diff options
Diffstat (limited to '')
-rw-r--r-- | debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch b/debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch new file mode 100644 index 0000000..b0b45cc --- /dev/null +++ b/debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch @@ -0,0 +1,53 @@ +From: Alx Sa <cmyk.student@gmail.com> +Date: Sat, 28 Oct 2023 21:44:51 +0000 +Subject: plug-ins: Additional fixes for DDS Import +Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/9dda8139e4d07e3a273436eda993fef32555edbe +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44441 +Bug-Debian: https://bugs.debian.org/1055984 + +@Wormnest noted remaining regressions after 8faad92e. +The second fread() only runs if the DDSD_PITCH flag is set, +so the error handling check should also be conditional. +Additionally, the ZDI-CAN-22093 exploit no longer runs but +still could cause a plug-in crash. This patch adds an additional +check to ensure the buffer size was within bounds. +--- + plug-ins/file-dds/ddsread.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c +index 74368d04e41a..dcb4449a9f97 100644 +--- a/plug-ins/file-dds/ddsread.c ++++ b/plug-ins/file-dds/ddsread.c +@@ -928,6 +928,7 @@ load_layer (FILE *fp, + current_position = ftell (fp); + fseek (fp, 0L, SEEK_END); + file_size = ftell (fp); ++ fseek (fp, 0, SEEK_SET); + fseek (fp, current_position, SEEK_SET); + + if (width < 1) width = 1; +@@ -1033,7 +1034,8 @@ load_layer (FILE *fp, + size *= 16; + } + +- if (size > (file_size - current_position)) ++ if (size > (file_size - current_position) || ++ size > hdr->pitch_or_linsize) + { + g_message ("Requested data exceeds size of file.\n"); + return 0; +@@ -1078,7 +1080,9 @@ load_layer (FILE *fp, + } + + current_position = ftell (fp); +- if ((width * d->bpp) > (file_size - current_position)) ++ if ((hdr->flags & DDSD_PITCH) && ++ ((width * d->bpp) > (file_size - current_position) || ++ (width * d->bpp) > hdr->pitch_or_linsize)) + { + g_message ("Requested data exceeds size of file.\n"); + return 0; +-- +2.42.0 + |