mirror of https://github.com/GNOME/gimp.git
6d804bf9ae
...XCF channel and layer properties
The properties PROP_ACTIVE_LAYER, PROP_FLOATING_SELECTION,
PROP_ACTIVE_CHANNEL saves the current object pointer the @info
structure. Others like PROP_SELECTION (for channel) and
PROP_GROUP_ITEM (for layer) will delete the current object and create
a new object, leaving the pointers in @info invalid (dangling).
Therefore, if a property from the first type will come before the
second, the result will be an UaF in the last lines of xcf_load_image
(when it actually using the pointers from @info).
I wasn't able to exploit this bug because that
g_object_instance->c_class gets cleared by the last g_object_unref and
GIMP_IS_{LAYER,CHANNEL} detects that and return FALSE.
|
||
|---|---|---|
| .. | ||
| .gitignore | ||
| Makefile.am | ||
| xcf-load.c | ||
| xcf-load.h | ||
| xcf-private.h | ||
| xcf-read.c | ||
| xcf-read.h | ||
| xcf-save.c | ||
| xcf-save.h | ||
| xcf-seek.c | ||
| xcf-seek.h | ||
| xcf-write.c | ||
| xcf-write.h | ||
| xcf.c | ||
| xcf.h | ||