From 34cb48d37bdd6837f9bfdd0185bd07ae2b531681 Mon Sep 17 00:00:00 2001
From: Nils Philippsen <nils@redhat.com>
Date: Tue, 14 Jun 2011 16:33:38 +0200
Subject: [PATCH] patch: CVE-2009-3909,CVE-2012-3402
Squashed commit of the following:
commit 540d51972d0c59d8c65e63462d9852f10d5c1fc7
Author: Nils Philippsen <nils@redhat.com>
Date: Tue Jun 14 15:52:39 2011 +0200
psd: harden against integer overflow
commit 01c6aa23ffbe42b66240ef1e67bf0232df45c8c9
Author: Nils Philippsen <nils@redhat.com>
Date: Tue Jun 14 15:51:36 2011 +0200
psd: harden against zero channels
commit 2bb507353390d78efff9737781d8516224acdeb9
Author: Nils Philippsen <nils@redhat.com>
Date: Tue Jun 14 15:50:00 2011 +0200
psd: pass around filename for meaningful error messages
commit ca05e4d951af9fe5b82fc43ec452b2cc2f752df1
Author: Nils Philippsen <nils@redhat.com>
Date: Fri Mar 18 16:12:48 2011 +0100
Harden PSD plugin.
In extract_data_and_channels(), avoid overflowing gsize type in g_malloc() call.
---
 plug-ins/common/psd.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/plug-ins/common/psd.c b/plug-ins/common/psd.c
index ad7d9c6..02c5e52 100644
--- a/plug-ins/common/psd.c
+++ b/plug-ins/common/psd.c
@@ -396,7 +396,7 @@ static glong getglong(FILE *fd, gchar *why);
 static void xfread(FILE *fd, void *buf, long len, gchar *why);
 static void xfread_interlaced(FILE *fd, guchar *buf, long len, gchar *why,
 gint step);
-static void read_whole_file(FILE *fd, const gchar *name);
+static void read_whole_file(FILE *fd, const gchar *filename);
 static void reshuffle_cmap(guchar *map256);
 static gchar* getpascalstring(FILE *fd, gchar *why);
 static gchar* getstring(size_t n, FILE * fd, gchar *why);
@@ -1627,7 +1627,10 @@ void extract_data_and_channels(guchar* src, gint gimpstep, gint psstep,
 "\tand %d auxiliary channels.\n", gimpstep, psstep-gimpstep);
 
 /* gimp doesn't like 0 width/height drawables. */
- if ((width == 0) || (height == 0))
+ /* zero channels (gimpstep) also doesn't make sense. */
+ /* avoid overflowing gsize type in g_malloc() below. */
+ if ((width == 0) || (height == 0) || (gimpstep == 0) ||
+ (gimpstep > G_MAXSIZE / width / height))
 {
 IFDBG printf("(bad channel dimensions -- skipping)");
 return;
@@ -2810,7 +2813,7 @@ xfread_interlaced(FILE* fd, guchar* buf, long len, gchar *why, gint step)
 }
 
 static void
-read_whole_file(FILE * fd, const gchar *filename)
+read_whole_file(FILE * fd, const gchar * filename)
 {
 guint16 w;
 gint32 pos;
@@ -2831,6 +2834,12 @@ read_whole_file(FILE * fd, const gchar *filename)
 gimp_filename_to_utf8 (filename));
 gimp_quit ();
 }
+ if (PSDheader.channels < 1)
+ {
+ g_message ("'%s' has 0 channels, GIMP can't handle that.",
+ gimp_filename_to_utf8 (filename));
+ gimp_quit ();
+ }
 
 PSDheader.rows = getglong(fd, "rows");
 PSDheader.columns = getglong(fd, "columns");
@@ -2846,7 +2855,8 @@ read_whole_file(FILE * fd, const gchar *filename)
 gimp_quit ();
 }
 
- if (PSDheader.rows && PSDheader.columns > (G_MAXUINT / PSDheader.rows))
+ if (PSDheader.rows && PSDheader.channels &&
+ PSDheader.columns > (G_MAXUINT / PSDheader.rows / PSDheader.channels))
 {
 g_message ("'%s' has a larger image size than GIMP can handle.",
 gimp_filename_to_utf8 (filename));
-- 
1.7.10.4
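Review bot: The new guard `gimpstep > G_MAXSIZE / width / height` only protects the value handed to g_malloc() if that size is already computed in gsize; if the call below the hunk multiplies `width * height * gimpstep` with gint operands (not visible here), the product overflows in int before it is widened and this bound will not catch it. Computing the size as `(gsize) width * height * gimpstep` at the call site, or bounding against G_MAXINT when the operands are gint, would close that gap. width and height also appear to be signed here (inferred from the `== 0` comparisons); a negative operand converts to a very large unsigned divisor and so trips the check, which is the intended outcome but deserves a short comment such as `/* negative width/height also end up here via unsigned conversion */`. The body of extract_data_and_channels continues outside the hunk.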
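Review bot: `if (PSDheader.channels < 1)` in the third hunk reads as a signed-range check while the message reports "0 channels"; if PSDheader.channels is a signed field (its type is not visible in the hunk) a negative count also lands here with a misleading message, and if it is unsigned the condition is simply equality with zero. Writing it as `if (PSDheader.channels == 0)` states the intent directly and matches the message text; if negative counts are possible, reject them explicitly with their own message. read_whole_file's body continues outside the hunk.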
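Review bot: The bound `PSDheader.columns > (G_MAXUINT / PSDheader.rows / PSDheader.channels)` in the last hunk uses G_MAXUINT while the matching check added in extract_data_and_channels() (the first hunk) uses G_MAXSIZE for the same kind of rows*columns*channels product; on LP64 builds the two limits differ, so one constant matching the type actually passed to the allocator should be used in both places. rows and columns come from getglong() and are presumably signed (cannot be confirmed from the hunk); on LP64 a negative columns value compares less than the positive quotient and passes this check, so unless the preceding block (outside the hunk) already rejects negative dimensions, a guard like `if (PSDheader.rows < 0 || PSDheader.columns < 0)` with its own g_message/gimp_quit belongs next to it. read_whole_file's body continues outside the hunk.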