Debian Patches
Status for gimp/2.10.34-1+deb12u3
Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
CVE-2025-2761.patch | [PATCH] plug-ins: Fix ZDI-CAN-25100 for FLI plug-in Resolves #13073 This patch adds a check to make sure we're not writing beyond the bounds of the "pos" array. This is the same check that we do earlier when writing pos[xc++], but it was left off of the last write command. Since "n" will be 0 if we get to the end of the array, it prevents us from writing beyond that. | Alx Sa <cmyk.student@gmail.com> | no | | | 2025-03-10 |
CVE-2025-48797-1.patch | commit 8d309dd0385fdd298520b69148542375f56ef977 tga: always convert colour-mapped images to RGBA if image claims to contain alpha If the colourmap contains more than 256 items AND has alpha, it should always be promoted to RGBA. Therefore we move the "if (info->alphaBits)" check into the first if clause, to avoid accidentally demoting to RGB in this scenario. Other parts of the tga parser assume that the destination array is RGBA when alphaBits is not zero. For example, upsample() will always write 4 bytes per pixel when alpha is set (even if we only allocated 3 because we thought we should use RGB). Erroneously allocating only 3 bytes makes it easy to induce a heap-buffer-overflow write, see ASAN output below. (apply_colormap makes the same assumption and would probably do the same thing, but upsample is the first location that we'd hit this issue.) ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61700002ae00 at pc 0x000000563d97 bp 0x7ffde8677890 sp 0x7ffde8677888 WRITE of size 1 at 0x61700002ae00 thread T0 #0 0x563d96 in upsample /home/ahunt/git/gimp/plug-ins/common/file-tga.c:830:15 #1 0x560b59 in ReadImage /home/ahunt/git/gimp/plug-ins/common/file-tga.c #2 0x55f4ee in load_image /home/ahunt/git/gimp/plug-ins/common/file-tga.c:647:11 #3 0x5652ab in LLVMFuzzerTestOneInput /home/ahunt/git/gimp/plug-ins/common/file-tga_fuzzer.c:69:17 #4 0x461624 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 #5 0x460b2a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3 #6 0x462847 in fuzzer::Fuzzer::MutateAndTestOne() /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:745:19 #7 0x4633d5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5 #8 0x451686 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 #9 0x47b662 in main /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #10 0x7fd894a94349 in __libc_start_main (/lib64/libc.so.6+0x24349) #11 0x424a39 in _start /home/abuild/rpmbuild/BUILD/glibc-2.26/csu/../sysdeps/x86_64/start.S:120 0x61700002ae00 is located 0 bytes to the right of 768-byte region [0x61700002ab00,0x61700002ae00) allocated by thread T0 here: #0 0x52ca8d in malloc /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 #1 0x7fd895b14cf2 in g_malloc /home/ahunt/git/glib/_build/../glib/gmem.c:106:13 #2 0x55fce9 in ReadImage /home/ahunt/git/gimp/plug-ins/common/file-tga.c:1039:26 #3 0x55f4ee in load_image /home/ahunt/git/gimp/plug-ins/common/file-tga.c:647:11 #4 0x5652ab in LLVMFuzzerTestOneInput /home/ahunt/git/gimp/plug-ins/common/file-tga_fuzzer.c:69:17 #5 0x461624 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 #6 0x460b2a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3 #7 0x462847 in fuzzer::Fuzzer::MutateAndTestOne() /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:745:19 #8 0x4633d5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5 #9 0x451686 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 #10 0x47b662 in main /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #11 0x7fd894a94349 in __libc_start_main (/lib64/libc.so.6+0x24349) SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ahunt/git/gimp/plug-ins/common/file-tga.c:830:15 in upsample Shadow bytes around the buggy address: 0x0c2e7fffd570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c2e7fffd580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c2e7fffd590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c2e7fffd5a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c2e7fffd5b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c2e7fffd5c0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2e7fffd5d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2e7fffd5e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2e7fffd5f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2e7fffd600: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2e7fffd610: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==12179==ABORTING ( crash-f65fd5404bff32c1d9d10ee049d9c98d02bbbdc2 ) (cherry picked from commit 49755f085a6fcc9c692b14e67856e91a79245688) diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c index e833c60cd9..d70991020a 100644 | Andrzej Hunt <andrzej@ahunt.org> | no | | | 2024-07-16 |
CVE-2025-48797-2.patch | commit 97f8c2e468cffce70c6772e74cbff8eda4e8c180 tga: check for valid color ID in apply_colormap A malformed colourmapped tga file could specify color IDs that are not contained in the colourmap. Therefore we add some bounds checking to ensure that we only use entries that actually exist. We could completely give up on such files, but it's just as easy to fall back to the first colour in the map in this case. However we can only fall back to the first colour in the map IF the colourmap contains at least one entry. Therefore we add an up-front check to verify that colourmapped images actually do contain at least one entry. Without this bounds-checking, it's possible to induce a heap-buffer-overflow read in apply_colormap(), see ASAN output below: ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900002257c at pc 0x000000564f99 bp 0x7ffe65fdb040 sp 0x7ffe65fdb038 READ of size 1 at 0x61900002257c thread T0 #0 0x564f98 in apply_colormap /home/ahunt/git/gimp/plug-ins/common/file-tga.c:901:23 #1 0x56411a in read_line /home/ahunt/git/gimp/plug-ins/common/file-tga.c:975:7 #2 0x560648 in ReadImage /home/ahunt/git/gimp/plug-ins/common/file-tga.c:1202:15 #3 0x55f4ee in load_image /home/ahunt/git/gimp/plug-ins/common/file-tga.c:647:11 #4 0x5653ab in LLVMFuzzerTestOneInput /home/ahunt/git/gimp/plug-ins/common/file-tga_fuzzer.c:69:17 #5 0x461624 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 #6 0x460b2a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3 #7 0x462847 in fuzzer::Fuzzer::MutateAndTestOne() /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:745:19 #8 0x4633d5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5 #9 0x451686 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 #10 0x47b662 in main /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #11 0x7fe76a5dc349 in __libc_start_main (/lib64/libc.so.6+0x24349) #12 0x424a39 in _start /home/abuild/rpmbuild/BUILD/glibc-2.26/csu/../sysdeps/x86_64/start.S:120 0x61900002257c is located 0 bytes to the right of 1020-byte region [0x619000022180,0x61900002257c) allocated by thread T0 here: #0 0x52ca8d in malloc /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 #1 0x7fe76b65ccf2 in g_malloc /home/ahunt/git/glib/_build/../glib/gmem.c:106:13 #2 0x55fdc6 in ReadImage /home/ahunt/git/gimp/plug-ins/common/file-tga.c:1049:26 #3 0x55f4ee in load_image /home/ahunt/git/gimp/plug-ins/common/file-tga.c:647:11 #4 0x5653ab in LLVMFuzzerTestOneInput /home/ahunt/git/gimp/plug-ins/common/file-tga_fuzzer.c:69:17 #5 0x461624 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 #6 0x460b2a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3 #7 0x462847 in fuzzer::Fuzzer::MutateAndTestOne() /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:745:19 #8 0x4633d5 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:883:5 #9 0x451686 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 #10 0x47b662 in main /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #11 0x7fe76a5dc349 in __libc_start_main (/lib64/libc.so.6+0x24349) SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ahunt/git/gimp/plug-ins/common/file-tga.c:901:23 in apply_colormap Shadow bytes around the buggy address: 0x0c327fffc450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c327fffc460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c327fffc470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c327fffc480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c327fffc490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c327fffc4a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[04] 0x0c327fffc4b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c327fffc4c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c327fffc4d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c327fffc4e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c327fffc4f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==16309==ABORTING ( crash-f70628d4df7a65babc8e57d890425771a1d67e06 ) (cherry picked from commit 723d383e57e8f599c4a44ab8541ea6902e29579e) diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c index d70991020a..27251644fa 100644 | Andrzej Hunt <andrzej@ahunt.org> | no | | | 2024-07-16 |
CVE-2025-48797-3.patch | commit d7f0829ae995ca7ca9c64851a1ed03b11702ef1c tga: don't copy more bytes than necessary We are trying to copy all bytes in the current row, which is the width times the number of bytes per pixel (stored in info->bytes), not width times bits per pixel. Copying too much data allows certain inputs to induce a heap-buffer-overflow read, and probably also a write, see ASAN output below: ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d000008088 at pc 0x00000052be17 bp 0x7ffd8bbe8e20 sp 0x7ffd8bbe85e8 READ of size 16448 at 0x61d000008088 thread T0 #0 0x52be16 in __asan_memcpy /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 #1 0x5641ca in read_line /home/ahunt/git/gimp/plug-ins/common/file-tga.c:982:7 #2 0x560218 in ReadImage /home/ahunt/git/gimp/plug-ins/common/file-tga.c:1147:15 #3 0x55f526 in load_image /home/ahunt/git/gimp/plug-ins/common/file-tga.c:646:11 #4 0x56519b in LLVMFuzzerTestOneInput /home/ahunt/git/gimp/plug-ins/common/file-tga_fuzzer.c:69:17 #5 0x461624 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 #6 0x460b2a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3 #7 0x462ec4 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:814:7 #8 0x4630d9 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:845:3 #9 0x451686 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 #10 0x47b662 in main /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #11 0x7fdbd277c349 in __libc_start_main (/lib64/libc.so.6+0x24349) #12 0x424a39 in _start /home/abuild/rpmbuild/BUILD/glibc-2.26/csu/../sysdeps/x86_64/start.S:120 0x61d000008088 is located 0 bytes to the right of 2056-byte region [0x61d000007880,0x61d000008088) allocated by thread T0 here: #0 0x52ca8d in malloc /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 #1 0x7fdbd37fccf2 in g_malloc /home/ahunt/git/glib/_build/../glib/gmem.c:106:13 #2 0x56009b in ReadImage /home/ahunt/git/gimp/plug-ins/common/file-tga.c:1134:10 #3 0x55f526 in load_image /home/ahunt/git/gimp/plug-ins/common/file-tga.c:646:11 #4 0x56519b in LLVMFuzzerTestOneInput /home/ahunt/git/gimp/plug-ins/common/file-tga_fuzzer.c:69:17 #5 0x461624 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 #6 0x460b2a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:505:3 #7 0x462ec4 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:814:7 #8 0x4630d9 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:845:3 #9 0x451686 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:906:6 #10 0x47b662 in main /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #11 0x7fdbd277c349 in __libc_start_main (/lib64/libc.so.6+0x24349) SUMMARY: AddressSanitizer: heap-buffer-overflow /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy Shadow bytes around the buggy address: 0x0c3a7fff8fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3a7fff8fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3a7fff8fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3a7fff8ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3a7fff9000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c3a7fff9010: 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a7fff9020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a7fff9030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a7fff9040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a7fff9050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c3a7fff9060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==26560==ABORTING crash-4b13aca1db7bb795a815431b86cc20284f3aa6da (cherry picked from commit 2ba35e5b3d43d881b0623f47b8068d9ee19d1d70) diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c index 27251644fa..1e31f1f126 100644 | Andrzej Hunt <andrzej@ahunt.org> | no | | | 2024-07-16 |
01_hurd_ftbfs.patch | Define PATH_MAX to fix build on the Hurd. | Svante Signell <svante.signell@telia.com> | yes | | | 2018-04-01 |
02_hurd_ftbfs.patch | qbist: Define PATH_MAX on Hurd | Svante Signell <svante.signell@gmail.com> | yes | debian | | 2019-08-06 |
plug-ins-Fix-vulnerabilities-in-file-psp.patch | plug-ins: Fix vulnerabilities in file-psp Backports commits e1bfd871 and 96f536a3 from master | Alx Sa <cmyk.student@gmail.com> | no | debian | https://gitlab.gnome.org/GNOME/gimp/-/commit/ef12c0a90752a06d4c465a768d052b07f5e8a8a0 | 2023-09-23 |
plug-ins-Fix-vulnerability-in-file-psd.patch | plug-ins: Fix vulnerability in file-psd Resolves #10101. This patch adds a missing break statement after an error condition is detected to prevent the code from continuing afterwards. | Alx Sa <cmyk.student@gmail.com> | no | debian | https://gitlab.gnome.org/GNOME/gimp/-/commit/985c0a20e18b5b3b8a48ee9cb12287b1d5732d3d | 2023-09-29 |
CVE-2025-48797-4.patch | commit ffb7cad1a402377927bc2dc62dad324ae03cec92 plug-ins, tga: don't crash when generating a huge amount of messages A follow-up to the previous commits that address the tga issues from issue #11822. On Windows, when using the error console for messages, a huge amount of error messages, that can be generated with special fuzzed images, like crash-f65fd5404bff32c1d9d10ee049d9c98d02bbbdc2.tga from the above mentioned issue, can cause GIMP to crash. Although this is most likely caused in the error console or its dependencies, we should not let it cause problems here until that is fixed. There is also no real need to generate a huge amount of similar repeated error messages, so let's limit it to 10 per read line of input. (cherry picked from commit 1f062867172d5c68b858a6efa3011686aa32bb38) diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c index 1e31f1f126..46dacc788c 100644 | Jacob Boerema <jgboerema@gmail.com> | no | | | 2024-07-19 |
CVE-2025-48798-1.patch | commit ebf0b569a63f15b5dc7532f16936104af1e09f02 xcf: don't use potentially dangling pointer in xcf_load_layer_mask layer_mask points to the original mask created by xcf_load_layer_mask. We copy this pointer into channel, and xcf_load_channel_props can overwrite this pointer and free the original mask. If this happens, layer_mask points to the now-freed original mask, and should not be used. Therefore we need to change later parts of xcf_load_layer_mask to use channel instead of layer_mask. Additionally, we add a block and move layer_mask into this block to guarantee that layer_mask cannot be used after it has potentially been freed. Adjustments by Jacob Boerema: Follow GIMP's code style regarding variables, comment style and position of braces. See also ASAN output below: ==5247==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000010fd0 at pc 0x7f4e2dbbf31b bp 0x7ffca8a95cd0 sp 0x7ffca8a95cc8 READ of size 8 at 0x615000010fd0 thread T0 #0 0x7f4e2dbbf31a in g_type_check_instance_cast /home/ahunt/git/glib/_build/../gobject/gtype.c:4117:26 #1 0xb200fe in xcf_load_layer_mask /home/ahunt/git/gimp/app/xcf/xcf-load.c:2305:52 #2 0xb18eea in xcf_load_layer /home/ahunt/git/gimp/app/xcf/xcf-load.c:2133:20 #3 0xb13d91 in xcf_load_image /home/ahunt/git/gimp/app/xcf/xcf-load.c:499:15 #4 0xb11deb in xcf_load_stream /home/ahunt/git/gimp/app/xcf/xcf.c:305:19 #5 0x619dfd in LLVMFuzzerTestOneInput /home/ahunt/git/gimp/app/fuzzers/xcf_fuzzer.c:50:17 #6 0x51d364 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 #7 0x506fe2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6 #8 0x50d350 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9 #9 0x5373a2 in main /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #10 0x7f4e2c84c349 in __libc_start_main (/lib64/libc.so.6+0x24349) #11 0x4e0779 in _start /home/abuild/rpmbuild/BUILD/glibc-2.26/csu/../sysdeps/x86_64/start.S:120 0x615000010fd0 is located 336 bytes inside of 504-byte region [0x615000010e80,0x615000011078) freed by thread T0 here: #0 0x5e8562 in free /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3 #1 0x7f4e2d76ce08 in g_free /home/ahunt/git/glib/_build/../glib/gmem.c:199:3 #2 0x7f4e2d797a6b in g_slice_free1 /home/ahunt/git/glib/_build/../glib/gslice.c:1183:7 #3 0x7f4e2dbb7b04 in g_type_free_instance /home/ahunt/git/glib/_build/../gobject/gtype.c:2008:5 #4 0x7f4e2db8fe3a in g_object_unref /home/ahunt/git/glib/_build/../gobject/gobject.c:3604:11 #5 0xb22fff in xcf_load_channel_props /home/ahunt/git/gimp/app/xcf/xcf-load.c:1738:13 #6 0xb20037 in xcf_load_layer_mask /home/ahunt/git/gimp/app/xcf/xcf-load.c:2292:9 #7 0xb18eea in xcf_load_layer /home/ahunt/git/gimp/app/xcf/xcf-load.c:2133:20 #8 0xb13d91 in xcf_load_image /home/ahunt/git/gimp/app/xcf/xcf-load.c:499:15 #9 0xb11deb in xcf_load_stream /home/ahunt/git/gimp/app/xcf/xcf.c:305:19 #10 0x619dfd in LLVMFuzzerTestOneInput /home/ahunt/git/gimp/app/fuzzers/xcf_fuzzer.c:50:17 #11 0x51d364 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 #12 0x506fe2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6 #13 0x50d350 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9 #14 0x5373a2 in main /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #15 0x7f4e2c84c349 in __libc_start_main (/lib64/libc.so.6+0x24349) previously allocated by thread T0 here: #0 0x5e87cd in malloc /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 #1 0x7f4e2d76ccf2 in g_malloc /home/ahunt/git/glib/_build/../glib/gmem.c:106:13 #2 0x7f4e2d7972e0 in g_slice_alloc /home/ahunt/git/glib/_build/../glib/gslice.c:1072:11 #3 0x7f4e2d7978ae in g_slice_alloc0 /home/ahunt/git/glib/_build/../glib/gslice.c:1098:18 #4 0x7f4e2dbb6e0a in g_type_create_instance /home/ahunt/git/glib/_build/../gobject/gtype.c:1911:17 #5 0x7f4e2db9215e in g_object_new_internal /home/ahunt/git/glib/_build/../gobject/gobject.c:1945:24 #6 0x7f4e2db91d1f in g_object_new_valist /home/ahunt/git/glib/_build/../gobject/gobject.c:2288:16 #7 0x7f4e2db90e8b in g_object_new /home/ahunt/git/glib/_build/../gobject/gobject.c:1788:12 #8 0xdb69e0 in gimp_item_new /home/ahunt/git/gimp/app/core/gimpitem.c:723:10 #9 0xce11c8 in gimp_drawable_new /home/ahunt/git/gimp/app/core/gimpdrawable.c:1067:14 #10 0xddf5d8 in gimp_layer_mask_new /home/ahunt/git/gimp/app/core/gimplayermask.c:254:5 #11 0xb1ffc5 in xcf_load_layer_mask /home/ahunt/git/gimp/app/xcf/xcf-load.c:2279:31 #12 0xb18eea in xcf_load_layer /home/ahunt/git/gimp/app/xcf/xcf-load.c:2133:20 #13 0xb13d91 in xcf_load_image /home/ahunt/git/gimp/app/xcf/xcf-load.c:499:15 #14 0xb11deb in xcf_load_stream /home/ahunt/git/gimp/app/xcf/xcf.c:305:19 #15 0x619dfd in LLVMFuzzerTestOneInput /home/ahunt/git/gimp/app/fuzzers/xcf_fuzzer.c:50:17 #16 0x51d364 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 #17 0x506fe2 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6 #18 0x50d350 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9 #19 0x5373a2 in main /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #20 0x7f4e2c84c349 in __libc_start_main (/lib64/libc.so.6+0x24349) SUMMARY: AddressSanitizer: heap-use-after-free /home/ahunt/git/glib/_build/../gobject/gtype.c:4117:26 in g_type_check_instance_cast Shadow bytes around the buggy address: 0x0c2a7fffa1a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2a7fffa1b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2a7fffa1c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2a7fffa1d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2a7fffa1e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c2a7fffa1f0: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd 0x0c2a7fffa200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa 0x0c2a7fffa210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2a7fffa220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c2a7fffa230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c2a7fffa240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==5247==ABORTING ./crash-0507799c3e4291570e060f53332b58b8a96f95e5 (cherry picked from commit fe26086e16943860f3852120f546ce913a7a73ee) # Conflicts: # app/xcf/xcf-load.c diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c index da196bcdb2..41e582719a 100644 | Andrzej Hunt <andrzej@ahunt.org> | no | | | 2024-07-16 |
CVE-2025-48798-2.patch | commit e7523ed41271e48a909011b8598d496c1be642e2 Issue #11822: fix double-free in edge cases of broken XCF. A patch was originally contributed by Andrzej Hunt in #11822 (cf. 0002-xcf-fix-channel-s-reference-counts.patch in the report). The diagnostic of the double PROP_SELECTION issue is right, but not the fix which was over-reffing, hence leaking channels and buffers, in the normal cases, just to avoid double-free in broken edge cases. The other issue is not possible though (unreffing the image's selection when encountering an error in xcf_load_channel()) because we explicitly check if it's the image mask AFAICS. I added a second test which was not double-freeing yet which deserves a bit of stderr messaging: when 2 different channels have PROP_SELECTION set. Relevant text from the commit message originally contributed by Andrzej Hunt is the following (diagnostic and ASAN output still of interest): ---------------- xcf_load_channel creates a new channel using gimp_channel_new. This channel has a floating reference (because GimpChannel is a subclass of GimpItem, and gimp_item_init uses g_object_force_floating()). Next, three different scenarios can occur: - xcf_load_channel_props does nothing, and we either return channel, OR in the error case we g_object_unref (channel) which frees channel. The returned channel is either silently dropped (in the case where it's already been set as the mask), or added to the image using gimp_image_add_channel if not (which sinks the floating reference). - xcf_load_channel_props encounters a single PROP_SELECTION. We create a selection using gimp_selection_new (which again has a floating reference), transfer ownership of the new selection to the image using gimp_image_take_mask(), free the old channel, and finally set channel to point to this new selection. Back in xcf_load_channel, IF we hit the error case, we call g_object_unref (channel), which frees the new selection - but we're still using it as the image's mask, meaning we could eventually hit a use-after-free whenever someone reads the mask. - xcf_load_channel_props encounters 2 PROP_SELECTIONs. After the first PROP_SELECTION, channel is pointing to the image mask, which has reference count == 1 (as explained above). When we hit the second PROP_SELECTION: we create another new selection, followed by calling gimp_image_take_mask() again. gimp_image_take_mask() calls g_object_unref() on the old mask, which frees it - but channel is still pointing to this mask. We then call g_object_unref() on channel, which is effectively a double-free. We fix this by making sure to always ref_sink whatever object is put into channel. gimp_image_take_mask also calls ref_sink, which means we'll now bump the refcount up to 2 when the channel is being used as the image's mask (and drop back to 1 if the mask is replaced, and down to 0 when channel is unref'd). See also ASAN output below from the 2x PROP_SELECTION scenario: ==6381==ERROR: AddressSanitizer: heap-use-after-free on address 0x6150000047d0 at pc 0x7fb5531ef31b bp 0x7ffe81e86cb0 sp 0x7ffe81e86ca8 READ of size 8 at 0x6150000047d0 thread T0 #0 0x7fb5531ef31a in g_type_check_instance_cast /home/ahunt/git/glib/_build/../gobject/gtype.c:4117:26 #1 0xb2346b in xcf_load_channel_props /home/ahunt/git/gimp/app/xcf/xcf-load.c:1742:41 #2 0xb1a3cc in xcf_load_channel /home/ahunt/git/gimp/app/xcf/xcf-load.c:2219:9 #3 0xb147eb in xcf_load_image /home/ahunt/git/gimp/app/xcf/xcf-load.c:653:17 #4 0xb121bb in xcf_load_stream /home/ahunt/git/gimp/app/xcf/xcf.c:305:19 #5 0x619ead in LLVMFuzzerTestOneInput /home/ahunt/git/gimp/app/fuzzers/xcf_fuzzer.c:50:17 #6 0x51d414 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 #7 0x507092 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6 #8 0x50d400 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9 #9 0x537452 in main /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #10 0x7fb551e7c349 in __libc_start_main (/lib64/libc.so.6+0x24349) #11 0x4e0829 in _start /home/abuild/rpmbuild/BUILD/glibc-2.26/csu/../sysdeps/x86_64/start.S:120 0x6150000047d0 is located 336 bytes inside of 504-byte region [0x615000004680,0x615000004878) freed by thread T0 here: #0 0x5e8612 in free /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3 #1 0x7fb552d9ce08 in g_free /home/ahunt/git/glib/_build/../glib/gmem.c:199:3 #2 0x7fb552dc7a6b in g_slice_free1 /home/ahunt/git/glib/_build/../glib/gslice.c:1183:7 #3 0x7fb5531e7b04 in g_type_free_instance /home/ahunt/git/glib/_build/../gobject/gtype.c:2008:5 #4 0x7fb5531bfe3a in g_object_unref /home/ahunt/git/glib/_build/../gobject/gobject.c:3604:11 #5 0xd4d4d4 in gimp_image_take_mask /home/ahunt/git/gimp/app/core/gimpimage.c:3267:5 #6 0xb23438 in xcf_load_channel_props /home/ahunt/git/gimp/app/xcf/xcf-load.c:1739:13 #7 0xb1a3cc in xcf_load_channel /home/ahunt/git/gimp/app/xcf/xcf-load.c:2219:9 #8 0xb147eb in xcf_load_image /home/ahunt/git/gimp/app/xcf/xcf-load.c:653:17 #9 0xb121bb in xcf_load_stream /home/ahunt/git/gimp/app/xcf/xcf.c:305:19 #10 0x619ead in LLVMFuzzerTestOneInput /home/ahunt/git/gimp/app/fuzzers/xcf_fuzzer.c:50:17 #11 0x51d414 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 #12 0x507092 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6 #13 0x50d400 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9 #14 0x537452 in main /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #15 0x7fb551e7c349 in __libc_start_main (/lib64/libc.so.6+0x24349) previously allocated by thread T0 here: #0 0x5e887d in malloc /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3 #1 0x7fb552d9ccf2 in g_malloc /home/ahunt/git/glib/_build/../glib/gmem.c:106:13 #2 0x7fb552dc72e0 in g_slice_alloc /home/ahunt/git/glib/_build/../glib/gslice.c:1072:11 #3 0x7fb552dc78ae in g_slice_alloc0 /home/ahunt/git/glib/_build/../glib/gslice.c:1098:18 #4 0x7fb5531e6e0a in g_type_create_instance
/home/ahunt/git/glib/_build/../gobject/gtype.c:1911:17 #5 0x7fb5531c215e in g_object_new_internal /home/ahunt/git/glib/_build/../gobject/gobject.c:1945:24 #6 0x7fb5531c1d1f in g_object_new_valist /home/ahunt/git/glib/_build/../gobject/gobject.c:2288:16 #7 0x7fb5531c0e8b in g_object_new /home/ahunt/git/glib/_build/../gobject/gobject.c:1788:12 #8 0xdb7260 in gimp_item_new /home/ahunt/git/gimp/app/core/gimpitem.c:722:10 #9 0xce1668 in gimp_drawable_new /home/ahunt/git/gimp/app/core/gimpdrawable.c:1067:14 #10 0xe283e9 in gimp_selection_new /home/ahunt/git/gimp/app/core/gimpselection.c:626:13 #11 0xb2342a in xcf_load_channel_props /home/ahunt/git/gimp/app/xcf/xcf-load.c:1735:15 #12 0xb1a3cc in xcf_load_channel /home/ahunt/git/gimp/app/xcf/xcf-load.c:2219:9 #13 0xb147eb in xcf_load_image /home/ahunt/git/gimp/app/xcf/xcf-load.c:653:17 #14 0xb121bb in xcf_load_stream /home/ahunt/git/gimp/app/xcf/xcf.c:305:19 #15 0x619ead in LLVMFuzzerTestOneInput /home/ahunt/git/gimp/app/fuzzers/xcf_fuzzer.c:50:17 #16 0x51d414 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:599:15 #17 0x507092 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:323:6 #18 0x50d400 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:856:9 #19 0x537452 in main /home/abuild/rpmbuild/BUILD/llvm-12.0.0.src/build/../projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10 #20 0x7fb551e7c349 in __libc_start_main (/lib64/libc.so.6+0x24349) SUMMARY: AddressSanitizer: heap-use-after-free /home/ahunt/git/glib/_build/../gobject/gtype.c:4117:26 in g_type_check_instance_cast Shadow bytes around the buggy address: 0x0c2a7fff88a0: 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 0x0c2a7fff88b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa 0x0c2a7fff88c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2a7fff88d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2a7fff88e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c2a7fff88f0: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd 0x0c2a7fff8900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa 0x0c2a7fff8910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c2a7fff8920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2a7fff8930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c2a7fff8940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==6381==ABORTING ( crash-c35bcae86d35ce7d0cd8ffcb41a470f37354e018 ) diff --git a/app/xcf/xcf-load.c b/app/xcf/xcf-load.c index 1fb0752832..3b1bcc872a 100644 |
Jehan <jehan@girinstud.io> | no | 2024-11-04 | ||
ZDI-CAN-26752.patch | [PATCH] plug-ins: ZDI-CAN-26752 mitigation Resolves #13910 Since ICO can store PNGs, it's possible to create an icon that's much larger than the stated image size and cause a buffer overflow. This patch adds a check to make sure the width * height * 4 calculation does not overflow in addition to making sure it doesn't exceed the maximum allowed size for that icon. |
Alx Sa <cmyk.student@gmail.com> | no | 2025-05-03 | ||
plug-ins-Fix-DDS-vulnerability-ZDI-CAN-22093.patch | plug-ins: Fix DDS vulnerability (ZDI-CAN-22093) Resolves #10069 Currently, the DDS header information for the width, height, and bytes per scan line are read in and assumed to be correct. As these values are used for memory allocation and reading, it would be good to verify they do not exceed the file size. This patch adds a condition after the header is read in to verify those values. If they exceed the file size (minus an offset), the file is not read in and an error message is shown. |
Alx Sa <cmyk.student@gmail.com> | no | debian | https://gitlab.gnome.org/GNOME/gimp/-/commit/7db71cd0b6e36c454aa0d2d3efeec7e636db4dbc | 2023-10-01 |
plug-ins-Fix-DDS-import-regression-from-7db71cd0.patch | plug-ins: Fix DDS import regression from 7db71cd0 @Wormnest pointed out that compressed files are likely smaller than width * height * bps, so our check to prevent ZDI-CAN-22093 also caught valid files. The size check is removed from load_image () and moved to load_layer () before the two fread() functions, as we know exactly how much we'll try to read at that point. (Backport of 8faad92e) |
Alx Sa <cmyk.student@gmail.com> | no | debian | https://gitlab.gnome.org/GNOME/gimp/-/commit/e92f279c97282a2b20dca0d923db7465f2057703 | 2023-10-27 |
plug-ins-Additional-fixes-for-DDS-Import.patch | plug-ins: Additional fixes for DDS Import @Wormnest noted remaining regressions after 8faad92e. The second fread() only runs if the DDSD_PITCH flag is set, so the error handling check should also be conditional. Additionally, the ZDI-CAN-22093 exploit no longer runs but still could cause a plug-in crash. This patch adds an additional check to ensure the buffer size was within bounds. |
Alx Sa <cmyk.student@gmail.com> | no | debian | https://gitlab.gnome.org/GNOME/gimp/-/commit/9dda8139e4d07e3a273436eda993fef32555edbe | 2023-10-28 |
CVE-2025-2760.patch | https://gitlab.gnome.org/GNOME/gimp/-/issues/12790#note_2328950 | no |
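The ICO (ZDI-CAN-26752) and DDS (ZDI-CAN-22093) rows above describe the same defensive pattern: header-declared dimensions must not be trusted until the width * height * bytes-per-pixel product is computed without wrapping, compared against the size the container actually declares, and any later fread() is bounded by what is left of the file. The block below is an added illustration of that pattern, not GIMP's own code; the function names, the constructed sample headers and the limits passed in are assumptions made for the example.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The unchecked form: width * height * 4 evaluated in 32-bit arithmetic.
 * For a hostile header the product wraps, the plug-in allocates a tiny
 * buffer, and the decoder then writes the real image size into it. */
uint32_t unchecked_image_bytes (uint32_t width, uint32_t height)
{
  return width * height * 4u;   /* wraps modulo 2^32 on oversized input */
}

/* Hardened form: compute the product in 64 bits, refuse if it would overflow
 * or exceed max_bytes (e.g. the size the ICO directory entry declares for
 * this icon, or SIZE_MAX for the allocator). Returns true and stores the
 * size on success; false means the header is untrustworthy. */
bool checked_image_bytes (uint32_t width, uint32_t height,
                          uint32_t bytes_per_pixel, uint64_t max_bytes,
                          uint64_t *out_bytes)
{
  uint64_t pixels, bytes;

  if (width == 0 || height == 0 || bytes_per_pixel == 0)
    return false;

  /* Two uint32_t multiply into a uint64_t without overflow; the
   * multiplication by bytes_per_pixel is the one that can wrap, so it is
   * guarded with a division check before it is performed. */
  pixels = (uint64_t) width * height;
  if (pixels > UINT64_MAX / bytes_per_pixel)
    return false;
  bytes = pixels * bytes_per_pixel;
  if (bytes > max_bytes)
    return false;

  *out_bytes = bytes;
  return true;
}

/* Convenience wrapper: 0 means "rejected" (0 is never a valid image size
 * because zero dimensions are rejected above). */
uint64_t image_bytes_or_zero (uint32_t width, uint32_t height,
                              uint32_t bytes_per_pixel, uint64_t max_bytes)
{
  uint64_t bytes = 0;
  return checked_image_bytes (width, height, bytes_per_pixel, max_bytes, &bytes) ? bytes : 0;
}

/* Before an fread() of `want` bytes at `offset`, check the request lies inside
 * a file of `file_size` bytes. This mirrors the DDS follow-up that moved the
 * size check to load_layer(), where the exact read length is known. The
 * subtraction form avoids computing offset + want, which could itself wrap. */
bool read_fits_in_file (uint64_t file_size, uint64_t offset, uint64_t want)
{
  if (offset > file_size)
    return false;
  return want <= file_size - offset;
}

int main (void)
{
  /* Constructed headers (hypothetical values, not from any real file). */
  struct { uint32_t w, h; uint64_t declared; } hdr[] = {
    { 256,   256,   1u << 20 },           /* ordinary 256x256 BGRA icon  */
    { 1000,  1000,  1000     },           /* claims more than it declares */
    { 65536, 65537, UINT64_MAX },         /* 32-bit product wraps to 256 KiB */
  };

  for (size_t i = 0; i < sizeof hdr / sizeof hdr[0]; i++)
    {
      uint64_t safe = image_bytes_or_zero (hdr[i].w, hdr[i].h, 4, hdr[i].declared);
      printf ("%ux%u: unchecked=%" PRIu32 " checked=%" PRIu64 " (%s)\n",
              hdr[i].w, hdr[i].h,
              unchecked_image_bytes (hdr[i].w, hdr[i].h),
              safe, safe ? "accepted" : "rejected");
    }

  printf ("read 10@90 of 100: %s\n", read_fits_in_file (100, 90, 10) ? "ok" : "short");
  printf ("read 11@90 of 100: %s\n", read_fits_in_file (100, 90, 11) ? "ok" : "short");
  return 0;
}
```

The 65536x65537 case is the one worth remembering: the 32-bit product comes out as 262144 bytes, so an unchecked loader would allocate 256 KiB for an image whose decoder writes 16 GiB, which is exactly the ICO-in-PNG scenario the ZDI-CAN-26752 note describes. Pass the container's declared size as max_bytes so that a dimension that merely looks plausible but exceeds what the file can hold is rejected too.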
All known versions for source package 'gimp'
- 3.0.4-6 (sid)
- 3.0.4-4 (forky)
- 3.0.4-3 (trixie)
- 2.10.34-1+deb12u3 (bookworm-security, bookworm)