diff -up gimp-2.2.13/plug-ins/common/psd.c.psd-validate-size-values gimp-2.2.13/plug-ins/common/psd.c
--- gimp-2.2.13/plug-ins/common/psd.c.psd-validate-size-values 2007-09-10 15:57:33.000000000 +0200
+++ gimp-2.2.13/plug-ins/common/psd.c 2007-09-10 15:57:33.000000000 +0200
@@ -954,6 +954,19 @@ do_layer_record(FILE *fd, guint32 *offse
 layer->width = right - left;
 layer->height = bottom - top;
+ if ((layer->height > GIMP_MAX_IMAGE_SIZE) ||
+ (layer->width > GIMP_MAX_IMAGE_SIZE))
+ {
+ g_message ("Input file has a larger layer size than GIMP can handle.");
+ gimp_quit ();
+ }
+
+ if (layer->height && layer->width > (G_MAXUINT / layer->height))
+ {
+ g_message ("Input file has a larger layer size than GIMP can handle.");
+ gimp_quit ();
+ }
+
 IFDBG printf("\t\t\t\tLayer extents: (%d,%d) -> (%d,%d)\n", left,top,right,bottom);
@@ -1070,6 +1083,19 @@ do_layer_record(FILE *fd, guint32 *offse
 layer->lm_width = right - left;
 layer->lm_height = bottom - top;
+ if ((layer->lm_height > GIMP_MAX_IMAGE_SIZE) ||
+ (layer->lm_width > GIMP_MAX_IMAGE_SIZE))
+ {
+ g_message ("Input file has a larger layer mask size than GIMP can handle.");
+ gimp_quit ();
+ }
+
+ if (layer->height && layer->lm_width > (G_MAXUINT / layer->lm_height))
+ {
+ g_message ("Input file has a larger layer mask size than GIMP can handle.");
+ gimp_quit ();
+ }
+
 getglong(fd, "lmask data throw");
 (*offset) += 4;
@@ -2816,6 +2842,13 @@ read_whole_file(FILE * fd, const gchar *
 gimp_quit ();
 }
+ if (PSDheader.rows && PSDheader.columns > (G_MAXUINT / PSDheader.rows))
+ {
+ g_message ("'%s' has a larger image size than GIMP can handle.",
+ gimp_filename_to_utf8 (filename));
+ gimp_quit ();
+ }
+
 PSDheader.bpp = getgshort(fd, "depth");
 PSDheader.mode = getgshort(fd, "mode");
diff -U0 gimp-2.2.13/ChangeLog.psd-validate-size-values gimp-2.2.13/ChangeLog
--- gimp-2.2.13/ChangeLog.psd-validate-size-values 2007-09-10 15:57:33.000000000 +0200
+++ gimp-2.2.13/ChangeLog 2007-09-10 15:57:33.000000000 +0200
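Review bot: `layer->width = right - left` and `layer->height = bottom - top` are computed from file-supplied coordinates before any ordering check, so a record with `right < left` or `bottom < top` reaches the new size tests as a wrapped or negative value. If these fields are signed (their declaration is outside the hunk), a negative width is not caught by `layer->width > GIMP_MAX_IMAGE_SIZE`. I would reject such records before the subtraction with `if (right < left || bottom < top)` followed by the same `g_message`/`gimp_quit ()` pair. The same applies to `lm_width`/`lm_height` in the second hunk. do_layer_record starts and ends outside this hunk.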
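Review bot: The second added test in the layer-mask hunk guards the division with `layer->height` but divides by `layer->lm_height`. A mask record with `lm_height == 0` inside a layer of non-zero height therefore divides by zero, and a layer with `height == 0` skips the mask overflow check entirely. This looks like a copy-paste slip from the layer check in the first hunk; the condition should read `if (layer->lm_height && layer->lm_width > (G_MAXUINT / layer->lm_height))`. The enclosing do_layer_record body extends beyond the hunk on both sides.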
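Review bot: The test added in read_whole_file bounds only `PSDheader.rows * PSDheader.columns` against `G_MAXUINT`, and it runs before `bpp` and `mode` are read on the lines that follow. Any later buffer size that also multiplies by a channel count or bytes per sample (not visible in this hunk) could still wrap, and the same limit holds for the layer checks in the first two hunks. I would compute allocation sizes in `gsize` and check them at the allocation site, or tighten this bound once depth and channels are known. At minimum, a comment such as `/* guards rows * columns only; channel and depth factors are not covered here */` would record what the check does and does not guarantee. read_whole_file continues outside the hunk.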
@@ -0,0 +1,7 @@
+2007-07-06 Sven Neumann <sven@gimp.org>
+
+ Merged from trunk (patch written by Mukund):
+
+ * plug-ins/common/psd.c: validate size values read from files
+ before using them to allocate memory.
+