Sophie: gimp-2:2.2.13-2.0.10.el5 src

gimp-2.2.13-2.0.10.el5.src.rpm

diff -up gimp-2.2.13/plug-ins/common/psd.c.psd-validate-size-values gimp-2.2.13/plug-ins/common/psd.c
--- gimp-2.2.13/plug-ins/common/psd.c.psd-validate-size-values	2007-09-10 15:57:33.000000000 +0200
+++ gimp-2.2.13/plug-ins/common/psd.c	2007-09-10 15:57:33.000000000 +0200
@@ -954,6 +954,19 @@ do_layer_record(FILE *fd, guint32 *offse
   layer->width = right - left;
   layer->height = bottom - top;
 
+  if ((layer->height > GIMP_MAX_IMAGE_SIZE) ||
+      (layer->width > GIMP_MAX_IMAGE_SIZE))
+    {
+      g_message ("Input file has a larger layer size than GIMP can handle.");
+      gimp_quit ();
+    }
+
+  if (layer->height && layer->width > (G_MAXUINT / layer->height))
+    {
+      g_message ("Input file has a larger layer size than GIMP can handle.");
+      gimp_quit ();
+    }
+
   IFDBG printf("\t\t\t\tLayer extents: (%d,%d) -> (%d,%d)\n",
 	       left,top,right,bottom);
 
@@ -1070,6 +1083,19 @@ do_layer_record(FILE *fd, guint32 *offse
       layer->lm_width = right - left;
       layer->lm_height = bottom - top;
 
+      if ((layer->lm_height > GIMP_MAX_IMAGE_SIZE) ||
+          (layer->lm_width > GIMP_MAX_IMAGE_SIZE))
+        {
+          g_message ("Input file has a larger layer mask size than GIMP can handle.");
+          gimp_quit ();
+        }
+
+      if (layer->height && layer->lm_width > (G_MAXUINT / layer->lm_height))
+        {
+          g_message ("Input file has a larger layer mask size than GIMP can handle.");
+          gimp_quit ();
+        }
+
       getglong(fd, "lmask data throw");
       (*offset) += 4;
 
@@ -2816,6 +2842,13 @@ read_whole_file(FILE * fd, const gchar *
         gimp_quit ();
       }
 
+    if (PSDheader.rows && PSDheader.columns > (G_MAXUINT / PSDheader.rows))
+      {
+        g_message ("'%s' has a larger image size than GIMP can handle.",
+                   gimp_filename_to_utf8 (filename));
+        gimp_quit ();
+      }
+
     PSDheader.bpp = getgshort(fd, "depth");
     PSDheader.mode = getgshort(fd, "mode");
 
diff -U0 gimp-2.2.13/ChangeLog.psd-validate-size-values gimp-2.2.13/ChangeLog
--- gimp-2.2.13/ChangeLog.psd-validate-size-values	2007-09-10 15:57:33.000000000 +0200
+++ gimp-2.2.13/ChangeLog	2007-09-10 15:57:33.000000000 +0200
@@ -0,0 +1,7 @@
+2007-07-06  Sven Neumann  <sven@gimp.org>
+
+	Merged from trunk (patch written by Mukund):
+
+	* plug-ins/common/psd.c: validate size values read from files
+	before using them to allocate memory.
+