From 96f536a33590bb9811da5b5639e1d6c25aaf2e01 Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Sat, 23 Sep 2023 02:41:57 +0000
Subject: [PATCH] plug-ins: Fix PSP vulnerability (ZDI-CAN-22096)
Resolves #10072.
The current PSP palette loading code does not check if
the file's palette entry count value is below the limit
(G_MAXUINT32 / 4 due to each color being 4 bytes long).
This patch adds this check and stops loading if the count
is larger than GIMP currently supports.
---
plug-ins/common/file-psp.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
index 582a10c300..7c9340ee2b 100644
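--- a/plug-ins/common/file-psp.c
+++ b/plug-ins/common/file-psp.c
@@ -1279,8 +1279,17 @@ read_color_block (FILE *f,
 }
 
 color_palette_entries = GUINT32_FROM_LE (entry_count);
+ /* TODO: GIMP currently only supports a maximum of 256 colors
+ * in an indexed image. If this changes, we can change this check */
+ if (color_palette_entries > 256)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("Error: Unsupported palette size"));
+ return -1;
+ }
+
 /* psp color palette entries are stored as RGBA so 4 bytes per entry
- where the fourth bytes is always zero */
+ * where the fourth bytes is always zero */
 pal_size = color_palette_entries * 4;
 color_palette = g_malloc (pal_size);
 if (fread (color_palette, pal_size, 1, f) < 1)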
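Review bot: The new bound in read_color_block rejects counts above 256 but still accepts an entry count of zero, which leaves pal_size at 0, so g_malloc (0) returns NULL and the following fread is handed a null buffer. Unless an empty palette is valid for the format, rejecting it in the same test, `if (color_palette_entries == 0 || color_palette_entries > 256)`, would report the problem directly instead of relying on the fread result. The upper bound also only catches counts of 0x80000000 and above if color_palette_entries is an unsigned 32-bit variable; its declaration is outside the hunk, so that is worth confirming. The literal 256 would read better as a named constant, which would give the TODO a single place to change. The function starts and ends outside the hunk, so the error branch after fread is not visible here.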
--
2.31.1