The C language only promotes data values up to (un)signed int,
which is 32 bit, if no larger data type is used within the
calculation. Having a multiplication of two gint variables,
even if the expected target variable is of type gsize (64 bit),
leads to a possible integer overflow.
This bug can be triggered in gimp_temp_buf_new, which is used
to allocate memory for given supplied dimensions and bytes per
pixel. If triggered, less memory than needed is allocated and
therefore allows out of boundary accesses, either resulting in
possible code execution or information leakage.
While at it, make sure that the supplied format can actually be
resolved to a bytes per pixel value. If not, return NULL.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Change gimp_pixbuf_create_buffer() to copy the pixels if a linear
buffer cannot be created. Add functions that convert between
GimpTempBuf and GdkPixbuf. Fix users of gimp_pixbuf_create_buffer()
to make the least possible copies. Patch modified by Mitch.
