From ac0f5a1ebada5cd8df1c8e6e52332cfdd4adcb02 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sun, 7 Apr 2024 20:30:23 +0200
Subject: Adding debian version 2.10.34-1+deb12u2.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 .../plug-ins-Additional-fixes-for-DDS-Import.patch | 53 ++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch

(limited to 'debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch')

diff --git a/debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch b/debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch
new file mode 100644
index 0000000..b0b45cc
--- /dev/null
+++ b/debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch
@@ -0,0 +1,53 @@
+From: Alx Sa <cmyk.student@gmail.com>
+Date: Sat, 28 Oct 2023 21:44:51 +0000
+Subject: plug-ins: Additional fixes for DDS Import
+Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/9dda8139e4d07e3a273436eda993fef32555edbe
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44441
+Bug-Debian: https://bugs.debian.org/1055984
+
+@Wormnest noted remaining regressions after 8faad92e.
+The second fread() only runs if the DDSD_PITCH flag is set,
+so the error handling check should also be conditional.
+Additionally, the ZDI-CAN-22093 exploit no longer runs but
+still could cause a plug-in crash. This patch adds an additional
+check to ensure the buffer size was within bounds.
+---
+ plug-ins/file-dds/ddsread.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
+index 74368d04e41a..dcb4449a9f97 100644
+--- a/plug-ins/file-dds/ddsread.c
++++ b/plug-ins/file-dds/ddsread.c
+@@ -928,6 +928,7 @@ load_layer (FILE            *fp,
+   current_position = ftell (fp);
+   fseek (fp, 0L, SEEK_END);
+   file_size = ftell (fp);
++  fseek (fp, 0, SEEK_SET);
+   fseek (fp, current_position, SEEK_SET);
+ 
+   if (width < 1) width = 1;
+@@ -1033,7 +1034,8 @@ load_layer (FILE            *fp,
+         size *= 16;
+     }
+ 
+-  if (size > (file_size - current_position))
++  if (size > (file_size - current_position) ||
++      size > hdr->pitch_or_linsize)
+     {
+       g_message ("Requested data exceeds size of file.\n");
+       return 0;
+@@ -1078,7 +1080,9 @@ load_layer (FILE            *fp,
+             }
+ 
+           current_position = ftell (fp);
+-          if ((width * d->bpp) > (file_size - current_position))
++          if ((hdr->flags & DDSD_PITCH)                          &&
++              ((width * d->bpp) > (file_size - current_position) ||
++               (width * d->bpp) > hdr->pitch_or_linsize))
+             {
+               g_message ("Requested data exceeds size of file.\n");
+               return 0;
+-- 
+2.42.0
+
-- 
cgit v1.2.3