From c57f9dcf1934a9ab0cd67650f2dea18cb0902270 Mon Sep 17 00:00:00 2001 From: Jehan Date: Thu, 21 Dec 2017 12:25:32 +0100 Subject: Bug 790784 - (CVE-2017-17784) heap overread in gbr parser / load_image. We were assuming the input name was well formed, hence was nul-terminated. As any data coming from external input, this has to be thorougly checked. Similar to commit 06d24a79af94837d615d0024916bb95a01bf3c59 but adapted to older gimp-2-8 code. --- plug-ins/common/file-gbr.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/plug-ins/common/file-gbr.c b/plug-ins/common/file-gbr.c index b028100..d3f01d9 100644 --- a/plug-ins/common/file-gbr.c +++ b/plug-ins/common/file-gbr.c @@ -443,7 +443,8 @@ load_image (const gchar *filename, { gchar *temp = g_new (gchar, bn_size); - if ((read (fd, temp, bn_size)) < bn_size) + if ((read (fd, temp, bn_size)) < bn_size || + temp[bn_size - 1] != '\0') { g_set_error (error, G_FILE_ERROR, G_FILE_ERROR_FAILED, _("Error in GIMP brush file '%s'"), -- cgit v0.12