pixel.
In fact, it broke much more than that because the way XCF loading
replaced the image's mask prevented the image's "mask-changed" signal
from ever being emitted. Add private API gimp_image_take_mask() which
properly sets the mask and use it for image construction and the XCF
selection loading hack.
Also, make group layer type conversion much less hackish by using the
same kind of temporary states that are used for reallocating its
projection on size change.
because it would require really evil hacks to honor these properties
in the gegl projection if they were on the mask, and because they
actually belong to the layer.
Conditional jump or move depends on uninitialised value(s)
==28817== at 0x6AA386: gimp_coords_manhattan_dist (gimp/app/core/gimpcoords.c:175)
==28817== by 0x6AB428: gimp_coords_bezier_is_straight (gimp/app/core/gimpcoords-interpolate.c:213)
==28817== by 0x67663B: gimp_bezier_stroke_segment_nearest_point_get (gimp/app/vectors/gimpbezierstroke.c:676)
==28817== by 0x676C86: gimp_bezier_stroke_nearest_point_get (gimp/app/vectors/gimpbezierstroke.c:631)
==28817== by 0x4D79E3: gimp_draw_tool_on_vectors_curve (gimp/app/tools/gimpdrawtool.c:1175)
==28817== by 0x4D7CD5: gimp_draw_tool_on_vectors (gimp/app/tools/gimpdrawtool.c:1242)
==28817== by 0x511CE7: gimp_vector_tool_oper_update (gimp/app/tools/gimpvectortool.c:989)
==28817== by 0x50B059: gimp_tool_oper_update (gimp/app/tools/gimptool.c:970)
==28817== by 0x546F3C: gimp_display_shell_canvas_tool_events (gimp/app/display/gimpdisplayshell-tool-events.c:401)
==28817== by 0x52A42E2: _gtk_marshal_BOOLEAN__BOXED (gtk-2-24/gtk/gtkmarshalers.c:86)
Steps to reproduce:
G_SLICE=always-malloc valgrind gimp-2.7 app/tests/*/*.xcf
B (Activate Path tool)
Introduced two virtual functions to a GimpViewable
'set_expanded' and 'get_expanded'
and a PROP_GROUP_ITEM_FLAGS to load/save the expanded state
of layer_groups and use them.
This patch limits the string length to 16 MB. If problems occur in the
future because 16 MB is small, increase the limit by modifying
MAX_XCF_STRING_LEN.
and get rid of the brainfuck idea that app/ has to use _gimp_unit_foo()
functions, passing a gimp pointer. Instead, simply use the libgimpbase
API all over the place. Should we ever allow more than one gimp instance,
they will simply have to share one unit database.