procyberian/gimp
2
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/gimp.git synced 2025-07-04 01:43:24 +00:00
Code Issues 1 Projects 1 Releases Packages Wiki Activity Actions

app/xcf: fix #12980 protection against invalid xcf offset

Browse source
This commit is contained in:
Jacob Boerema 2025-02-26 20:30:05 +00:00
parent 63e6065197
commit eae1d5f9b6
2 changed files with 43 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

49
app/xcf/xcf-load.c
View file

@ -604,7 +604,12 @@ xcf_load_image (Gimp *gimp,
GList *item_path = NULL; GList *item_path = NULL;
/* read in the offset of the next layer */ /* read in the offset of the next layer */
xcf_read_offset (info, &offset, 1); if (xcf_read_offset (info, &offset, 1) < info->bytes_per_offset)
{
GIMP_LOG (XCF, "Failed to read layer offset"
" at offset: %" G_GOFFSET_FORMAT, info->cp);
break;
}
/* if the offset is 0 then we are at the end /* if the offset is 0 then we are at the end
* of the layer list. * of the layer list.
@ -751,7 +756,12 @@ xcf_load_image (Gimp *gimp,
GimpChannel *channel; GimpChannel *channel;
/* read in the offset of the next channel */ /* read in the offset of the next channel */
xcf_read_offset (info, &offset, 1); if (xcf_read_offset (info, &offset, 1) < info->bytes_per_offset)
{
GIMP_LOG (XCF, "Failed to read channel offset"
" at offset: %" G_GOFFSET_FORMAT, info->cp);
break;
}
/* if the offset is 0 then we are at the end /* if the offset is 0 then we are at the end
* of the channel list. * of the channel list.
@ -831,7 +841,12 @@ xcf_load_image (Gimp *gimp,
GimpPath *vectors; GimpPath *vectors;
/* read in the offset of the next path */ /* read in the offset of the next path */
xcf_read_offset (info, &offset, 1); if (xcf_read_offset (info, &offset, 1) < info->bytes_per_offset)
{
GIMP_LOG (XCF, "Failed to read path offset"
" at offset: %" G_GOFFSET_FORMAT, info->cp);
break;
}
/* if the offset is 0 then we are at the end /* if the offset is 0 then we are at the end
* of the path list. * of the path list.
@ -3280,7 +3295,12 @@ xcf_load_layer (XcfInfo *info,
goto error; goto error;
/* read in the offset of the next effect */ /* read in the offset of the next effect */
xcf_read_offset (info, &effects_offset, 1); if (xcf_read_offset (info, &effects_offset, 1) < info->bytes_per_offset)
{
GIMP_LOG (XCF, "Failed to read effects offset"
" at offset: %" G_GOFFSET_FORMAT, info->cp);
break;
}
} }
if (filter_count > 0) if (filter_count > 0)
@ -3893,7 +3913,12 @@ xcf_load_level (XcfInfo *info,
* if it is '0', then this tile level is empty * if it is '0', then this tile level is empty
* and we can simply return. * and we can simply return.
*/ */
xcf_read_offset (info, &offset, 1); if (xcf_read_offset (info, &offset, 1) < info->bytes_per_offset)
{
GIMP_LOG (XCF, "Failed to read tile offset"
" at offset: %" G_GOFFSET_FORMAT, info->cp);
return FALSE;
}
if (offset == 0) if (offset == 0)
return TRUE; return TRUE;
@ -3923,7 +3948,12 @@ xcf_load_level (XcfInfo *info,
/* read in the offset of the next tile so we can calculate the amount /* read in the offset of the next tile so we can calculate the amount
* of data needed for this tile * of data needed for this tile
*/ */
xcf_read_offset (info, &offset2, 1); if (xcf_read_offset (info, &offset2, 1) < info->bytes_per_offset)
{
GIMP_LOG (XCF, "Failed to read tile offset"
" at offset: %" G_GOFFSET_FORMAT, info->cp);
return FALSE;
}
/* if the offset is 0 then we need to read in the maximum possible /* if the offset is 0 then we need to read in the maximum possible
* allowing for negative compression * allowing for negative compression
@ -3992,7 +4022,12 @@ xcf_load_level (XcfInfo *info,
return FALSE; return FALSE;
/* read in the offset of the next tile */ /* read in the offset of the next tile */
xcf_read_offset (info, &offset, 1); if (xcf_read_offset (info, &offset, 1) < info->bytes_per_offset)
{
GIMP_LOG (XCF, "Failed to read tile offset"
" at offset: %" G_GOFFSET_FORMAT, info->cp);
return FALSE;
}
} }
if (offset != 0) if (offset != 0)

1
app/xcf/xcf-read.c
View file

@ -123,6 +123,7 @@ xcf_read_offset (XcfInfo *info,
{ {
guint total = 0; guint total = 0;
*data = 0;
if (count > 0) if (count > 0)
{ {
if (info->bytes_per_offset == 4) if (info->bytes_per_offset == 4)