From c855d1df60ebaf5ef8d02807d448eb088f147a2b Mon Sep 17 00:00:00 2001
From: Alx Sa
Date: Sat, 3 May 2025 14:13:46 +0000
Subject: [PATCH] plug-ins: ZDI-CAN-26752 mitigation

Resolves #13910
Since ICO can store PNGs, it's possible to create an icon that's much larger than the stated image size and cause a buffer overflow. This patch adds a check to make sure the width * height * 4 calculation does not overflow in addition to making sure it doesn't exceed the maximum allowed size for that icon.
---
 plug-ins/file-ico/ico-load.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/plug-ins/file-ico/ico-load.c b/plug-ins/file-ico/ico-load.c
index 9a222998bc1..818cf23cd31 100644
--- a/plug-ins/file-ico/ico-load.c
+++ b/plug-ins/file-ico/ico-load.c
@@ -299,7 +299,11 @@ ico_read_png (FILE *fp,
 png_read_info (png_ptr, info);
 png_get_IHDR (png_ptr, info, &w, &h, &bit_depth, &color_type, NULL, NULL, NULL);
- if (w*h*4 > maxsize)
+ /* Check for overflow */
+ if ((w * h * 4) < w ||
+ (w * h * 4) < h ||
+ (w * h * 4) < (w * h) ||
+ (w * h * 4) > maxsize)
 {
 png_destroy_read_struct (&png_ptr, &info, NULL);
 return FALSE;
-- 
GitLab
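Review bot: The three `<` comparisons added ahead of the `maxsize` test do not reliably detect wraparound of `w * h * 4`: a product that has wrapped modulo the integer width can still be larger than `w`, `h` and `w * h`, so some oversized PNG dimensions would pass all four conditions. A division-based bound avoids forming the product at all, for example `if (h == 0 || w > maxsize / 4 / h)`. The declarations of `w`, `h` and `maxsize` are outside this hunk, so the operand types, and any signed/unsigned mixing in that comparison, need confirming against the full function. The body of ico_read_png starts and ends outside the hunk.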