From: Alx Sa <cmyk.student@gmail.com>
Date: Sat, 28 Oct 2023 21:44:51 +0000
Subject: plug-ins: Additional fixes for DDS Import
Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/9dda8139e4d07e3a273436eda993fef32555edbe
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44441
Bug-Debian: https://bugs.debian.org/1055984

@Wormnest noted remaining regressions after 8faad92e.
The second fread() only runs if the DDSD_PITCH flag is set,
so the error handling check should also be conditional.
Additionally, the ZDI-CAN-22093 exploit no longer runs but
still could cause a plug-in crash. This patch adds an additional
check to ensure the buffer size was within bounds.
---
 plug-ins/file-dds/ddsread.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
index 74368d04e41a..dcb4449a9f97 100644
--- a/plug-ins/file-dds/ddsread.c
+++ b/plug-ins/file-dds/ddsread.c
@@ -928,6 +928,7 @@ load_layer (FILE            *fp,
   current_position = ftell (fp);
   fseek (fp, 0L, SEEK_END);
   file_size = ftell (fp);
+  fseek (fp, 0, SEEK_SET);
   fseek (fp, current_position, SEEK_SET);
 
   if (width < 1) width = 1;
@@ -1033,7 +1034,8 @@ load_layer (FILE            *fp,
         size *= 16;
     }
 
-  if (size > (file_size - current_position))
+  if (size > (file_size - current_position) ||
+      size > hdr->pitch_or_linsize)
     {
       g_message ("Requested data exceeds size of file.\n");
       return 0;
@@ -1078,7 +1080,9 @@ load_layer (FILE            *fp,
             }
 
           current_position = ftell (fp);
-          if ((width * d->bpp) > (file_size - current_position))
+          if ((hdr->flags & DDSD_PITCH)                          &&
+              ((width * d->bpp) > (file_size - current_position) ||
+               (width * d->bpp) > hdr->pitch_or_linsize))
             {
               g_message ("Requested data exceeds size of file.\n");
               return 0;
-- 
2.42.0