--- gimp-2.2.13/plug-ins/common/pcx.c.pcx-validate-bytesperline 2007-09-17 12:58:24.560120000 -0400
+++ gimp-2.2.13/plug-ins/common/pcx.c 2007-09-17 13:29:33.079263000 -0400
@@ -327,7 +327,7 @@
 GimpDrawable *drawable;
 GimpPixelRgn pixel_rgn;
 gchar *message;
- guint16 offset_x, offset_y;
+ guint16 offset_x, offset_y, bytesperline;
 gint32 height, width;
 gint32 image, layer;
 guchar *dest, cmap[768];
@@ -366,6 +366,7 @@
 offset_y = GUINT16_FROM_LE (pcx_header.y1);
 width = GUINT16_FROM_LE (pcx_header.x2) - offset_x + 1;
 height = GUINT16_FROM_LE (pcx_header.y2) - offset_y + 1;
+ bytesperline = GUINT16_FROM_LE (pcx_header.bytesperline);
 
 if ((width < 0) || (width > GIMP_MAX_IMAGE_SIZE))
 {
@@ -377,6 +378,11 @@
 g_message (_("Unsupported or invalid image height: %d"), height);
 return -1;
 }
+ if (bytesperline < width)
+ {
+ g_message (_("Invalid number of bytes per line in PCX header (%d < %d)"), bytesperline, width);
+ return -1;
+ }
 
 if (pcx_header.planes == 3 && pcx_header.bpp == 8)
 {
@@ -398,22 +404,19 @@
 if (pcx_header.planes == 1 && pcx_header.bpp == 1)
 {
 dest = (guchar *) g_malloc (width * height);
- load_1 (fd, width, height, dest,
- GUINT16_FROM_LE (pcx_header.bytesperline));
+ load_1 (fd, width, height, dest, bytesperline);
 gimp_image_set_colormap (image, mono, 2);
 }
 else if (pcx_header.planes == 4 && pcx_header.bpp == 1)
 {
 dest = (guchar *) g_malloc (width * height);
- load_4 (fd, width, height, dest,
- GUINT16_FROM_LE (pcx_header.bytesperline));
+ load_4 (fd, width, height, dest, bytesperline);
 gimp_image_set_colormap (image, pcx_header.colormap, 16);
 }
 else if (pcx_header.planes == 1 && pcx_header.bpp == 8)
 {
 dest = (guchar *) g_malloc (width * height);
- load_8 (fd, width, height, dest,
- GUINT16_FROM_LE (pcx_header.bytesperline));
+ load_8 (fd, width, height, dest, bytesperline);
 fseek (fd, -768L, SEEK_END);
 fread (cmap, 768, 1, fd);
 gimp_image_set_colormap (image, cmap, 256);
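Review bot: The new guard `if (bytesperline < width)` in the hunk at -377 compares a byte count with a pixel count, which is the right bound only for the 8-bit paths. For the two `pcx_header.bpp == 1` branches further down (load_1 and load_4), a well-formed file packs eight pixels into each byte of a plane, so its bytesperline is normally about width / 8 and the file would now be rejected. Scaling the bound by depth keeps the protection without that regression: `if (bytesperline < (width * pcx_header.bpp + 7) / 8)`. The load_* bodies are outside this diff, so confirm that each of them reads no more than that many bytes from its line buffer.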
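Review bot: The allocation sizes next to the changed calls, `g_malloc (width * height)` in the hunk at -398 and `g_malloc (width * height * 3)` in the hunk at -421, are still computed in gint32 and can overflow. width and height each come from the difference of two 16-bit header fields plus one, so each can reach 65536, and the per-dimension GIMP_MAX_IMAGE_SIZE checks do not by themselves bound the product; a wrapped size yields a buffer smaller than what load_* is told to fill. A combined check beside the width/height validation would close this: `if (width > 0 && (gsize) height > G_MAXSIZE / 3 / (gsize) width) return -1;`, with the products then written as `(gsize) width * height`. The rest of load_image is outside the hunk, so place the check where an early return leaks nothing.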
@@ -421,8 +424,7 @@
 else if (pcx_header.planes == 3 && pcx_header.bpp == 8)
 {
 dest = (guchar *) g_malloc (width * height * 3);
- load_24 (fd, width, height, dest,
- GUINT16_FROM_LE (pcx_header.bytesperline));
+ load_24 (fd, width, height, dest, bytesperline);
 }
 else
 {
--- gimp-2.2.13/ChangeLog.pcx-validate-bytesperline 2007-09-17 12:58:24.532145000 -0400
+++ gimp-2.2.13/ChangeLog 2007-09-17 12:59:57.828293000 -0400
@@ -0,0 +1,6 @@
+2007-09-17 Nils Philippsen <nphilipp@redhat.com>
+
+ * plug-ins/common/pcx.c (load_image): verify that the bytesperline header
+ field (number of bytes to allocate per plane and line) isn't less than the
+ width of the image
+