1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
|
From: "Ryan C. Gordon" <icculus@icculus.org>
Date: Wed, 7 Feb 2018 16:29:51 -0500
Subject: xcf: check for some potential integer overflows.
Bug: https://security-tracker.debian.org/tracker/CVE-2018-3839
Origin: upstream, 2.0.3, commit:fb643e371806, commit:https://github.com/libsdl-org/SDL_image/commit/f9ad7549ad71609f6ea47c5951c7e09ad5d1a104.patch
---
IMG_xcf.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/IMG_xcf.c b/IMG_xcf.c
index 6624a50..064e641 100644
--- a/IMG_xcf.c
+++ b/IMG_xcf.c
@@ -582,6 +582,18 @@ static int do_layer_surface (SDL_Surface * surface, SDL_RWops * src, xcf_header
SDL_RWseek (src, layer->hierarchy_file_offset, RW_SEEK_SET);
hierarchy = read_xcf_hierarchy (src);
+ if (hierarchy->bpp > 4) { /* unsupported. */
+ fprintf(stderr, "Unknown Gimp image bpp (%u)\n", (unsigned int) hierarchy->bpp);
+ free_xcf_hierarchy(hierarchy);
+ return 1;
+ }
+
+ if ((hierarchy->width > 20000) || (hierarchy->height > 20000)) { /* arbitrary limit to avoid integer overflow. */
+ fprintf(stderr, "Gimp image too large (%ux%u)\n", (unsigned int) hierarchy->width, (unsigned int) hierarchy->height);
+ free_xcf_hierarchy(hierarchy);
+ return 1;
+ }
+
level = NULL;
for (i = 0; hierarchy->level_file_offsets [i]; i++) {
SDL_RWseek (src, hierarchy->level_file_offsets [i], RW_SEEK_SET);
|
