callisto-debian/gimp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
callisto/bookworm
gimp/debian/patches/plug-ins-Additional-fixes-for-DDS-Import.patch
Salvatore Bonaccorso 27ecc73732 Import Debian changes 2.10.34-1+deb12u1 
gimp (2.10.34-1+deb12u1) bookworm-security; urgency=high
.
  * Non-maintainer upload by the Security Team.
  * plug-ins: Fix vulnerabilities in file-psp (CVE-2023-44443, CVE-2023-44444)
    (Closes: #1055984)
  * plug-ins: Fix vulnerability in file-psd (CVE-2023-44442)
    (Closes: #1055984)
  * plug-ins: Fix DDS vulnerability (ZDI-CAN-22093) (CVE-2023-44441)
    (Closes: #1055984)
  * plug-ins: Fix DDS import regression
  * plug-ins: Additional fixes for DDS Import
2025-06-06 17:29:58 -04:00

54 lines
2.0 KiB
Diff
Raw Permalink Blame History

From: Alx Sa <cmyk.student@gmail.com>
Date: Sat, 28 Oct 2023 21:44:51 +0000
Subject: plug-ins: Additional fixes for DDS Import
Origin: https://gitlab.gnome.org/GNOME/gimp/-/commit/9dda8139e4d07e3a273436eda993fef32555edbe
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-44441
Bug-Debian: https://bugs.debian.org/1055984
@Wormnest noted remaining regressions after 8faad92e.
The second fread() only runs if the DDSD_PITCH flag is set,
so the error handling check should also be conditional.
Additionally, the ZDI-CAN-22093 exploit no longer runs but
still could cause a plug-in crash. This patch adds an additional
check to ensure the buffer size was within bounds.
---
plug-ins/file-dds/ddsread.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/plug-ins/file-dds/ddsread.c b/plug-ins/file-dds/ddsread.c
index 74368d04e41a..dcb4449a9f97 100644
--- a/plug-ins/file-dds/ddsread.c
+++ b/plug-ins/file-dds/ddsread.c
@@ -928,6 +928,7 @@ load_layer (FILE *fp,
current_position = ftell (fp);
fseek (fp, 0L, SEEK_END);
file_size = ftell (fp);
+ fseek (fp, 0, SEEK_SET);
fseek (fp, current_position, SEEK_SET);
if (width < 1) width = 1;
@@ -1033,7 +1034,8 @@ load_layer (FILE *fp,
size *= 16;
}
- if (size > (file_size - current_position))
+ if (size > (file_size - current_position) ||
+ size > hdr->pitch_or_linsize)
{
g_message ("Requested data exceeds size of file.\n");
return 0;
@@ -1078,7 +1080,9 @@ load_layer (FILE *fp,
}
current_position = ftell (fp);
- if ((width * d->bpp) > (file_size - current_position))
+ if ((hdr->flags & DDSD_PITCH) &&
+ ((width * d->bpp) > (file_size - current_position) ||
+ (width * d->bpp) > hdr->pitch_or_linsize))
{
g_message ("Requested data exceeds size of file.\n");
return 0;
--
2.42.0
Reference in New Issue View Git Blame Copy Permalink