101 lines
3.2 KiB
Diff
101 lines
3.2 KiB
Diff
From bd6e7854b7b679444af685fab06dbb6559f3d720 Mon Sep 17 00:00:00 2001
|
|
From: Alx Sa <cmyk.student@gmail.com>
|
|
Date: Wed, 7 Feb 2024 12:47:12 +0000
|
|
Subject: [PATCH 2/3] plug-ins: Fix DDS import regression from 7db71cd0
|
|
|
|
@Wormnest pointed out that compressed files are likely smaller than
|
|
width * height * bps, so our check to prevent ZDI-CAN-22093
|
|
also caught valid files.
|
|
The size check is removed from load_image () and moved to load_layer ()
|
|
before the two fread() functions, as we know exactly how much we'll
|
|
try to read at that point.
|
|
(Backport of 8faad92e)
|
|
|
|
Modified-by: Alex Burmashev <alexander.burmashev@oracle.com>
|
|
Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com>
|
|
---
|
|
plug-ins/file-dds/ddsread.c | 39 +++++++++++++++++++++++++++----------
|
|
1 file changed, 29 insertions(+), 10 deletions(-)
|
|
|
|
diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
|
|
index add4ba5..b19d32e 100644
|
|
--- a/plug-ins/file-dds/ddsread.c
|
|
+++ b/plug-ins/file-dds/ddsread.c
|
|
@@ -212,16 +212,6 @@ read_dds (GFile *file,
|
|
}
|
|
}
|
|
|
|
- /* verify header information is accurate */
|
|
- if (hdr.depth < 1 ||
|
|
- (hdr.pitch_or_linsize > (file_size - sizeof (hdr))) ||
|
|
- (((guint64) hdr.height * hdr.width * hdr.depth) > (file_size - sizeof (hdr))))
|
|
- {
|
|
- fclose (fp);
|
|
- g_message ("Invalid or corrupted DDS header\n");
|
|
- return GIMP_PDB_EXECUTION_ERROR;
|
|
- }
|
|
-
|
|
if (hdr.pixelfmt.flags & DDPF_FOURCC)
|
|
{
|
|
/* fourcc is dXt* or rXgb */
|
|
@@ -332,6 +322,15 @@ read_dds (GFile *file,
|
|
precision = GIMP_PRECISION_U8_NON_LINEAR;
|
|
}
|
|
|
|
+ /* verify header information is accurate */
|
|
+ if (d.bpp < 1 ||
|
|
+ (hdr.pitch_or_linsize > (file_size - sizeof (hdr))))
|
|
+ {
|
|
+ fclose (fp);
|
|
+ g_message ("Invalid or corrupted DDS header\n");
|
|
+ return GIMP_PDB_EXECUTION_ERROR;
|
|
+ }
|
|
+
|
|
image = gimp_image_new_with_precision (hdr.width, hdr.height, type, precision);
|
|
|
|
if (! image)
|
|
@@ -1000,6 +999,13 @@ load_layer (FILE *fp,
|
|
guint size = hdr->pitch_or_linsize >> (2 * level);
|
|
guint layerw;
|
|
gint format = DDS_COMPRESS_NONE;
|
|
+ gsize file_size;
|
|
+ gsize current_position;
|
|
+
|
|
+ current_position = ftell (fp);
|
|
+ fseek (fp, 0L, SEEK_END);
|
|
+ file_size = ftell (fp);
|
|
+ fseek (fp, current_position, SEEK_SET);
|
|
|
|
if (width < 1) width = 1;
|
|
if (height < 1) height = 1;
|
|
@@ -1097,6 +1103,12 @@ load_layer (FILE *fp,
|
|
size *= 16;
|
|
}
|
|
|
|
+ if (size > (file_size - current_position))
|
|
+ {
|
|
+ g_message ("Requested data exceeds size of file.\n");
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
if ((hdr->flags & DDSD_LINEARSIZE) &&
|
|
!fread (buf, size, 1, fp))
|
|
{
|
|
@@ -1136,6 +1148,13 @@ load_layer (FILE *fp,
|
|
gimp_progress_update ((double) y / (double) hdr->height);
|
|
}
|
|
|
|
+ current_position = ftell (fp);
|
|
+ if ((width * d->bpp) > (file_size - current_position))
|
|
+ {
|
|
+ g_message ("Requested data exceeds size of file.\n");
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
if ((hdr->flags & DDSD_PITCH) &&
|
|
! fread (buf, width * d->bpp, 1, fp))
|
|
{
|
|
--
|
|
2.39.3
|
|
|