From: Alx Sa <cmyk.student@gmail.com>
Date: Sat, 28 Oct 2023 21:44:51 +0000
Subject: plug-ins: Additional fixes for DDS Import
Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/9dda8139e4d07e3a273436eda993fef32555edbe
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44441
Bug-Debian: https://bugs.debian.org/1055984

@Wormnest noted remaining regressions after 8faad92e.
The second fread() only runs if the DDSD_PITCH flag is set,
so the error handling check should also be conditional.
Additionally, the ZDI-CAN-22093 exploit no longer runs but
still could cause a plug-in crash. This patch adds an additional
check to ensure the buffer size was within bounds.
---
 plug-ins/file-dds/ddsread.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
index 74368d04e41a..dcb4449a9f97 100644
--- a/plug-ins/file-dds/ddsread.c
+++ b/plug-ins/file-dds/ddsread.c
@@ -928,6 +928,7 @@ load_layer (FILE            *fp,
   current_position = ftell (fp);
   fseek (fp, 0L, SEEK_END);
   file_size = ftell (fp);
+  fseek (fp, 0, SEEK_SET);
   fseek (fp, current_position, SEEK_SET);
 
   if (width < 1) width = 1;
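Review bot: The added `fseek (fp, 0, SEEK_SET);` is immediately overridden by the existing `fseek (fp, current_position, SEEK_SET);` on the next line, so it has no effect and should be dropped. Neither `ftell` result is checked either: on failure `ftell` returns -1L, which would make `file_size - current_position` meaningless in the size checks this patch relies on later in the function, so a guard after the seek-back such as `if (current_position < 0 || file_size < 0) return 0;` would make those comparisons trustworthy. load_layer's body continues on both sides of the hunk.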
@@ -1033,7 +1034,8 @@ load_layer (FILE            *fp,
         size *= 16;
     }
 
-  if (size > (file_size - current_position))
+  if (size > (file_size - current_position) ||
+      size > hdr->pitch_or_linsize)
     {
       g_message ("Requested data exceeds size of file.\n");
       return 0;
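Review bot: The new `size > hdr->pitch_or_linsize` comparison treats the header field as a total data size, but in the DDS header that field holds the per-row pitch when DDSD_PITCH is set and the linear size only when DDSD_LINEARSIZE is set; for an uncompressed image with more than one row the total `size` exceeds the pitch, so this guard looks likely to reject valid files. Restricting it to `(hdr->flags & DDSD_LINEARSIZE) && size > hdr->pitch_or_linsize` keeps the intended bound for linear-size data while the `file_size - current_position` test still covers the rest. Either way, pitch_or_linsize is itself read from the untrusted header, so the file-size comparison remains the check that actually bounds the read, and a comment saying so would help the next reader. The enclosing load_layer continues outside the hunk.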
@@ -1078,7 +1080,9 @@ load_layer (FILE            *fp,
             }
 
           current_position = ftell (fp);
-          if ((width * d->bpp) > (file_size - current_position))
+          if ((hdr->flags & DDSD_PITCH)                          &&
+              ((width * d->bpp) > (file_size - current_position) ||
+               (width * d->bpp) > hdr->pitch_or_linsize))
             {
               g_message ("Requested data exceeds size of file.\n");
               return 0;
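Review bot: The rewritten guard skips every bound check when DDSD_PITCH is clear, which is only safe because the row-wise `fread` it protects is under the same flag; that `fread` lies outside the hunk, so the coupling is invisible here and deserves a comment such as `/* Per-row read below only runs with DDSD_PITCH; bound it by the remaining file and the header pitch. */`. The `width * d->bpp` product is also computed twice in the condition; hoisting it into a named local before the `if` would make the check easier to read and to keep consistent with the size check earlier in the function. load_layer continues beyond the hunk.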
-- 
2.42.0