From 23f685931e5f000dd033a45c60c1e60d7f78caf4 Mon Sep 17 00:00:00 2001
From: Nils Philippsen <nils@redhat.com>
Date: Tue, 26 Nov 2013 09:49:42 +0000
Subject: file-xwd: sanity check # of colors and map entries (CVE-2013-1978)
The number of colors in an image shouldn't be higher than the number of
colormap entries. Additionally, consolidate post error cleanup in
load_image().
---
diff --git a/plug-ins/common/file-xwd.c b/plug-ins/common/file-xwd.c
index 343129a..4df9ce8 100644
--- a/plug-ins/common/file-xwd.c
+++ b/plug-ins/common/file-xwd.c
@@ -429,9 +429,9 @@ static gint32
load_image (const gchar *filename,
GError **error)
{
- FILE *ifp;
+ FILE *ifp = NULL;
gint depth, bpp;
- gint32 image_ID;
+ gint32 image_ID = -1;
L_XWDFILEHEADER xwdhdr;
L_XWDCOLOR *xwdcolmap = NULL;
@@ -441,7 +441,7 @@ load_image (const gchar *filename,
g_set_error (error, G_FILE_ERROR, g_file_error_from_errno (errno),
_("Could not open '%s' for reading: %s"),
gimp_filename_to_utf8 (filename), g_strerror (errno));
- return -1;
+ goto out;
}
read_xwd_header (ifp, &xwdhdr);
@@ -450,8 +450,7 @@ load_image (const gchar *filename,
g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
_("Could not read XWD header from '%s'"),
gimp_filename_to_utf8 (filename));
- fclose (ifp);
- return -1;
+ goto out;
}
#ifdef XWD_COL_WAIT_DEBUG
@@ -473,12 +472,18 @@ load_image (const gchar *filename,
g_message (_("'%s':\nIllegal number of colormap entries: %ld"),
gimp_filename_to_utf8 (filename),
(long)xwdhdr.l_colormap_entries);
- fclose (ifp);
- return -1;
+ goto out;
}
if (xwdhdr.l_colormap_entries > 0)
{
+ if (xwdhdr.l_colormap_entries < xwdhdr.l_ncolors)
+ {
+ g_message (_("'%s':\nNumber of colormap entries < number of colors"),
+ gimp_filename_to_utf8 (filename));
+ goto out;
+ }
+
xwdcolmap = g_new (L_XWDCOLOR, xwdhdr.l_colormap_entries);
read_xwd_cols (ifp, &xwdhdr, xwdcolmap);
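Review bot: The new `l_colormap_entries < l_ncolors` comparison only runs inside the `if (xwdhdr.l_colormap_entries > 0)` branch, so a header with zero colormap entries and a non-zero `l_ncolors` is not rejected here. Whether later code in load_image() or its loaders still walks `l_ncolors` entries with `xwdcolmap == NULL` is not visible in this hunk, so confirm that, or hoist the comparison above the branch. The check also deserves a one-line reason next to it, e.g. `/* the color reader is sized by l_colormap_entries; never accept more colors than entries */`, worded to match what read_xwd_cols() really iterates over. The body of load_image() starts and continues outside this hunk.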
@@ -498,9 +503,7 @@ load_image (const gchar *filename,
if (xwdhdr.l_file_version != 7)
{
g_message (_("Can't read color entries"));
- g_free (xwdcolmap);
- fclose (ifp);
- return (-1);
+ goto out;
}
}
@@ -508,9 +511,7 @@ load_image (const gchar *filename,
{
g_message (_("'%s':\nNo image width specified"),
gimp_filename_to_utf8 (filename));
- g_free (xwdcolmap);
- fclose (ifp);
- return (-1);
+ goto out;
}
if (xwdhdr.l_pixmap_width > GIMP_MAX_IMAGE_SIZE
@@ -518,27 +519,21 @@ load_image (const gchar *filename,
{
g_message (_("'%s':\nImage width is larger than GIMP can handle"),
gimp_filename_to_utf8 (filename));
- g_free (xwdcolmap);
- fclose (ifp);
- return (-1);
+ goto out;
}
if (xwdhdr.l_pixmap_height <= 0)
{
g_message (_("'%s':\nNo image height specified"),
gimp_filename_to_utf8 (filename));
- g_free (xwdcolmap);
- fclose (ifp);
- return (-1);
+ goto out;
}
if (xwdhdr.l_pixmap_height > GIMP_MAX_IMAGE_SIZE)
{
g_message (_("'%s':\nImage height is larger than GIMP can handle"),
gimp_filename_to_utf8 (filename));
- g_free (xwdcolmap);
- fclose (ifp);
- return (-1);
+ goto out;
}
gimp_progress_init_printf (_("Opening '%s'"),
@@ -591,11 +586,6 @@ load_image (const gchar *filename,
}
gimp_progress_update (1.0);
- fclose (ifp);
-
- if (xwdcolmap)
- g_free (xwdcolmap);
-
if (image_ID == -1 && ! (error && *error))
g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED,
_("XWD-file %s has format %d, depth %d and bits per pixel %d. "
@@ -603,6 +593,17 @@ load_image (const gchar *filename,
gimp_filename_to_utf8 (filename),
(gint) xwdhdr.l_pixmap_format, depth, bpp);
+out:
+ if (ifp)
+ {
+ fclose (ifp);
+ }
+
+ if (xwdcolmap)
+ {
+ g_free (xwdcolmap);
+ }
+
return image_ID;
}
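Review bot: The `out:` label sits after the fallback `g_set_error`, so every early exit that reports only through `g_message` now returns -1 with `*error` still unset. That matches the old behaviour, but it is easy to miss now that all exits share one path; a comment at the label such as `/* error paths arrive here with image_ID == -1; *error may be unset */` would record it. As a style point, `g_free()` accepts NULL, so the guarded block can be the single line `g_free (xwdcolmap);`. The `if (ifp)` guard before `fclose` is needed and should stay.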
--
cgit v0.9.2