summaryrefslogtreecommitdiffstats
path: root/debian/patches/plug-ins-Fix-vulnerabilities-in-file-psp.patch
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--debian/patches/plug-ins-Fix-vulnerabilities-in-file-psp.patch49
1 files changed, 49 insertions, 0 deletions
diff --git a/debian/patches/plug-ins-Fix-vulnerabilities-in-file-psp.patch b/debian/patches/plug-ins-Fix-vulnerabilities-in-file-psp.patch
new file mode 100644
index 0000000..3f32a28
--- /dev/null
+++ b/debian/patches/plug-ins-Fix-vulnerabilities-in-file-psp.patch
@@ -0,0 +1,49 @@
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Sat, 23 Sep 2023 20:40:18 +0000
+Subject: plug-ins: Fix vulnerabilities in file-psp
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/ef12c0a90752a06d4c465a768d052b07f5e8a8a0
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44444
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44443
+Bug-Debian: https://bugs.debian.org/1055984
+
+Backports commits e1bfd871 and 96f536a3
+from master
+---
+ plug-ins/common/file-psp.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
+index c0f3480641c2..6a6b93d0cde7 100644
+--- a/plug-ins/common/file-psp.c
++++ b/plug-ins/common/file-psp.c
+@@ -1128,8 +1128,17 @@ read_color_block (FILE *f,
+ }
+
+ color_palette_entries = GUINT32_FROM_LE (entry_count);
++ /* TODO: GIMP currently only supports a maximum of 256 colors
++ * in an indexed image. If this changes, we can change this check */
++ if (color_palette_entries > 256)
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("Error: Unsupported palette size"));
++ return -1;
++ }
++
+ /* psp color palette entries are stored as RGBA so 4 bytes per entry
+- where the fourth bytes is always zero */
++ * where the fourth bytes is always zero */
+ pal_size = color_palette_entries * 4;
+ color_palette = g_malloc (pal_size);
+ if (fread (color_palette, pal_size, 1, f) < 1)
+@@ -1498,7 +1507,7 @@ read_channel_data (FILE *f,
+ else
+ endq = q + line_width * height;
+
+- buf = g_malloc (127);
++ buf = g_malloc (128);
+ while (q < endq)
+ {
+ fread (&runcount, 1, 1, f);
+--
+2.42.0
+