Loading pkgs/by-name/fr/freeimage/CVE-2020-24292.patch 0 → 100644 +13 −0 Original line number Diff line number Diff line diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginICO.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginICO.cpp --- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginICO.cpp 2023-09-28 19:34:45.524031668 +0200 +++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginICO.cpp 2023-09-28 19:34:47.717009813 +0200 @@ -301,6 +301,9 @@ LoadStandardIcon(FreeImageIO *io, fi_han int width = bmih.biWidth; int height = bmih.biHeight / 2; // height == xor + and mask unsigned bit_count = bmih.biBitCount; + if (bit_count != 1 && bit_count != 2 && bit_count != 4 && bit_count != 8 && bit_count != 16 && bit_count != 24 && bit_count != 32) { + return NULL; + } unsigned line = CalculateLine(width, bit_count); unsigned pitch = CalculatePitch(line); pkgs/by-name/fr/freeimage/CVE-2020-24293.patch 0 → 100644 +14 −0 Original line number Diff line number Diff line diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PSDParser.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PSDParser.cpp --- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PSDParser.cpp 2023-09-28 19:34:47.287014100 +0200 +++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PSDParser.cpp 2023-09-28 19:34:47.832008666 +0200 
@@ -780,6 +780,10 @@ int psdThumbnail::Read(FreeImageIO *io, FreeImage_Unload(_dib); } + if (_WidthBytes != _Width * _BitPerPixel / 8) { + throw "Invalid PSD image"; + } + if(_Format == 1) { // kJpegRGB thumbnail image _dib = FreeImage_LoadFromHandle(FIF_JPEG, io, handle); pkgs/by-name/fr/freeimage/CVE-2020-24295.patch 0 → 100644 +21 −0 Original line number Diff line number Diff line diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PSDParser.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PSDParser.cpp --- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PSDParser.cpp 2023-09-28 19:34:47.936007630 +0200 +++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PSDParser.cpp 2023-09-28 19:34:47.940007590 +0200 @@ -1466,6 +1466,7 @@ FIBITMAP* psdParser::ReadImageData(FreeI const unsigned dstBpp = (depth == 1) ? 1 : FreeImage_GetBPP(bitmap)/8; const unsigned dstLineSize = FreeImage_GetPitch(bitmap); BYTE* const dst_first_line = FreeImage_GetScanLine(bitmap, nHeight - 1);//<*** flipped + const unsigned dst_buffer_size = dstLineSize * nHeight; BYTE* line_start = new BYTE[lineSize]; //< fileline cache 
@@ -1481,6 +1482,9 @@ FIBITMAP* psdParser::ReadImageData(FreeI const unsigned channelOffset = GetChannelOffset(bitmap, c) * bytes; BYTE* dst_line_start = dst_first_line + channelOffset; + if (channelOffset + lineSize > dst_buffer_size) { + throw "Invalid PSD image"; + } for(unsigned h = 0; h < nHeight; ++h, dst_line_start -= dstLineSize) {//<*** flipped io->read_proc(line_start, lineSize, 1, handle); ReadImageLine(dst_line_start, line_start, lineSize, dstBpp, bytes); pkgs/by-name/fr/freeimage/CVE-2021-33367.patch 0 → 100644 +19 −0 Original line number Diff line number Diff line diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/Metadata/Exif.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/Metadata/Exif.cpp --- freeimage-svn-r1909-FreeImage-trunk/Source/Metadata/Exif.cpp 2023-09-28 19:34:45.003036859 +0200 +++ freeimage-svn-r1909-FreeImage-trunk-new/Source/Metadata/Exif.cpp 2023-09-28 19:34:47.505011926 +0200 @@ -770,8 +770,13 @@ jpeg_read_exif_dir(FIBITMAP *dib, const // const WORD entriesCount0th = ReadUint16(msb_order, ifd0th); - - DWORD next_offset = ReadUint32(msb_order, DIR_ENTRY_ADDR(ifd0th, entriesCount0th)); + + const BYTE* de_addr = DIR_ENTRY_ADDR(ifd0th, entriesCount0th); + if(de_addr+4 >= (BYTE*)(dwLength + ifd0th - tiffp)) { + return TRUE; //< no thumbnail + } + + DWORD next_offset = ReadUint32(msb_order, de_addr); if((next_offset == 0) || (next_offset >= dwLength)) { return TRUE; //< no thumbnail } pkgs/by-name/fr/freeimage/CVE-2021-40263.patch 0 → 100644 +15 −0 Original line number Diff line number Diff line diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp --- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp 2023-09-28 19:34:47.713009853 +0200 +++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp 2023-09-28 19:34:48.043006563 +0200 
@@ -2142,6 +2142,11 @@ Load(FreeImageIO *io, fi_handle handle, uint32_t tileRowSize = (uint32_t)TIFFTileRowSize(tif); uint32_t imageRowSize = (uint32_t)TIFFScanlineSize(tif); + if (width / tileWidth * tileRowSize * 8 > bitspersample * samplesperpixel * width) { + free(tileBuffer); + throw "Corrupted tiled TIFF file"; + } + // In the tiff file the lines are saved from up to down // In a DIB the lines must be saved from down to up Loading
pkgs/by-name/fr/freeimage/CVE-2020-24292.patch 0 → 100644 +13 −0 Original line number Diff line number Diff line
diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginICO.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginICO.cpp
--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginICO.cpp 2023-09-28 19:34:45.524031668 +0200
+++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginICO.cpp 2023-09-28 19:34:47.717009813 +0200
@@ -301,6 +301,9 @@ LoadStandardIcon(FreeImageIO *io, fi_han
 int width = bmih.biWidth;
 int height = bmih.biHeight / 2; // height == xor + and mask
 unsigned bit_count = bmih.biBitCount;
+ if (bit_count != 1 && bit_count != 2 && bit_count != 4 && bit_count != 8 && bit_count != 16 && bit_count != 24 && bit_count != 32) {
+ return NULL;
+ }
 unsigned line = CalculateLine(width, bit_count);
 unsigned pitch = CalculatePitch(line);
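Review bot: `width` and `height` are still taken straight from `bmih.biWidth` and `bmih.biHeight` as signed ints and passed to `CalculateLine(width, bit_count)` right after the new bit-depth check, so nothing visible in this hunk rejects a zero or negative dimension. If no earlier validation exists outside the hunk, the guard should cover the dimensions as well, for example `if (width <= 0 || height <= 0) { return NULL; }` next to the `bit_count` test. The list of accepted depths would also read more easily as a `switch` with a one-line comment saying the value comes from the untrusted icon header. LoadStandardIcon starts and ends outside the hunk.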
pkgs/by-name/fr/freeimage/CVE-2020-24293.patch 0 → 100644 +14 −0 Original line number Diff line number Diff line
diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PSDParser.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PSDParser.cpp
--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PSDParser.cpp 2023-09-28 19:34:47.287014100 +0200
+++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PSDParser.cpp 2023-09-28 19:34:47.832008666 +0200
@@ -780,6 +780,10 @@ int psdThumbnail::Read(FreeImageIO *io,
 FreeImage_Unload(_dib);
 }
+ if (_WidthBytes != _Width * _BitPerPixel / 8) {
+ throw "Invalid PSD image";
+ }
+
 if(_Format == 1) { // kJpegRGB thumbnail image
 _dib = FreeImage_LoadFromHandle(FIF_JPEG, io, handle);
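Review bot: The new `throw` exits right after `FreeImage_Unload(_dib)` in the context lines above it, and nothing visible resets `_dib`, so the object may be left holding a pointer to a freed bitmap that a destructor or a later `Read` could unload again; adding `_dib = NULL;` after the unload would close that. The test also multiplies `_Width * _BitPerPixel` in what appears to be plain int arithmetic on file-supplied fields, which can wrap before the division. The exact-equality form additionally rejects any thumbnail whose row size is padded to a 4-byte boundary, which the PSD thumbnail resource allows as far as I recall (confirm against the format description). A one-line comment stating which later read the `_WidthBytes` check protects would help the next maintainer. psdThumbnail::Read starts and ends outside the hunk.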
pkgs/by-name/fr/freeimage/CVE-2020-24295.patch 0 → 100644 +21 −0 Original line number Diff line number Diff line
diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PSDParser.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PSDParser.cpp
--- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PSDParser.cpp 2023-09-28 19:34:47.936007630 +0200
+++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PSDParser.cpp 2023-09-28 19:34:47.940007590 +0200
@@ -1466,6 +1466,7 @@ FIBITMAP* psdParser::ReadImageData(FreeI
 const unsigned dstBpp = (depth == 1) ? 1 : FreeImage_GetBPP(bitmap)/8;
 const unsigned dstLineSize = FreeImage_GetPitch(bitmap);
 BYTE* const dst_first_line = FreeImage_GetScanLine(bitmap, nHeight - 1);//<*** flipped
+ const unsigned dst_buffer_size = dstLineSize * nHeight;
 BYTE* line_start = new BYTE[lineSize]; //< fileline cache
@@ -1481,6 +1482,9 @@ FIBITMAP* psdParser::ReadImageData(FreeI
 const unsigned channelOffset = GetChannelOffset(bitmap, c) * bytes;
 BYTE* dst_line_start = dst_first_line + channelOffset;
+ if (channelOffset + lineSize > dst_buffer_size) {
+ throw "Invalid PSD image";
+ }
 for(unsigned h = 0; h < nHeight; ++h, dst_line_start -= dstLineSize) {//<*** flipped
 io->read_proc(line_start, lineSize, 1, handle);
 ReadImageLine(dst_line_start, line_start, lineSize, dstBpp, bytes);
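Review bot: The guard added in the second hunk compares `channelOffset + lineSize` with the size of the whole bitmap (`dstLineSize * nHeight`), while each loop iteration writes into a single row starting at `dst_first_line + channelOffset`, and the first row written is scanline `nHeight - 1`. If that scanline is the last row in memory, a line that overruns one row still passes the check and can run past the end of the buffer, so the bound should be expressed against `dstLineSize` and the number of bytes `ReadImageLine` really writes (not visible here). Both `dstLineSize * nHeight` in the first hunk and the sum in the guard are unsigned int arithmetic on file-derived values and can wrap; `const size_t dst_buffer_size = (size_t)dstLineSize * nHeight;` would at least remove the wrap on 64-bit builds. The `throw` also leaves `line_start` (`new BYTE[lineSize]`) unreleased unless a handler outside the hunk frees it. ReadImageData starts and ends outside both hunks.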
pkgs/by-name/fr/freeimage/CVE-2021-33367.patch 0 → 100644 +19 −0 Original line number Diff line number Diff line
diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/Metadata/Exif.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/Metadata/Exif.cpp
--- freeimage-svn-r1909-FreeImage-trunk/Source/Metadata/Exif.cpp 2023-09-28 19:34:45.003036859 +0200
+++ freeimage-svn-r1909-FreeImage-trunk-new/Source/Metadata/Exif.cpp 2023-09-28 19:34:47.505011926 +0200
@@ -770,8 +770,13 @@ jpeg_read_exif_dir(FIBITMAP *dib, const
 //
 const WORD entriesCount0th = ReadUint16(msb_order, ifd0th);
-
- DWORD next_offset = ReadUint32(msb_order, DIR_ENTRY_ADDR(ifd0th, entriesCount0th));
+
+ const BYTE* de_addr = DIR_ENTRY_ADDR(ifd0th, entriesCount0th);
+ if(de_addr+4 >= (BYTE*)(dwLength + ifd0th - tiffp)) {
+ return TRUE; //< no thumbnail
+ }
+
+ DWORD next_offset = ReadUint32(msb_order, de_addr);
 if((next_offset == 0) || (next_offset >= dwLength)) {
 return TRUE; //< no thumbnail
 }
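Review bot: The bound in the added check is built as `(BYTE*)(dwLength + ifd0th - tiffp)`, which, if `ifd0th` and `tiffp` are both byte pointers, evaluates to an integer offset cast to a pointer rather than to the end of the buffer. In that case `de_addr+4 >= ...` is true for practically any real address, so the function returns before a thumbnail is ever read and the out-of-bounds read is avoided only by disabling the feature. Comparing offsets keeps the check meaningful without forming pointers from integers, assuming `dwLength` is the length of the data starting at `tiffp`: `if ((size_t)(de_addr - tiffp) + 4 > dwLength) { return TRUE; }`. Because `entriesCount0th` comes from the file, validating it against `dwLength` before `DIR_ENTRY_ADDR` computes the address would be safer still. jpeg_read_exif_dir starts and ends outside the hunk.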
pkgs/by-name/fr/freeimage/CVE-2021-40263.patch 0 → 100644 +15 −0 Original line number Diff line number Diff line diff -rupN --no-dereference freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp --- freeimage-svn-r1909-FreeImage-trunk/Source/FreeImage/PluginTIFF.cpp 2023-09-28 19:34:47.713009853 +0200 +++ freeimage-svn-r1909-FreeImage-trunk-new/Source/FreeImage/PluginTIFF.cpp 2023-09-28 19:34:48.043006563 +0200 @@ -2142,6 +2142,11 @@ Load(FreeImageIO *io, fi_handle handle, uint32_t tileRowSize = (uint32_t)TIFFTileRowSize(tif); uint32_t imageRowSize = (uint32_t)TIFFScanlineSize(tif); + if (width / tileWidth * tileRowSize * 8 > bitspersample * samplesperpixel * width) { + free(tileBuffer); + throw "Corrupted tiled TIFF file"; + } + // In the tiff file the lines are saved from up to down // In a DIB the lines must be saved from down to up
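Review bot: `width / tileWidth` in the added comparison is an integer division, so for an image narrower than one tile the left-hand side is 0 and the check can never fire, and a `tileWidth` of 0 would divide by zero unless it is rejected before this hunk. The products on both sides also appear to be 32-bit arithmetic on file-supplied values and can wrap. If the intent is that one tile row holds no more bits than `tileWidth` pixels need, a per-tile form avoids both problems: `if (tileWidth == 0 || (uint64_t)tileRowSize * 8 > (uint64_t)bitspersample * samplesperpixel * tileWidth) {`. Load starts and ends outside the hunk, so whether other buffers besides `tileBuffer` need releasing before the `throw` cannot be judged from here.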