summaryrefslogtreecommitdiff
path: root/graphics/gimp/patches/patch-ad
diff options
context:
space:
mode:
Diffstat (limited to 'graphics/gimp/patches/patch-ad')
-rw-r--r--graphics/gimp/patches/patch-ad33
1 files changed, 33 insertions, 0 deletions
diff --git a/graphics/gimp/patches/patch-ad b/graphics/gimp/patches/patch-ad
new file mode 100644
index 00000000000..e3783a601ec
--- /dev/null
+++ b/graphics/gimp/patches/patch-ad
@@ -0,0 +1,33 @@
+$NetBSD: patch-ad,v 1.6 2009/11/13 17:29:51 drochner Exp $
+
+--- plug-ins/file-bmp/bmp-read.c.orig 2009-08-03 22:17:25.000000000 +0200
++++ plug-ins/file-bmp/bmp-read.c
+@@ -424,7 +424,8 @@ ReadBMP (const gchar *name,
+ return -1;
+ }
+
+- if (Bitmap_Head.biWidth < 0)
++ if (Bitmap_Head.biWidth < 0 ||
++ ABS (Bitmap_Head.biHeight) < 0)
+ {
+ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
+ _("'%s' is not a valid BMP file"),
+@@ -448,6 +449,18 @@ ReadBMP (const gchar *name,
+ return -1;
+ }
+
++ /* protect against integer overflows caused by malicious BMPs */
++
++ if (((guint64) Bitmap_Head.biWidth) * Bitmap_Head.biBitCnt > G_MAXINT32 ||
++ ((guint64) Bitmap_Head.biWidth) * ABS (Bitmap_Head.biHeight) > G_MAXINT32 ||
++ ((guint64) Bitmap_Head.biWidth) * ABS (Bitmap_Head.biHeight) * 4 > G_MAXINT32)
++ {
++ g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
++ _("'%s' is not a valid BMP file"),
++ gimp_filename_to_utf8 (filename));
++ return -1;
++ }
++
+ /* Windows and OS/2 declare filler so that rows are a multiple of
+ * word length (32 bits == 4 bytes)
+ */
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-20 07:33:54 +0000