Issue #4605 - Invalid abr brush crashes GIMP

When loading ABR brushes, error out on negative scan-line lengths, instead of trying to allocate a huge buffer. This entire code could use a whole lot more unsignedness, but this should cover the crash.
2020-02-11 17:44:43 +02:00
parent 782e209a33
commit 52cb2edd9e
1 changed files with 1 additions and 1 deletions
--- a/app/core/gimpbrush-load.c
+++ b/app/core/gimpbrush-load.c
@ -1131,7 +1131,7 @@ abr_rle_decode (GDataInputStream  *input,
  for (i = 0; i < height; i++)
    {
      cscanline_len[i] = abr_read_short (input, error);
-      if (error && *error)
+      if ((error && *error) || cscanline_len[i] <= 0)
        goto err;
    }