callisto-debian/gimp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Issue #1731: gbr file that crashes gimp-2.10.

Browse Source 
GIMP_BRUSH_MAX_SIZE was already defined (as 10.000 pixels per dimension,
which is big for a brush) in gimpbrush.h. Let's just use this to
validate the size returned by the header.

(cherry picked from commit b3de0bb7a5)
This commit is contained in:
Jehan
2018-06-28 17:25:57 +02:00
parent de5b6b2a81
commit 7eb195cdbf
1 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
app/core/gimpbrush-load.c
View File

@ -34,7 +34,6 @@
#include "gimp-intl.h" #include "gimp-intl.h"
/* stuff from abr2gbr Copyright (C) 2001 Marco Lamberto <lm@sunnyspot.org> */ /* stuff from abr2gbr Copyright (C) 2001 Marco Lamberto <lm@sunnyspot.org> */
/* the above is GPL see http://the.sunnyspot.org/gimp/ */ /* the above is GPL see http://the.sunnyspot.org/gimp/ */
@ -189,6 +188,15 @@ gimp_brush_load_brush (GimpContext *context,
return NULL; return NULL;
} }
if (header.width > GIMP_BRUSH_MAX_SIZE ||
header.height > GIMP_BRUSH_MAX_SIZE)
{
g_set_error (error, GIMP_DATA_ERROR, GIMP_DATA_ERROR_READ,
_("Fatal parse error in brush file: %dx%d over max size."),
header.width, header.height);
return NULL;
}
switch (header.version) switch (header.version)
{ {
case 1: case 1: