GNOME Bugzilla – Bug 604000
SGI: sanitize input
Last modified: 2009-12-09 16:20:21 UTC
The SGI plugin doesn't sanitize the xsize, ysize and zsize header fields (basically width, height and color depth). It is possible to use zero in one of these and this value will be used later on without further checks. While this may not be a security issue (it doesn't seem to crash the plugin), it should be fixed so that the user knows that something is wrong with the file instead of getting this error message: "Calling error for procedure 'gimp-image-new': Procedure 'gimp-image-new' has been called with value '0' for argument 'height' (#2, type GimpInt32). This value is out of range."
Created attachment 149272: Proposed fix: sanitize input data
This also needs to check for GIMP_MAX_IMAGE_SIZE. Please amend the patch accordingly.
Created attachment 149434: Proposed fix: sanitize input data (amended)
Created attachment 149435: SGI image file exhibiting the RLE decoding error
Created attachment 149437: Proposed fix: ensure that RLE decoding doesn't access memory beyond allocated buffers (amended). Rework the fix above using "count = MIN (ch & 127, xsize);" instead, as proposed by Simon.
Comment on attachment 149435 (SGI image file exhibiting the RLE decoding error): wrong bug
Comment on attachment 149437 (Proposed fix: ensure that RLE decoding doesn't access memory beyond allocated buffers (amended)): wrong bug
Comment on attachment 149434 (Proposed fix: sanitize input data (amended)): un-obsolete this patch
Review of attachment 149434: looks good, please commit.
Review of attachment 149434: committed: daaf1d2 SGI: sanitize input data
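Added example, not part of this bug report and not GIMP's own sgi.c: a header parser that rejects zero and oversized xsize/ysize/zsize (with GIMP_MAX_IMAGE_SIZE, 524288 in libgimpbase/gimplimits.h, copied as a local constant) and a bounded RLE row decoder in the spirit of the "count = MIN (ch & 127, xsize)" fix mentioned above, except that this version rejects an over-long run instead of clamping it. The header layout (magic 474, storage, bpc, then big-endian 16-bit dimension, xsize, ysize, zsize at offsets 4..11) is the standard SGI format; the function names, the SGI_MAX_ZSIZE limit of 4 channels and the sample header and RLE stream are constructed for this example.

```c
/* Added example: SGI (.rgb) header validation and bounded RLE row decoding. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SGI_MAGIC       474      /* 0x01DA, stored big-endian */
#define SGI_HEADER_LEN  512
#define MAX_IMAGE_SIZE  524288   /* GIMP_MAX_IMAGE_SIZE, libgimpbase/gimplimits.h */
#define SGI_MAX_ZSIZE   4        /* assumption: grey, grey+alpha, RGB, RGBA */

typedef struct {
    uint32_t magic, storage, bpc, dimension, xsize, ysize, zsize;
    uint64_t pixel_bytes;        /* xsize * ysize * zsize * bpc, computed in 64 bits */
} sgi_header;

static uint32_t be16(const unsigned char *p) { return ((uint32_t)p[0] << 8) | p[1]; }
static void put16(unsigned char *p, uint16_t v) { p[0] = (unsigned char)(v >> 8); p[1] = (unsigned char)v; }

/* Parse and validate the fixed 512-byte header. Returns 0 on success, or -1 with
 * the first problem written to err, so the caller can tell the user what is wrong
 * with the file instead of handing a zero on to gimp_image_new(). */
int sgi_parse_header(const unsigned char *buf, size_t len, sgi_header *h, char *err, size_t errlen)
{
    if (len < SGI_HEADER_LEN) { snprintf(err, errlen, "header truncated (%zu bytes)", len); return -1; }
    h->magic     = be16(buf);
    h->storage   = buf[2];
    h->bpc       = buf[3];
    h->dimension = be16(buf + 4);
    h->xsize     = be16(buf + 6);
    h->ysize     = be16(buf + 8);
    h->zsize     = be16(buf + 10);

    if (h->magic != SGI_MAGIC)                { snprintf(err, errlen, "bad magic 0x%04x", h->magic); return -1; }
    if (h->storage > 1)                       { snprintf(err, errlen, "unknown storage type %u", h->storage); return -1; }
    if (h->bpc != 1 && h->bpc != 2)           { snprintf(err, errlen, "unsupported bytes per channel %u", h->bpc); return -1; }
    if (h->dimension < 1 || h->dimension > 3) { snprintf(err, errlen, "bad dimension %u", h->dimension); return -1; }
    /* The checks this bug asks for: zero and oversized sizes are rejected here. The upper bound
     * cannot fire for a 16-bit field, but mirrors the GIMP_MAX_IMAGE_SIZE check requested in the bug. */
    if (h->xsize == 0 || h->xsize > MAX_IMAGE_SIZE) { snprintf(err, errlen, "bad xsize %u", h->xsize); return -1; }
    if (h->ysize == 0 || h->ysize > MAX_IMAGE_SIZE) { snprintf(err, errlen, "bad ysize %u", h->ysize); return -1; }
    if (h->zsize == 0 || h->zsize > SGI_MAX_ZSIZE)  { snprintf(err, errlen, "bad zsize %u", h->zsize); return -1; }
    /* 65535 * 65535 * 4 * 2 does not fit in 32 bits, so size the pixel buffer in 64 bits. */
    h->pixel_bytes = (uint64_t)h->xsize * h->ysize * h->zsize * h->bpc;
    return 0;
}

/* Decode one RLE-packed scanline with bpc == 1 into row[0..xsize).
 * Returns the pixel count written, or -1 if the stream would run past the
 * input or the output row. Over-long runs are rejected rather than clamped. */
long sgi_rle_decode_row(const unsigned char *in, size_t inlen, unsigned char *row, size_t xsize)
{
    size_t ip = 0, op = 0;
    while (ip < inlen) {
        unsigned char ch = in[ip++];
        size_t count = ch & 0x7f;
        if (count == 0) return (long)op;            /* end-of-row marker */
        if (count > xsize - op) return -1;          /* would write beyond the row */
        if (ch & 0x80) {                            /* literal run: count bytes follow */
            if (count > inlen - ip) return -1;
            memcpy(row + op, in + ip, count);
            ip += count;
        } else {                                    /* repeat run: one byte follows */
            if (ip >= inlen) return -1;
            memset(row + op, in[ip++], count);
        }
        op += count;
    }
    return op == xsize ? (long)op : -1;             /* tolerate a missing marker on a full row */
}

/* Constructed test header (not from a real file): magic plus the given fields, rest zero. */
void sgi_make_header(unsigned char *buf, uint8_t storage, uint8_t bpc,
                     uint16_t dim, uint16_t x, uint16_t y, uint16_t z)
{
    memset(buf, 0, SGI_HEADER_LEN);
    put16(buf, SGI_MAGIC); buf[2] = storage; buf[3] = bpc;
    put16(buf + 4, dim); put16(buf + 6, x); put16(buf + 8, y); put16(buf + 10, z);
}

int main(void)
{
    unsigned char buf[SGI_HEADER_LEN], row[8];
    sgi_header h; char err[96];
    static const unsigned char rle[] = { 0x83, 'a', 'b', 'c', 0x02, 'z', 0x00 };  /* constructed stream */

    sgi_make_header(buf, 1, 1, 3, 16, 8, 3);
    printf("valid header: %s\n", sgi_parse_header(buf, sizeof buf, &h, err, sizeof err) ? err : "ok");
    sgi_make_header(buf, 1, 1, 3, 16, 0, 3);        /* the zero-height case from this bug */
    printf("zero ysize:   %s\n", sgi_parse_header(buf, sizeof buf, &h, err, sizeof err) ? err : "ok");
    printf("rle into 5-pixel row: %ld, into 4-pixel row: %ld\n",
           sgi_rle_decode_row(rle, sizeof rle, row, 5), sgi_rle_decode_row(rle, sizeof rle, row, 4));
    return 0;
}
```

With the zero-height header the parser reports "bad ysize 0" before any image is created, which is the user-visible message the bug asks for; the same stream decoded into a 4-pixel row fails instead of writing a fifth byte past the buffer.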