diff options
Diffstat (limited to 'debian/patches/plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch')
| -rw-r--r-- | debian/patches/plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/debian/patches/plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch b/debian/patches/plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch new file mode 100644 index 0000000..c5ae876 --- /dev/null +++ b/debian/patches/plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch @@ -0,0 +1,62 @@ +From: Alx Sa <cmyk.student@gmail.com> +Date: Sun, 1 Oct 2023 17:54:08 +0000 +Subject: plug-ins: Fix DDS vulnerability (ZDI-CAN-22093) +Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/7db71cd0b6e36c454aa0d2d3efeec7e636db4dbc +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44441 +Bug-Debian: https://bugs.debian.org/1055984 + +Resolves #10069 + +Currently, the DDS header information for the width, height, and bytes per scan line +are read in and assumed to be correct. As these values are used for memory allocation +and reading, it would be good to verify they do not exceed the file size. + +This patch adds a condition after the header is read in to verify those values. If they exceed +the file size (mins an offset), the file is not read in and an error message is shown. +--- + plug-ins/file-dds/ddsread.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c +index a8eb8b8ad9f3..98e122de8aff 100644 +--- a/plug-ins/file-dds/ddsread.c ++++ b/plug-ins/file-dds/ddsread.c +@@ -109,6 +109,7 @@ read_dds (gchar *filename, + guchar *pixels; + gchar *tmp; + FILE *fp; ++ gsize file_size; + dds_header_t hdr; + dds_header_dx10_t dx10hdr; + dds_load_info_t d; +@@ -130,6 +131,10 @@ read_dds (gchar *filename, + return GIMP_PDB_EXECUTION_ERROR; + } + ++ fseek (fp, 0L, SEEK_END); ++ file_size = ftell (fp); ++ fseek (fp, 0, SEEK_SET); ++ + if (strrchr (filename, '/')) + tmp = g_strdup_printf ("Loading %s:", strrchr (filename, '/') + 1); + else +@@ -186,6 +191,16 @@ read_dds (gchar *filename, + } + } + ++ /* verify header information is accurate */ ++ if (hdr.depth < 1 || ++ (hdr.pitch_or_linsize > (file_size - sizeof (hdr))) || ++ (((guint64) hdr.height * hdr.width * hdr.depth) > (file_size - sizeof (hdr)))) ++ { ++ fclose (fp); ++ g_message ("Invalid or corrupted DDS header\n"); ++ return GIMP_PDB_EXECUTION_ERROR; ++ } ++ + if (hdr.pixelfmt.flags & DDPF_FOURCC) + { + /* fourcc is dXt* or rXgb */ +-- +2.42.0 + |