diff options
Diffstat (limited to 'debian/patches/plug-ins-Fix-vulnerabilities-in-file-psp.patch')
| -rw-r--r-- | debian/patches/plug-ins-Fix-vulnerabilities-in-file-psp.patch | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/debian/patches/plug-ins-Fix-vulnerabilities-in-file-psp.patch b/debian/patches/plug-ins-Fix-vulnerabilities-in-file-psp.patch new file mode 100644 index 0000000..3f32a28 --- /dev/null +++ b/debian/patches/plug-ins-Fix-vulnerabilities-in-file-psp.patch @@ -0,0 +1,49 @@ +From: Alx Sa <cmyk.student@gmail.com> +Date: Sat, 23 Sep 2023 20:40:18 +0000 +Subject: plug-ins: Fix vulnerabilities in file-psp +Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/ef12c0a90752a06d4c465a768d052b07f5e8a8a0 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44444 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44443 +Bug-Debian: https://bugs.debian.org/1055984 + +Backports commits e1bfd871 and 96f536a3 +from master +--- + plug-ins/common/file-psp.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c +index c0f3480641c2..6a6b93d0cde7 100644 +--- a/plug-ins/common/file-psp.c ++++ b/plug-ins/common/file-psp.c +@@ -1128,8 +1128,17 @@ read_color_block (FILE *f, + } + + color_palette_entries = GUINT32_FROM_LE (entry_count); ++ /* TODO: GIMP currently only supports a maximum of 256 colors ++ * in an indexed image. If this changes, we can change this check */ ++ if (color_palette_entries > 256) ++ { ++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, ++ _("Error: Unsupported palette size")); ++ return -1; ++ } ++ + /* psp color palette entries are stored as RGBA so 4 bytes per entry +- where the fourth bytes is always zero */ ++ * where the fourth bytes is always zero */ + pal_size = color_palette_entries * 4; + color_palette = g_malloc (pal_size); + if (fread (color_palette, pal_size, 1, f) < 1) +@@ -1498,7 +1507,7 @@ read_channel_data (FILE *f, + else + endq = q + line_width * height; + +- buf = g_malloc (127); ++ buf = g_malloc (128); + while (q < endq) + { + fread (&runcount, 1, 1, f); +-- +2.42.0 + |