GNOME Bugzilla – Bug 603995
PCX plugin doesn't sanitize input to avoid allocation overflows.
Last modified: 2009-12-09 15:40:13 UTC
Created attachment 149267: Proposed patch: ensure that too high input data doesn't overflow allocation calculations

Depending on the image type (b/w, indexed, grayscale, RGB), the PCX plugin tries to allocate memory depending on width and height stored in the file header. It doesn't check whether calculating the amount of memory to allocate would overflow the target type (gsize). At least in the case of RGB, the amount of memory needed can be overflowed as it is calculated as "width * height * 3". Both width and height are unsigned 16-bit values kept in signed 32-bit variables -- if both are G_MAXUINT16, the result of this calculation would overflow 32-bit types (like gsize on 32-bit x86 machines).
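To illustrate the overflow described in the report, here is an added example (not the GIMP PCX plugin's code or the attached patch): the unchecked "width * height * bpp" calculation next to a division-based check that rejects header dimensions whose byte count would not fit the allocation-size type. The size type is modelled as uint32_t to reproduce a 32-bit gsize; the plugin itself keeps the dimensions in signed ints, where the wrap would be undefined behaviour rather than the defined modular wrap shown here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked: the calculation as the report describes it, done in 32-bit
 * arithmetic. For large dimensions the product wraps silently and the
 * caller allocates far less than the image data needs. */
uint32_t pcx_alloc_size_unchecked(uint16_t width, uint16_t height, uint32_t bpp)
{
    return (uint32_t)width * (uint32_t)height * bpp;
}

/* Checked: returns false (and leaves *out untouched) whenever either
 * multiplication would exceed UINT32_MAX. Division keeps the check
 * portable, no wider integer type is required. bpp is 1 for b/w,
 * indexed and grayscale images and 3 for RGB. */
bool pcx_alloc_size_checked(uint16_t width, uint16_t height, uint32_t bpp,
                            uint32_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return false;
    if ((uint32_t)width > UINT32_MAX / height)
        return false;                         /* width * height overflows */
    uint32_t pixels = (uint32_t)width * height;
    if (pixels > UINT32_MAX / bpp)
        return false;                         /* pixels * bpp overflows */
    *out = pixels * bpp;
    return true;
}

int main(void)
{
    /* Constructed header values: both dimensions at G_MAXUINT16, RGB. */
    uint16_t w = 65535, h = 65535;
    uint32_t n;

    printf("unchecked: %u bytes (wrapped)\n", pcx_alloc_size_unchecked(w, h, 3));
    if (!pcx_alloc_size_checked(w, h, 3, &n))
        printf("checked: image dimensions too large: %u x %u\n", w, h);
    if (pcx_alloc_size_checked(1024, 768, 3, &n))
        printf("checked: 1024 x 768 RGB needs %u bytes\n", n);
    return 0;
}
```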
Review of attachment 149267: There is a typo in the message (should be "too") and if a width can be too high :) (I think I'd prefer "big", not sure.) Otherwise the patch looks fine, please commit.
The best would be to try not to introduce a new string, but use one that is already in the po-plugins message domain. But that can be done as an extra step and it is only really needed in the gimp-2-6 branch.
Hmm, I can't find a suitable message in po-plug-ins... I would change the text to "Image dimensions too large: width %d x height %d" in master, but what should I do in gimp-2-6?
Created attachment 149328: Proposed fix: sanitize input data (amended)
If there is no suitable string, then we need to introduce a new one.
I think in the case of gimp-2-6, it is acceptable if the error message is not translated right away (it should only be ever visible in unusual circumstances). If you agree, I would commit the fix.
Review of attachment 149328: Looks good. Please commit.
Review of attachment 149328: committed as ed7f48be05d2