plug-ins/dds: fix #12790 for 32-bit

On 32-bit systems the computed linear size can overflow, causing a
crash.
Use a function that checks for overflow when multiplying and return
an error if that fails.
As extra security also update the loop to compute the base offset after
each line of data, and convert to gsize first when computing the
size for g_malloc and memset.
Jacob Boerema 2025-06-12 13:23:59 -04:00
parent 693a6c5938
commit c17b324910


@ -391,7 +391,15 @@ read_dds (GFile *file,
load_info.pitch *= 16;
}
load_info.linear_size = MAX (1, (hdr.height + 3) >> 2) * load_info.pitch;
if (! g_size_checked_mul (&load_info.linear_size,
MAX (1, (hdr.height + 3) >> 2),
load_info.pitch))
{
fclose (fp);
g_set_error (error, GIMP_PLUG_IN_ERROR, 0,
_("Image size is too big to handle."));
return GIMP_PDB_EXECUTION_ERROR;
}
if (load_info.linear_size != hdr.pitch_or_linsize)
{
@ -1433,18 +1441,22 @@ load_layer (FILE *fp,
{
guchar *dst;
dst = g_malloc (width * height * load_info->gimp_bpp);
memset (dst, 0, width * height * load_info->gimp_bpp);
dst = g_malloc ((gsize) width * height * load_info->gimp_bpp);
memset (dst, 0, (gsize) width * height * load_info->gimp_bpp);
/* Initialize alpha to all 1s instead of all 0s */
if (load_info->gimp_bpp == 4)
{
guchar *dst_line;
dst_line = dst;
for (y = 0; y < height; ++y)
{
for (x = 0; x < width; ++x)
{
dst[y * (width * 4) + (x * 4) + 3] = 255;
dst_line[(x * 4) + 3] = 255;
}
dst_line += width * 4;
}
}
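Review bot: In the second hunk (load_layer) the `(gsize)` cast widens nothing on the 32-bit builds this commit targets, because gsize is 32 bits there, so `width * height * load_info->gimp_bpp` can still wrap and g_malloc would then return a buffer smaller than the one the alpha loop fills. Since width and height presumably come from the file header, the size should be computed with `g_size_checked_mul`, as the first hunk already does for `linear_size`, and the allocation should fail cleanly instead of aborting the plug-in. `dst_line += width * 4` carries the same wrap risk if width is a 32-bit type, which the hunk does not show. load_layer starts and ends outside the hunk, so the error return in the sketch below is left as a comment to be matched to the function's other failure paths.

```c
guchar *dst;
gsize   dst_size;

if (! g_size_checked_mul (&dst_size, width, height) ||
    ! g_size_checked_mul (&dst_size, dst_size, load_info->gimp_bpp))
  {
    /* … fail the load here, the way load_layer's other error paths do … */
  }
/* zero-filled, and returns NULL instead of aborting on an oversized request */
dst = g_try_malloc0 (dst_size);
if (dst == NULL)
  {
    /* … same failure path … */
  }
/* … unchanged: alpha initialisation loop … */
```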