rpms/gimp
7
0
Fork 0
Code Issues Pull Requests Releases Activity
5a848b7509
gimp/SOURCES/gimp-2.10.36-CVE-2023-44441-0001-plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch
eabdullin 5a848b7509 import OL gimp-2.99.8-4.el9_3
2024-02-09 07:51:19 +00:00

64 lines
2.1 KiB
Diff
Raw Blame History

From 1e67a41b5171ab6c852d2b82ad3f3c23393d6326 Mon Sep 17 00:00:00 2001
From: Alx Sa <cmyk.student@gmail.com>
Date: Wed, 7 Feb 2024 12:45:17 +0000
Subject: [PATCH 1/3] plug-ins: Fix DDS vulnerability (ZDI-CAN-22093)
Resolves #10069
Currently, the DDS header information for the width, height, and bytes per scan line
are read in and assumed to be correct. As these values are used for memory allocation
and reading, it would be good to verify they do not exceed the file size.
This patch adds a condition after the header is read in to verify those values. If they exceed
the file size (mins an offset), the file is not read in and an error message is shown.
Modified-by: Alex Burmashev <alexander.burmashev@oracle.com>
Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
---
plug-ins/file-dds/ddsread.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
index 72102d0..add4ba5 100644
--- a/plug-ins/file-dds/ddsread.c
+++ b/plug-ins/file-dds/ddsread.c
@@ -124,6 +124,7 @@ read_dds (GFile *file,
guint l = 0;
guchar *pixels;
FILE *fp;
+ gsize file_size;
dds_header_t hdr;
dds_header_dx10_t dx10hdr;
dds_load_info_t d;
@@ -157,6 +158,10 @@ read_dds (GFile *file,
return GIMP_PDB_EXECUTION_ERROR;
}
+ fseek (fp, 0L, SEEK_END);
+ file_size = ftell (fp);
+ fseek (fp, 0, SEEK_SET);
+
gimp_progress_init_printf ("Loading %s:", gimp_file_get_utf8_name (file));
/* read header */
@@ -207,6 +212,16 @@ read_dds (GFile *file,
}
}
+ /* verify header information is accurate */
+ if (hdr.depth < 1 ||
+ (hdr.pitch_or_linsize > (file_size - sizeof (hdr))) ||
+ (((guint64) hdr.height * hdr.width * hdr.depth) > (file_size - sizeof (hdr))))
+ {
+ fclose (fp);
+ g_message ("Invalid or corrupted DDS header\n");
+ return GIMP_PDB_EXECUTION_ERROR;
+ }
+
if (hdr.pixelfmt.flags & DDPF_FOURCC)
{
/* fourcc is dXt* or rXgb */
--
2.39.3
Reference in New Issue View Git Blame Copy Permalink