From 9983251f8af0d89b8c2e777d5c9eb4f1861fc11b Mon Sep 17 00:00:00 2001
From: Martin Nordholts
Date: Sat, 6 Sep 2008 15:10:40 +0000
Subject: [PATCH] =?UTF-8?q?Bug=20544939=20=E2=80=93=20PSD=20Plugin=20crash?= =?UTF-8?q?=20(maybe=20only=20PSD=20files=20created=20by=20Paintshop=20Pro?= =?UTF-8?q?)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* plug-ins/file-psd/psd-load.c (add_layers): Fix integer underflow and only attempt to read channel data if there is any channel data.
svn path=/trunk/; revision=26888
---
 ChangeLog | 9 +++++++++
 plug-ins/file-psd/psd-load.c | 26 +++++++++++++++++---------
 2 files changed, 26 insertions(+), 9 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 1dd07c60e4..29ffb4a14d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2008-09-06 Martin Nordholts
+
+ Bug 544939 – PSD Plugin crash (maybe only PSD files created by
+ Paintshop Pro)
+
+ * plug-ins/file-psd/psd-load.c (add_layers): Fix integer underflow
+ and only attempt to read channel data if there is any channel
+ data.
+
 2008-09-06 Martin Nordholts
 * plug-ins/file-psd/psd-load.c (add_layers): Also consider unknown
diff --git a/plug-ins/file-psd/psd-load.c b/plug-ins/file-psd/psd-load.c
index 3319a57b51..63a5082005 100644
--- a/plug-ins/file-psd/psd-load.c
+++ b/plug-ins/file-psd/psd-load.c
@@ -35,6 +35,10 @@
 #include "libgimp/stdplugins-intl.h"
+
+#define COMP_MODE_SIZE sizeof(guint16)
+
+
 /* Local function prototypes */
 static gint read_header_block (PSDimage *img_a,
 FILE *f,
@@ -958,7 +962,6 @@ add_layers (const gint32 image_id,
 {
 PSDchannel **lyr_chn;
 guchar *pixels;
- guint16 comp_mode;
 guint16 alpha_chn;
 guint16 user_mask_chn;
 guint16 layer_channels;
@@ -1089,16 +1092,21 @@ add_layers (const gint32 image_id,
 lyr_chn[cidx]->columns,
 lyr_chn[cidx]->rows);
- if (fread (&comp_mode, 2, 1, f) < 1)
+ /* Only read channel data if there is more data than
+ * what compression method that is used
+ */
+ if (lyr_a[lidx]->chn_info[cidx].data_len > COMP_MODE_SIZE)
 {
- psd_set_error (feof (f), errno, error);
- return -1;
- }
- comp_mode = GUINT16_FROM_BE (comp_mode);
- IFDBG(3) g_debug ("Compression mode: %d", comp_mode);
+ guint16 comp_mode;
+
+ if (fread (&comp_mode, COMP_MODE_SIZE, 1, f) < 1)
+ {
+ psd_set_error (feof (f), errno, error);
+ return -1;
+ }
+ comp_mode = GUINT16_FROM_BE (comp_mode);
+ IFDBG(3) g_debug ("Compression mode: %d", comp_mode);
- if (lyr_a[lidx]->chn_info[cidx].data_len - 2 > 0)
- {
 switch (comp_mode)
 {
 case PSD_COMP_RAW: /* Planar raw data */
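Review bot: A channel whose `data_len` is exactly `COMP_MODE_SIZE` now skips the `fread` of the compression field as well as the pixel data, whereas the removed code always consumed those two bytes before testing the length. If the channels are read back to back from `f` (the loop and any seek are outside this hunk), the next channel's compression-mode read would pick up this channel's unread field, so I would read the mode under `if (lyr_a[lidx]->chn_info[cidx].data_len >= COMP_MODE_SIZE)` and guard only the `switch` with `> COMP_MODE_SIZE`. Because `data_len` is taken from the file, it is also worth confirming that the code after the `switch`, which this hunk does not show, never treats a skipped channel's buffer as populated. The new comment would read more clearly as `/* Only read channel data if data_len covers more than the compression-mode field */`.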