aports/community/gimp/CVE-2017-17786-1.patch

From ef9c821fff8b637a2178eab1c78cae6764c50e12 Mon Sep 17 00:00:00 2001
From: Jehan <jehan@girinstud.io>
Date: Wed, 20 Dec 2017 13:02:38 +0100
Subject: Bug 739134 - (CVE-2017-17786) Out of bounds read / heap overflow
 in...
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

... TGA importer.

Be more thorough on valid TGA RGB and RGBA images.
In particular current TGA plug-in can import RGBA as 32 bits (8 bits per
channel) and 16 bits (5 bits per color channel and 1 bit for alpha), and
RGB as 15 and 24 bits.
Maybe there exist more variants, but if they do exist, we simply don't
support them yet.

Thanks to Hanno Böck for the report and a first patch attempt.

(cherry picked from commit 674b62ad45b6579ec6d7923dc3cb1ef4e8b5498b)
---
 plug-ins/common/file-tga.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/plug-ins/common/file-tga.c b/plug-ins/common/file-tga.c
index aef9870..426acc2 100644
--- a/plug-ins/common/file-tga.c
+++ b/plug-ins/common/file-tga.c
@@ -564,12 +564,16 @@ load_image (const gchar  *filename,
           }
         break;
       case TGA_TYPE_COLOR:
-        if (info.bpp != 15 && info.bpp != 16 &&
-            info.bpp != 24 && info.bpp != 32)
+        if ((info.bpp != 15 && info.bpp != 16 &&
+             info.bpp != 24 && info.bpp != 32)      ||
+            ((info.bpp == 15 || info.bpp == 24) &&
+             info.alphaBits != 0)                   ||
+            (info.bpp == 16 && info.alphaBits != 1) ||
+            (info.bpp == 32 && info.alphaBits != 8))
           {
-            g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u)",
+            g_message ("Unhandled sub-format in '%s' (type = %u, bpp = %u, alpha = %u)",
                        gimp_filename_to_utf8 (filename),
-                       info.imageType, info.bpp);
+                       info.imageType, info.bpp, info.alphaBits);
             return -1;
           }
         break;
-- 
cgit v0.12