From 16970ab4f072a296d15814b99cbe1a33b53aed90 Mon Sep 17 00:00:00 2001
From: Mukund Sivaraman
Date: Fri, 6 Jul 2007 08:44:21 +0000
Subject: [PATCH] validate size values read from files before using them to allocate memory.
2007-07-06 Mukund Sivaraman
* plug-ins/common/psd-load.c: validate size values read from files
before using them to allocate memory.
svn path=/trunk/; revision=22883
---
 ChangeLog | 5 +++++
 plug-ins/common/psd-load.c | 28 ++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 5d088da5b7..37a1e6b3a1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2007-07-06 Mukund Sivaraman
+
+ * plug-ins/common/psd-load.c: validate size values read from files
+ before using them to allocate memory.
+
 2007-07-05 Sven Neumann
 * plug-ins/common/displace.c: applied patch from Ulf-D. Ehlert
diff --git a/plug-ins/common/psd-load.c b/plug-ins/common/psd-load.c
index efedf0e719..902144366c 100644
--- a/plug-ins/common/psd-load.c
+++ b/plug-ins/common/psd-load.c
@@ -1047,6 +1047,17 @@ do_layer_record (FILE *fd,
 layer->width = right - left;
 layer->height = bottom - top;
+ if ((layer->height > GIMP_MAX_IMAGE_SIZE) ||
+ (layer->width > GIMP_MAX_IMAGE_SIZE))
+ {
+ g_error ("Input file has a larger layer size than GIMP can handle.");
+ }
+
+ if (layer->width > (G_MAXUINT / layer->height))
+ {
+ g_error ("Input file has a larger layer size than GIMP can handle.");
+ }
+
 IFDBG printf("\t\t\t\tLayer extents: (%d,%d) -> (%d,%d)\n", left,top,right,bottom);
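Review bot: The new overflow guard `if (layer->width > (G_MAXUINT / layer->height))` divides by a value taken straight from the file, so a layer record with `bottom == top` makes `layer->height` zero and the check itself faults with a division by zero. The same pattern appears in the layer-mask hunk (`layer->lm_height`) and in read_whole_file (`PSDheader.rows`), unless zero is rejected somewhere outside the visible lines. Guarding the divisor fixes it, e.g. `if (layer->height != 0 && layer->width > (G_MAXUINT / layer->height))`. If the width/height fields are signed (their declarations are not in the hunk), a record with `right < left` would also pass the `> GIMP_MAX_IMAGE_SIZE` test, so a `< 0` rejection may be needed too. do_layer_record's body starts and ends outside the hunk.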
@@ -1167,6 +1178,17 @@ do_layer_record (FILE *fd,
 layer->lm_width = right - left;
 layer->lm_height = bottom - top;
+ if ((layer->lm_height > GIMP_MAX_IMAGE_SIZE) ||
+ (layer->lm_width > GIMP_MAX_IMAGE_SIZE))
+ {
+ g_error ("Input file has a larger layer mask size than GIMP can handle.");
+ }
+
+ if (layer->lm_width > (G_MAXUINT / layer->lm_height))
+ {
+ g_error ("Input file has a larger layer mask size than GIMP can handle.");
+ }
+
 color = getguchar(fd, "lmask color");
 flags = getguchar(fd, "lmask flags");
@@ -3213,6 +3235,12 @@ read_whole_file (FILE *fd, const gchar *filename)
 gimp_filename_to_utf8 (filename));
 }
+ if (PSDheader.columns > (G_MAXUINT / PSDheader.rows))
+ {
+ g_error ("'%s' has a larger image size than GIMP can handle.",
+ gimp_filename_to_utf8 (filename));
+ }
+
 PSDheader.bpp = getgint16 (fd, "depth");
 PSDheader.mode = getgint16 (fd, "mode");
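Review bot: In the layer-mask hunk of do_layer_record, both new checks report through `g_error ()`, which GLib treats as fatal and ends in abort(), so a PSD with an oversized mask terminates the plug-in process instead of failing the load. For a condition that depends only on file contents, a non-fatal report followed by the plug-in's normal exit path reads better, for example `g_message ("Input file has a larger layer mask size than GIMP can handle.");` then `gimp_quit ();`. The same applies to the layer-size checks added earlier in this function. The function continues outside the hunk, so whether a cleaner return path exists there is not visible.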
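Review bot: The check added in read_whole_file bounds only `PSDheader.columns * PSDheader.rows` to a guint, and it runs before `PSDheader.bpp` is read on the following line. If later allocations multiply that product by a channel count or bytes per sample (not visible in this hunk), the result can still wrap for files that pass this test. Moving the test below the depth read and dividing the limit by those factors would cover that, along the lines of `if (PSDheader.columns > G_MAXUINT / PSDheader.rows / bytes_per_pixel)`, where `bytes_per_pixel` is a placeholder for whatever factor the allocation actually uses. read_whole_file starts and ends outside the hunk.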