Description: xcf: check for some potential integer overflows. Origin: upstream, https://hg.libsdl.org/SDL_image/rev/fb643e371806 --- a/IMG_xcf.c +++ b/IMG_xcf.c @@ -555,6 +555,18 @@ static int do_layer_surface (SDL_Surface * surface, SDL_RWops * src, xcf_header SDL_RWseek (src, layer->hierarchy_file_offset, RW_SEEK_SET); hierarchy = read_xcf_hierarchy (src); + if (hierarchy->bpp > 4) { /* unsupported. */ + fprintf(stderr, "Unknown Gimp image bpp (%u)\n", (unsigned int) hierarchy->bpp); + free_xcf_hierarchy(hierarchy); + return 1; + } + + if ((hierarchy->width > 20000) || (hierarchy->height > 20000)) { /* arbitrary limit to avoid integer overflow. */ + fprintf(stderr, "Gimp image too large (%ux%u)\n", (unsigned int) hierarchy->width, (unsigned int) hierarchy->height); + free_xcf_hierarchy(hierarchy); + return 1; + } + level = NULL; for (i = 0; hierarchy->level_file_offsets [i]; i++) { SDL_RWseek (src, hierarchy->level_file_offsets [i], RW_SEEK_SET);