mirror of
https://gitlab.gnome.org/GNOME/gimp.git
synced 2025-07-03 09:23:24 +00:00
548bc3a46d
As reported by Seungho Kim our despeckle filter doesn't check for integer overflow when allocating buffers, nor do we check for failed allocations. A potential integer overflow vulnerability exists in the GIMP "Despeckle" plug-in. The issue occurs due to unchecked multiplication of image dimensions (width, height) and bytes-per-pixel (img_bpp), which can result in allocating insufficient memory and subsequently performing out-of-bounds writes. This could lead to heap corruption and potential denial-of-service (DoS) or arbitrary code execution in certain scenarios. Vulnerability Details •width and height are of type guint (signed 32-bit int). •Multiplying width * height * img_bpp can result in a value exceeding the bounds of gsize. •g_new() does not perform overflow protection; if the size wraps around, less memory than needed will be allocated. •Subsequent pixel processing loops write beyond the allocated memory region (src, dst). Proof of Concept (PoC) Open a specially crafted image with very large dimensions (e.g., 70,000 x 70,000 pixels) and apply the Despeckle filter. GIMP may crash due to heap corruption, or undefined behavior may occur. We applied the suggested changes and in addition adjusted the despeckle function to be able to set error messages, and check for NULL allocations. |
||
|---|---|---|
| .. | ||
| common | ||
| file-bmp | ||
| file-dds | ||
| file-exr | ||
| file-faxg3 | ||
| file-fits | ||
| file-fli | ||
| file-icns | ||
| file-ico | ||
| file-jpeg | ||
| file-psd | ||
| file-raw | ||
| file-sgi | ||
| file-tiff | ||
| file-webp | ||
| flame | ||
| fractal-explorer | ||
| gfig | ||
| gimpressionist | ||
| gradient-flare | ||
| help | ||
| help-browser | ||
| ifs-compose | ||
| imagemap | ||
| lighting | ||
| map-object | ||
| metadata | ||
| pagecurl | ||
| python | ||
| screenshot | ||
| script-fu | ||
| selection-to-path | ||
| twain | ||
| meson.build | ||