From 52cb2edd9e7cdfd376f39c35620df34cfbf75f5b Mon Sep 17 00:00:00 2001 From: Ell Date: Tue, 11 Feb 2020 17:44:43 +0200 Subject: [PATCH] Issue #4605 - Invalid abr brush crashes GIMP When loading ABR brushes, error out on negative scan-line lengths, instead of trying to allocate a huge buffer. This entire code could use a whole lot more unsignedness, but this should cover the crash. --- app/core/gimpbrush-load.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/core/gimpbrush-load.c b/app/core/gimpbrush-load.c index 8fa0f494ba..0076f0b98e 100644 --- a/app/core/gimpbrush-load.c +++ b/app/core/gimpbrush-load.c @@ -1131,7 +1131,7 @@ abr_rle_decode (GDataInputStream *input, for (i = 0; i < height; i++) { cscanline_len[i] = abr_read_short (input, error); - if (error && *error) + if ((error && *error) || cscanline_len[i] <= 0) goto err; }