From: Alx Sa
Date: Sat, 28 Oct 2023 21:44:51 +0000
Subject: plug-ins: Additional fixes for DDS Import
Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/9dda8139e4d07e3a273436eda993fef32555edbe
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44441
Bug-Debian: https://bugs.debian.org/1055984

@Wormnest noted remaining regressions after 8faad92e.
The second fread() only runs if the DDSD_PITCH flag is set, so the error handling check should also be conditional.
Additionally, the ZDI-CAN-22093 exploit no longer runs but still could cause a plug-in crash. This patch adds an additional check to ensure the buffer size was within bounds.
---
 plug-ins/file-dds/ddsread.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
index 74368d04e41a..dcb4449a9f97 100644
--- a/plug-ins/file-dds/ddsread.c
+++ b/plug-ins/file-dds/ddsread.c
@@ -928,6 +928,7 @@ load_layer (FILE *fp,
   current_position = ftell (fp);
   fseek (fp, 0L, SEEK_END);
   file_size = ftell (fp);
+  fseek (fp, 0, SEEK_SET);
   fseek (fp, current_position, SEEK_SET);
 
   if (width < 1) width = 1;
@@ -1033,7 +1034,8 @@ load_layer (FILE *fp,
       size *= 16;
     }
 
-  if (size > (file_size - current_position))
+  if (size > (file_size - current_position) ||
+      size > hdr->pitch_or_linsize)
     {
       g_message ("Requested data exceeds size of file.\n");
       return 0;
@@ -1078,7 +1080,9 @@ load_layer (FILE *fp,
     }
   current_position = ftell (fp);
 
-  if ((width * d->bpp) > (file_size - current_position))
+  if ((hdr->flags & DDSD_PITCH) &&
+      ((width * d->bpp) > (file_size - current_position) ||
+       (width * d->bpp) > hdr->pitch_or_linsize))
     {
       g_message ("Requested data exceeds size of file.\n");
       return 0;
-- 
2.42.0
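Review bot: The added `fseek (fp, 0, SEEK_SET);` is immediately superseded by the existing `fseek (fp, current_position, SEEK_SET);` on the next line, so it has no effect on the stream position; if the intent was to clear a stream state flag, `clearerr (fp)` or a checked `fseek` would express that. The larger gap for the bounds checks that follow in load_layer is that neither `ftell` result is checked: on failure both return -1, and `file_size - current_position` then no longer bounds anything. I would drop the redundant seek and add, after `file_size = ftell (fp);`, a guard such as `if (current_position < 0 || file_size < 0) return 0;` with a `g_message` in the existing style. load_layer's body continues outside the hunk.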
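Review bot: The new `size > hdr->pitch_or_linsize` comparison treats that header field as the surface's linear size, but in the DDS header it is a row pitch when DDSD_PITCH is set and is only meaningful when one of DDSD_LINEARSIZE or DDSD_PITCH is flagged; if the code before the hunk does not already confine this path to the DDSD_LINEARSIZE case, a header that sets DDSD_PITCH or neither flag (where the field is typically 0) could make the loader reject well-formed files. I would gate the comparison on the flag the way the later hunk does, e.g. `((hdr->flags & DDSD_LINEARSIZE) && size > hdr->pitch_or_linsize)`, or add a comment stating why the field is known to be the linear size at this point. The message `Requested data exceeds size of file.` also no longer describes the second condition; a distinct message such as `Requested data exceeds size declared in header.` would make the rejection reason diagnosable from the log. The computation of `size` begins outside the hunk.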
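Review bot: `width * d->bpp` is now spelled twice in the condition and presumably again in the fread it guards (outside the hunk); hoisting it into one local such as `gsize row_size = (gsize) width * d->bpp;` keeps the guard and the read in agreement and removes a repeated multiplication whose operand types, and hence the sign promotion in the comparison with the `long` difference `file_size - current_position`, are not visible here. A short comment above the condition, e.g. `/* The per-row read below only happens for DDSD_PITCH surfaces, so the check is conditional too. */`, would let a reader verify the gating against the fread without consulting the commit message. The enclosing function continues past the hunk.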