blob: 17bebe9e5fe8f80bf8421a3221196ec92449eaad (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
|
From 32ae0f83e5748299641cceaabe3f80f1b3afd03e Mon Sep 17 00:00:00 2001
From: Nils Philippsen <nils@redhat.com>
Date: Thu, 14 Nov 2013 13:29:01 +0000
Subject: file-xwd: sanity check colormap size (CVE-2013-1913)
---
diff --git a/plug-ins/common/file-xwd.c b/plug-ins/common/file-xwd.c
index c8e1a6e..343129a 100644
--- a/plug-ins/common/file-xwd.c
+++ b/plug-ins/common/file-xwd.c
@@ -466,6 +466,17 @@ load_image (const gchar *filename,
/* Position to start of XWDColor structures */
fseek (ifp, (long)xwdhdr.l_header_size, SEEK_SET);
+ /* Guard against insanely huge color maps -- gimp_image_set_colormap() only
+ * accepts colormaps with 0..256 colors anyway. */
+ if (xwdhdr.l_colormap_entries > 256)
+ {
+ g_message (_("'%s':\nIllegal number of colormap entries: %ld"),
+ gimp_filename_to_utf8 (filename),
+ (long)xwdhdr.l_colormap_entries);
+ fclose (ifp);
+ return -1;
+ }
+
if (xwdhdr.l_colormap_entries > 0)
{
xwdcolmap = g_new (L_XWDCOLOR, xwdhdr.l_colormap_entries);
--
cgit v0.9.2
|
