summaryrefslogtreecommitdiffstats
path: root/debian/patches/plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--debian/patches/plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch94
1 files changed, 94 insertions, 0 deletions
diff --git a/debian/patches/plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch b/debian/patches/plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch
new file mode 100644
index 0000000..85e54f5
--- /dev/null
+++ b/debian/patches/plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch
@@ -0,0 +1,94 @@
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Fri, 27 Oct 2023 22:04:48 +0000
+Subject: plug-ins: Fix DDS import regression from 7db71cd0
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/e92f279c97282a2b20dca0d923db7465f2057703
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44441
+Bug-Debian: https://bugs.debian.org/1055984
+
+@Wormnest pointed out that compressed files are likely smaller than
+width * height * bps, so our check to prevent ZDI-CAN-22093
+also caught valid files.
+The size check is removed from load_image () and moved to load_layer ()
+before the two fread() functions, as we know exactly how much we'll
+try to read at that point.
+(Backport of 8faad92e)
+---
+ plug-ins/file-dds/ddsread.c | 39 +++++++++++++++++++++++++++----------
+ 1 file changed, 29 insertions(+), 10 deletions(-)
+
+--- a/plug-ins/file-dds/ddsread.c
++++ b/plug-ins/file-dds/ddsread.c
+@@ -189,16 +189,6 @@ read_dds (gchar *filename,
+ }
+ }
+
+- /* verify header information is accurate */
+- if (hdr.depth < 1 ||
+- (hdr.pitch_or_linsize > (file_size - sizeof (hdr))) ||
+- (((guint64) hdr.height * hdr.width * hdr.depth) > (file_size - sizeof (hdr))))
+- {
+- fclose (fp);
+- g_message ("Invalid or corrupted DDS header\n");
+- return GIMP_PDB_EXECUTION_ERROR;
+- }
+-
+ if (hdr.pixelfmt.flags & DDPF_FOURCC)
+ {
+ /* fourcc is dXt* or rXgb */
+@@ -288,6 +278,15 @@ read_dds (gchar *filename,
+ }
+ }
+
++ /* verify header information is accurate */
++ if (d.bpp < 1 ||
++ (hdr.pitch_or_linsize > (file_size - sizeof (hdr))))
++ {
++ fclose (fp);
++ g_message ("Invalid or corrupted DDS header\n");
++ return GIMP_PDB_EXECUTION_ERROR;
++ }
++
+ image = gimp_image_new (hdr.width, hdr.height, type);
+
+ if (image == -1)
+@@ -896,6 +895,13 @@ load_layer (FILE *fp,
+ unsigned int size = hdr->pitch_or_linsize >> (2 * level);
+ unsigned int layerw;
+ int format = DDS_COMPRESS_NONE;
++ gsize file_size;
++ gsize current_position;
++
++ current_position = ftell (fp);
++ fseek (fp, 0L, SEEK_END);
++ file_size = ftell (fp);
++ fseek (fp, current_position, SEEK_SET);
+
+ if (width < 1) width = 1;
+ if (height < 1) height = 1;
+@@ -993,6 +999,12 @@ load_layer (FILE *fp,
+ size *= 16;
+ }
+
++ if (size > (file_size - current_position))
++ {
++ g_message ("Requested data exceeds size of file.\n");
++ return 0;
++ }
++
+ if ((hdr->flags & DDSD_LINEARSIZE) &&
+ !fread (buf, size, 1, fp))
+ {
+@@ -1014,6 +1026,13 @@ load_layer (FILE *fp,
+ gimp_progress_update ((double)y / (double)hdr->height);
+ }
+
++ current_position = ftell (fp);
++ if ((width * d->bpp) > (file_size - current_position))
++ {
++ g_message ("Requested data exceeds size of file.\n");
++ return 0;
++ }
++
+ if ((hdr->flags & DDSD_PITCH) &&
+ !fread (buf, width * d->bpp, 1, fp))
+ {