Diffstat (limited to 'debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch')
-rw-r--r--debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch53
1 files changed, 53 insertions, 0 deletions
diff --git a/debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch b/debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch
new file mode 100644
index 0000000..b0b45cc
--- /dev/null
+++ b/debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch
@@ -0,0 +1,53 @@
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Sat, 28 Oct 2023 21:44:51 +0000
+Subject: plug-ins: Additional fixes for DDS Import
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/9dda8139e4d07e3a273436eda993fef32555edbe
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44441
+Bug-Debian: https://bugs.debian.org/1055984
+
+@Wormnest noted remaining regressions after 8faad92e.
+The second fread() only runs if the DDSD_PITCH flag is set,
+so the error handling check should also be conditional.
+Additionally, the ZDI-CAN-22093 exploit no longer runs but
+still could cause a plug-in crash. This patch adds an additional
+check to ensure the buffer size was within bounds.
+---
+ plug-ins/file-dds/ddsread.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
+index 74368d04e41a..dcb4449a9f97 100644
+--- a/plug-ins/file-dds/ddsread.c
++++ b/plug-ins/file-dds/ddsread.c
+@@ -928,6 +928,7 @@ load_layer (FILE *fp,
+ current_position = ftell (fp);
+ fseek (fp, 0L, SEEK_END);
+ file_size = ftell (fp);
++ fseek (fp, 0, SEEK_SET);
+ fseek (fp, current_position, SEEK_SET);
+
+ if (width < 1) width = 1;
+@@ -1033,7 +1034,8 @@ load_layer (FILE *fp,
+ size *= 16;
+ }
+
+- if (size > (file_size - current_position))
++ if (size > (file_size - current_position) ||
++ size > hdr->pitch_or_linsize)
+ {
+ g_message ("Requested data exceeds size of file.\n");
+ return 0;
+@@ -1078,7 +1080,9 @@ load_layer (FILE *fp,
+ }
+
+ current_position = ftell (fp);
+- if ((width * d->bpp) > (file_size - current_position))
++ if ((hdr->flags & DDSD_PITCH) &&
++ ((width * d->bpp) > (file_size - current_position) ||
++ (width * d->bpp) > hdr->pitch_or_linsize))
+ {
+ g_message ("Requested data exceeds size of file.\n");
+ return 0;
+--
+2.42.0
+
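Review bot: The added `fseek (fp, 0, SEEK_SET);` immediately before `fseek (fp, current_position, SEEK_SET);` in the first inner hunk (ddsread.c around line 928) has no effect on the resulting stream position and reads as a leftover from debugging; it can be dropped, and since the new bounds checks now depend on `file_size`, the unchecked `ftell` result should be validated first, e.g. `if (file_size < 0 || current_position < 0) return 0;`, so a failed `ftell` (returning -1) cannot feed a negative value into `file_size - current_position`. The first inner hunk compares `size` against `hdr->pitch_or_linsize` unconditionally, whereas the third only does so under `hdr->flags & DDSD_PITCH`; if the header parser does not guarantee that field is populated when neither pitch nor linear-size flag is set, the unconditional form may reject otherwise valid files, and for pitch-style headers `size` (whole-image bytes) compared against a per-scanline pitch would also be a mismatch — both points need confirming against the header-reading code, which is outside this hunk. The `width * d->bpp` product in the third inner hunk is still computed before any range check on `width`, so whether it can overflow depends on the types declared earlier in `load_layer`, which starts and ends outside the hunk.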