1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
|
From: Alx Sa <cmyk.student@gmail.com>
Date: Sun, 1 Oct 2023 17:54:08 +0000
Subject: plug-ins: Fix DDS vulnerability (ZDI-CAN-22093)
Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/7db71cd0b6e36c454aa0d2d3efeec7e636db4dbc
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44441
Bug-Debian: https://bugs.debian.org/1055984
Resolves #10069
Currently, the DDS header information for the width, height, and bytes per scan line
are read in and assumed to be correct. As these values are used for memory allocation
and reading, it would be good to verify they do not exceed the file size.
This patch adds a condition after the header is read in to verify those values. If they exceed
the file size (mins an offset), the file is not read in and an error message is shown.
---
plug-ins/file-dds/ddsread.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
index a8eb8b8ad9f3..98e122de8aff 100644
--- a/plug-ins/file-dds/ddsread.c
+++ b/plug-ins/file-dds/ddsread.c
@@ -109,6 +109,7 @@ read_dds (gchar *filename,
guchar *pixels;
gchar *tmp;
FILE *fp;
+ gsize file_size;
dds_header_t hdr;
dds_header_dx10_t dx10hdr;
dds_load_info_t d;
@@ -130,6 +131,10 @@ read_dds (gchar *filename,
return GIMP_PDB_EXECUTION_ERROR;
}
+ fseek (fp, 0L, SEEK_END);
+ file_size = ftell (fp);
+ fseek (fp, 0, SEEK_SET);
+
if (strrchr (filename, '/'))
tmp = g_strdup_printf ("Loading %s:", strrchr (filename, '/') + 1);
else
@@ -186,6 +191,16 @@ read_dds (gchar *filename,
}
}
+ /* verify header information is accurate */
+ if (hdr.depth < 1 ||
+ (hdr.pitch_or_linsize > (file_size - sizeof (hdr))) ||
+ (((guint64) hdr.height * hdr.width * hdr.depth) > (file_size - sizeof (hdr))))
+ {
+ fclose (fp);
+ g_message ("Invalid or corrupted DDS header\n");
+ return GIMP_PDB_EXECUTION_ERROR;
+ }
+
if (hdr.pixelfmt.flags & DDPF_FOURCC)
{
/* fourcc is dXt* or rXgb */
--
2.42.0
|