From: Jacob Boerema <jgboerema@gmail.com>
Date: Wed, 3 Sep 2025 18:37:26 -0400
Subject: plug-ins: fix ZDI-CAN-27823
Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/5c3e2122d53869599d77ef0f1bdece117b24fd7c
Bug: https://gitlab.gnome.org/GNOME/gimp/-/issues/14814
Bug-Debian: https://bugs.debian.org/1119661
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-10934
GIMP XWD File Parsing Heap-based Buffer Overflow Remote Code Execution
Vulnerability.
Check offset in colormap is valid before writing to it.
Closes #14814
(cherry picked from commit 4eb106f2bff2d9b8e518aa455a884c6f38d70c6a)
---
plug-ins/common/file-xwd.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/plug-ins/common/file-xwd.c b/plug-ins/common/file-xwd.c
index 8d013397be69..c4c41e5bea7e 100644
--- a/plug-ins/common/file-xwd.c
+++ b/plug-ins/common/file-xwd.c
@@ -1683,9 +1683,20 @@ load_xwd_f2_d16_b16 (GFile *file,
greenval = (green * 255) / maxgreen;
for (blue = 0; blue <= maxblue; blue++)
{
+ guint32 offset = ((red << redshift) + (green << greenshift) +
+ (blue << blueshift)) * 3;
+
+ if (offset+2 >= maxval)
+ {
+ g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
+ _("Invalid colormap offset. Possibly corrupt image."));
+ g_free (data);
+ g_free (ColorMap);
+ g_object_unref (buffer);
+ return NULL;
+ }
blueval = (blue * 255) / maxblue;
- cm = ColorMap + ((red << redshift) + (green << greenshift)
- + (blue << blueshift)) * 3;
+ cm = ColorMap + offset;
*(cm++) = redval;
*(cm++) = greenval;
*cm = blueval;
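Review bot: The guard `offset+2 >= maxval` can itself wrap. Because `offset` is a `guint32`, a value within two of the 32-bit maximum makes `offset+2` small again, so the check passes while `cm = ColorMap + offset` still points far outside the buffer. The shift counts and loop bounds feeding `offset` are set outside this hunk, so whether such a value is reachable cannot be confirmed from here, but the comparison is cheap to make wrap-proof: `if (offset >= maxval || maxval - offset < 3)`. A short comment stating that `maxval` is the allocated size of `ColorMap` in bytes (if that is the case; its definition is not visible here) would make the bound auditable. The enclosing loops and the rest of `load_xwd_f2_d16_b16` lie outside the hunk.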
--
2.51.0