File: plug-ins-fix-ZDI-CAN-27878.patch

gimp 3.0.4-6.2
  • area: main
  • in suites: forky, sid
From: Jacob Boerema <jgboerema@gmail.com>
Date: Wed, 3 Sep 2025 15:25:55 -0400
Subject: plug-ins: fix ZDI-CAN-27878
Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/fb31ddf32298bb2f0f09b3ccc53464b8693a050e
Bug-Debian: https://bugs.debian.org/1116460
Bug: https://gitlab.gnome.org/GNOME/gimp/-/issues/14812
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-10923

GIMP WBMP File Parsing Integer Overflow Remote Code Execution
Vulnerability

We recently fixed one instance of not upgrading the size, but forgot
the other. Fix that here by casting to (gsize). While we're at it,
also add a warning, when reading more data fails unexpectedly.

Closes #14812
---
 plug-ins/common/file-wbmp.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/plug-ins/common/file-wbmp.c b/plug-ins/common/file-wbmp.c
index a19b0f9728f9..f37450118f96 100644
--- a/plug-ins/common/file-wbmp.c
+++ b/plug-ins/common/file-wbmp.c
@@ -456,6 +456,7 @@ read_image (FILE    *fd,
   GeglBuffer  *buffer;
   guchar      *dest, *temp;
   gint         i, cur_progress, max_progress;
+  size_t       n_read;
 
   /* Make a new image in GIMP */
   if ((width < 0) || (width > GIMP_MAX_IMAGE_SIZE))
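Review bot: n_read is declared as size_t, but in this patch it only ever receives the result of `ReadOK (fd, &v, 1)` and is compared with 0, so the name and type suggest a byte count that is never used as one. A gboolean, or gsize to match the `(gsize)` cast used for the allocation, would state the intent better. It is assigned in the loop condition before it is read, so the missing initializer is not a problem as written.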
@@ -480,14 +481,14 @@ read_image (FILE    *fd,
 
   gimp_image_insert_layer (image, layer, NULL, 0);
 
-  dest = g_malloc0 (width * height);
+  dest = g_malloc0 ((gsize) width * height);
 
   ypos = 0;
 
   cur_progress = 0;
   max_progress = height;
 
-  while (ReadOK (fd, &v, 1))
+  while ((n_read = ReadOK (fd, &v, 1)) != 0)
     {
       for (i = 1; (i <= 8) && (xpos < width); i++, xpos++)
         {
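Review bot: on the g_malloc0 line, the `(gsize)` cast only helps where gsize is wider than the type of width and height; on a 32-bit build gsize is 32 bits and the product can still wrap. `g_malloc0_n (width, height)` does the overflow check itself and covers both cases. It is also worth confirming that any later offset into dest that multiplies by width is widened the same way, otherwise the buffer is sized correctly but addressed with a wrapped index.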
@@ -512,6 +513,9 @@ read_image (FILE    *fd,
         break;
     }
 
+  if (n_read == 0)
+      g_warning (_("Read failure at position %u. Possibly corrupt image."), ypos * width + xpos);
+
   buffer = gimp_drawable_get_buffer (GIMP_DRAWABLE (layer));
 
   gegl_buffer_set (buffer, GEGL_RECTANGLE (0, 0, width, height), 0, NULL, dest,
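Review bot: the g_warning argument `ypos * width + xpos` repeats the unwidened multiplication that this patch removes from the allocation, and the result is passed to `%u`. Compute it as `(gsize) ypos * width + xpos` and print it with G_GSIZE_FORMAT so the reported position is correct for large images. The g_warning line is also indented six columns under an `if` at two; four would match the two-column steps visible in the context lines.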
-- 
2.51.0