gbr/pat: Fix out of boundary read on illegal names

The file formats GBR and PAT contain names which are supposed to be
NUL-terminated within the files. If no such terminating NUL byte
exists, the parsers of GBR and PAT trigger an out of boundary read
during utf-8 conversion.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

app/core/gimpbrush-load.c

@@ -248,7 +248,7 @@ gimp_brush_load_brush (GimpContext   *context,
           return NULL;
         }
 
-      utf8 = gimp_any_to_utf8 (name, -1,
+      utf8 = gimp_any_to_utf8 (name, bn_size - 1,
                                _("Invalid UTF-8 string in brush file '%s'."),
                                gimp_file_get_utf8_name (file));
       g_free (name);

app/core/gimppattern-load.c

@@ -119,7 +119,7 @@ gimp_pattern_load (GimpContext   *context,
           goto error;
         }
 
-      utf8 = gimp_any_to_utf8 (name, -1,
+      utf8 = gimp_any_to_utf8 (name, bn_size - 1,
                                _("Invalid UTF-8 string in pattern file '%s'."),
                                gimp_file_get_utf8_name (file));
       g_free (name);

plug-ins/common/file-gbr.c

@@ -474,7 +474,7 @@ load_image (GFile   *file,
           return -1;
         }
 
-      name = gimp_any_to_utf8 (temp, -1,
+      name = gimp_any_to_utf8 (temp, size - 1,
                                _("Invalid UTF-8 string in brush file '%s'."),
                                g_file_get_parse_name (file));
       g_free (temp);

plug-ins/common/file-pat.c

@@ -376,7 +376,7 @@ load_image (GFile   *file,
       return -1;
     }
 
-  name = gimp_any_to_utf8 (temp, -1,
+  name = gimp_any_to_utf8 (temp, ph.header_size - sizeof (PatternHeader) - 1,
                            _("Invalid UTF-8 string in pattern file '%s'."),
                            g_file_get_parse_name (file));
   g_free (temp);