From 6d7aa0fd52d4d48e09e3c2fb3fb39b55cd35e0ea Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Sat, 28 Oct 2023 21:44:51 +0000
Subject: [PATCH 3/3] plug-ins: Additional fixes for DDS Import
|
@Wormnest noted remaining regressions after 8faad92e.
The second fread() only runs if the DDSD_PITCH flag is set,
so the error handling check should also be conditional.
Additionally, the ZDI-CAN-22093 exploit no longer runs but
still could cause a plug-in crash. This patch adds an additional
check to ensure the buffer size was within bounds.
|
Modified-by: Alex Burmashev <alexander.burmashev@oracle.com>
Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
---
plug-ins/file-dds/ddsread.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
|
diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
index b19d32e..21eeb56 100644
--- a/plug-ins/file-dds/ddsread.c
+++ b/plug-ins/file-dds/ddsread.c
@@ -1005,6 +1005,7 @@ load_layer (FILE *fp,
current_position = ftell (fp);
fseek (fp, 0L, SEEK_END);
file_size = ftell (fp);
+ fseek (fp, 0, SEEK_SET);
fseek (fp, current_position, SEEK_SET);
|
if (width < 1) width = 1;
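Review bot: The added `fseek (fp, 0, SEEK_SET);` is immediately superseded by the existing `fseek (fp, current_position, SEEK_SET);` on the next line, so it has no observable effect and can be dropped. The more relevant gap in this probe is that neither `ftell` result is checked: `ftell` returns -1 on failure, and `file_size - current_position` is then a negative or meaningless bound that the size checks in the two later hunks (`size > (file_size - current_position)` and `(width * d->bpp) > (file_size - current_position)`) rely on; if `size` or the row size is an unsigned type, which is not visible here, the negative bound converts to a huge value and the check passes. A guard after the seeks, `if (current_position < 0 || file_size < 0) return 0;` with the usual g_message, would make the later bounds trustworthy. load_layer begins outside the hunk.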
@@ -1103,7 +1104,8 @@ load_layer (FILE *fp,
size *= 16;
}
|
- if (size > (file_size - current_position))
+ if (size > (file_size - current_position) ||
+ size > hdr->pitch_or_linsize)
{
g_message ("Requested data exceeds size of file.\n");
return 0;
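Review bot: The new `size > hdr->pitch_or_linsize` comparison bounds `size` against a field taken from the same untrusted header, so it only rejects files whose header understates the payload; it does not by itself establish that `size` fits the destination buffer the data is read into, which is presumably the property the crash report concerns, and that bound should be asserted against the actual allocation (outside this hunk) if it is not already. The comparison is also unconditional, whereas the third hunk gates its equivalent on `hdr->flags & DDSD_PITCH`; in the DDS header this field only carries the linear size when DDSD_LINEARSIZE is set, so a file that leaves it zero would now be rejected with "Requested data exceeds size of file." — worth confirming against the regressions the commit message mentions. Gating it the same way, `(hdr->flags & DDSD_LINEARSIZE) && size > hdr->pitch_or_linsize`, would keep the two checks consistent. load_layer begins and ends outside the hunk.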
@@ -1149,7 +1151,9 @@ load_layer (FILE *fp,
}
|
current_position = ftell (fp);
- if ((width * d->bpp) > (file_size - current_position))
+ if ((hdr->flags & DDSD_PITCH) &&
+ ((width * d->bpp) > (file_size - current_position) ||
+ (width * d->bpp) > hdr->pitch_or_linsize))
{
g_message ("Requested data exceeds size of file.\n");
return 0;
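Review bot: `width * d->bpp` is evaluated twice in the new condition in whatever type `width` has, and `width` comes from the file header with only a lower clamp visible (`if (width < 1) width = 1;` in the first hunk), so a large header width could overflow the product before either comparison runs, depending on the declared types, which are not visible here. Computing the row size once in a wide unsigned type, e.g. `guint64 row_bytes = (guint64) width * d->bpp;`, and comparing that against both bounds would remove the overflow risk and the duplicated expression. The log text "Requested data exceeds size of file." is now also emitted when the row exceeds `hdr->pitch_or_linsize` rather than the file, which makes the two failure causes indistinguishable in the message. load_layer begins and ends outside the hunk.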
--
2.39.3