1 diff -Nru imlib-1.9.15.orig/Imlib/load.c imlib-1.9.15/Imlib/load.c
2 --- imlib-1.9.15.orig/Imlib/load.c 2004-12-23 23:50:22.820521823 +0100
3 +++ imlib-1.9.15/Imlib/load.c 2004-12-23 23:50:36.549790030 +0100
4 @@ -4,6 +4,8 @@
5 #include "Imlib_private.h"
6 #include <setjmp.h>
7
8 +#define G_MAXINT ((int) 0x7fffffff)
9 +
10 /* Split the ID - damages input */
11
12 static char *
13 @@ -41,13 +43,17 @@
14
15 /*
16 * Make sure we don't wrap on our memory allocations
17 + * we check G_MAXINT/4 because rend.c malloc's w * h * bpp
18 + * + 3 is safety margin
19 */
20
21 void * _imlib_malloc_image(unsigned int w, unsigned int h)
22 {
23 - if( w > 32767 || h > 32767)
24 - return NULL;
25 - return malloc(w * h * 3);
26 + if (w <= 0 || w > 32767 ||
27 + h <= 0 || h > 32767 ||
28 + h >= (G_MAXINT/4 - 1) / w)
29 + return NULL;
30 + return malloc(w * h * 3 + 3);
31 }
32
33 #ifdef HAVE_LIBJPEG
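Review bot: The `w <= 0` and `h <= 0` tests in `_imlib_malloc_image` compare `unsigned int` parameters, so they can only match zero; a negative value passed by a caller arrives as a large unsigned number and is caught by the `> 32767` test instead. Writing `w == 0` and `h == 0` says that directly. The comment's "+ 3 is safety margin" does not name the code that touches bytes past `w * h * 3`, which a maintainer needs in order to judge whether three bytes are enough. `_gdk_malloc_image` in gdk_imlib/misc.c has the same tests, and its comment spells the macro `G_MAX_INT` while the code uses `G_MAXINT`.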
34 @@ -360,7 +366,9 @@
35 npix = ww * hh;
36 *w = (int)ww;
37 *h = (int)hh;
38 - if(ww > 32767 || hh > 32767)
39 + if (ww <= 0 || ww > 32767 ||
40 + hh <= 0 || hh > 32767 ||
41 + hh >= (G_MAXINT/sizeof(uint32)) / ww)
42 {
43 TIFFClose(tif);
44 return NULL;
45 @@ -463,7 +471,7 @@
46 }
47 *w = gif->Image.Width;
48 *h = gif->Image.Height;
49 - if (*h > 32767 || *w > 32767)
50 + if (*h <= 0 || *h > 32767 || *w <= 0 || *w > 32767)
51 {
52 return NULL;
53 }
54 @@ -1000,7 +1008,12 @@
55 comment = 0;
56 quote = 0;
57 context = 0;
58 + memset(lookup, 0, sizeof(lookup));
59 +
60 line = malloc(lsz);
61 + if (!line)
62 + return NULL;
63 +
64 while (!done)
65 {
66 pc = c;
67 @@ -1029,25 +1042,25 @@
68 {
69 /* Header */
70 sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp);
71 - if (ncolors > 32766)
72 + if (ncolors <= 0 || ncolors > 32766)
73 {
74 fprintf(stderr, "IMLIB ERROR: XPM files wth colors > 32766 not supported\n");
75 free(line);
76 return NULL;
77 }
78 - if (cpp > 5)
79 + if (cpp <= 0 || cpp > 5)
80 {
81 fprintf(stderr, "IMLIB ERROR: XPM files with characters per pixel > 5 not supported\n");
82 free(line);
83 return NULL;
84 }
85 - if (*w > 32767)
86 + if (*w <= 0 || *w > 32767)
87 {
88 fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n");
89 free(line);
90 return NULL;
91 }
92 - if (*h > 32767)
93 + if (*h <= 0 || *h > 32767)
94 {
95 fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n");
96 free(line);
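Review bot: The return value of `sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp)` is still ignored, so a header line with fewer than four numbers leaves some of the values unassigned and the new `<= 0` tests run on whatever they held before; whether they are initialised is not visible in this hunk. Testing `sscanf(...) != 4` and taking the same `free(line); return NULL;` path as the other header errors closes that gap. The same unchecked call appears in the header hunks of Imlib/utils.c, gdk_imlib/io-xpm.c and gdk_imlib/utils.c, and as `sscanf(s, "%i %i", w, h)` in the PPM hunks of load.c and gdk_imlib/io-ppm.c. The error messages also still say only "> 32766" or "> 32767" when the value was rejected for being zero or negative.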
97 @@ -1080,11 +1093,13 @@
98 {
99 int slen;
100 int hascolor, iscolor;
101 + int space;
102
103 iscolor = 0;
104 hascolor = 0;
105 tok[0] = 0;
106 col[0] = 0;
107 + space = sizeof(col) - 1;
108 s[0] = 0;
109 len = strlen(line);
110 strncpy(cmap[j].str, line, cpp);
111 @@ -1107,10 +1122,10 @@
112 {
113 if (k >= len)
114 {
115 - if (col[0])
116 - strcat(col, " ");
117 - if (strlen(col) + strlen(s) < sizeof(col))
118 - strcat(col, s);
119 + if (col[0] && space > 0)
120 + strcat(col, " "), space -= 1;
121 + if (slen <= space)
122 + strcat(col, s), space -= slen;
123 }
124 if (col[0])
125 {
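Review bot: The comma-operator bodies such as `strcat(col, " "), space -= 1;` under an unbraced `if` are easy to misread and easy to break when a line is added; a braced body, `{ strcat(col, s); space -= slen; }`, keeps the copy and the bookkeeping visibly together. The bound now depends on `slen` matching the current contents of `s`, and the assignment to `slen` is outside this hunk, whereas the removed code called `strlen(s)` at the point of use, so it is worth confirming that `slen` is refreshed before this branch. The same pattern is in the next load.c hunk and in both gdk_imlib/io-xpm.c hunks, where one site uses `strncat` and the others `strcat`.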
126 @@ -1140,14 +1155,17 @@
127 }
128 }
129 }
130 - strcpy(tok, s);
131 + if (slen < sizeof(tok));
132 + strcpy(tok, s);
133 col[0] = 0;
134 + space = sizeof(col) - 1;
135 }
136 else
137 {
138 - if (col[0])
139 - strcat(col, " ");
140 - strcat(col, s);
141 + if (col[0] && space > 0)
142 + strcat(col, " "), space -=1;
143 + if (slen <= space)
144 + strcat(col, s), space -= slen;
145 }
146 }
147 }
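Review bot: The added line `if (slen < sizeof(tok));` ends in a semicolon, so the `if` controls an empty statement and `strcpy(tok, s);` on the next line still runs unconditionally; the length check on `tok` has no effect in this file. The line should read `if (slen < sizeof(tok))`, as the matching hunk in gdk_imlib/io-xpm.c does. Once the guard works, an over-long `s` leaves `tok` holding the previous keyword, so resetting it with `tok[0] = 0;` in that case may be clearer, though that depends on parsing code outside the hunk. `slen` is an `int` compared against a `size_t`, which is harmless for a `strlen` result but reads better with `slen` declared as `size_t`.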
148 @@ -1376,12 +1394,12 @@
149 sscanf(s, "%i %i", w, h);
150 a = *w;
151 b = *h;
152 - if (a > 32767)
153 + if (a <= 0 || a > 32767)
154 {
155 fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n");
156 return NULL;
157 }
158 - if (b > 32767)
159 + if (b <= 0 || b > 32767)
160 {
161 fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n");
162 return NULL;
163 diff -Nru imlib-1.9.15.orig/Imlib/utils.c imlib-1.9.15/Imlib/utils.c
164 --- imlib-1.9.15.orig/Imlib/utils.c 2004-12-23 23:50:22.824519281 +0100
165 +++ imlib-1.9.15/Imlib/utils.c 2004-12-23 23:50:36.553787487 +0100
166 @@ -1496,36 +1496,56 @@
167 context = 0;
168 ptr = NULL;
169 end = NULL;
170 + memset(lookup, 0, sizeof(lookup));
171
172 while (!done)
173 {
174 line = data[count++];
175 + if (!line)
176 + break;
177 + line = strdup(line);
178 + if (!line)
179 + break;
180 + len = strlen(line);
181 + for (i = 0; i < len; ++i)
182 + {
183 + c = line[i];
184 + if (c < 32)
185 + line[i] = 32;
186 + else if (c > 127)
187 + line[i] = 127;
188 + }
189 +
190 if (context == 0)
191 {
192 /* Header */
193 sscanf(line, "%i %i %i %i", &w, &h, &ncolors, &cpp);
194 - if (ncolors > 32766)
195 + if (ncolors <= 0 || ncolors > 32766)
196 {
197 fprintf(stderr, "IMLIB ERROR: XPM data wth colors > 32766 not supported\n");
198 free(im);
199 + free(line);
200 return NULL;
201 }
202 - if (cpp > 5)
203 + if (cpp <= 0 || cpp > 5)
204 {
205 fprintf(stderr, "IMLIB ERROR: XPM data with characters per pixel > 5 not supported\n");
206 free(im);
207 + free(line);
208 return NULL;
209 }
210 - if (w > 32767)
211 + if (w <= 0 || w > 32767)
212 {
213 fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for data\n");
214 free(im);
215 + free(line);
216 return NULL;
217 }
218 - if (h > 32767)
219 + if (h <= 0 || h > 32767)
220 {
221 fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for data\n");
222 free(im);
223 + free(line);
224 return NULL;
225 }
226 cmap = malloc(sizeof(struct _cmap) * ncolors);
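Review bot: Both new `break` statements (for a NULL entry in `data` and for a failed `strdup`) leave the `while (!done)` loop instead of returning, so execution appears to continue on the normal completion path with a partly built image; the post-loop code is only partly visible in this patch. Treating both cases as errors, releasing what has been allocated so far and returning NULL as the header checks do, would avoid handing back incomplete data. In the sanitising loop, `else if (c > 127)` never matches where plain `char` is signed, because `line[i]` is then negative for high bytes and takes the `c < 32` branch, so the replacement byte differs by platform. The loop also reuses the function-scope `i` and `len`, declared outside the hunk; if either carries state between iterations it is overwritten here. gdk_imlib/utils.c receives the identical change.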
227 @@ -1533,6 +1553,7 @@
228 if (!cmap)
229 {
230 free(im);
231 + free(line);
232 return NULL;
233 }
234 im->rgb_width = w;
235 @@ -1542,6 +1563,7 @@
236 {
237 free(cmap);
238 free(im);
239 + free(line);
240 return NULL;
241 }
242 im->alpha_data = NULL;
243 @@ -1817,6 +1839,7 @@
244 }
245 if ((ptr) && ((ptr - im->rgb_data) >= w * h * 3))
246 done = 1;
247 + free(line);
248 }
249 if (!transp)
250 {
251 diff -Nru imlib-1.9.15.orig/gdk_imlib/io-gif.c imlib-1.9.15/gdk_imlib/io-gif.c
252 --- imlib-1.9.15.orig/gdk_imlib/io-gif.c 2004-12-23 23:50:22.863494493 +0100
253 +++ imlib-1.9.15/gdk_imlib/io-gif.c 2004-12-23 23:50:36.554786852 +0100
254 @@ -55,7 +55,7 @@
255 }
256 *w = gif->Image.Width;
257 *h = gif->Image.Height;
258 - if(*h > 32767 || *w > 32767)
259 + if(*h <= 0 || *h > 32767 || *w <= 0 || *w > 32767)
260 {
261 return NULL;
262 }
263 diff -Nru imlib-1.9.15.orig/gdk_imlib/io-ppm.c imlib-1.9.15/gdk_imlib/io-ppm.c
264 --- imlib-1.9.15.orig/gdk_imlib/io-ppm.c 2004-12-23 23:50:22.864493857 +0100
265 +++ imlib-1.9.15/gdk_imlib/io-ppm.c 2004-12-23 23:50:36.556785581 +0100
266 @@ -53,12 +53,12 @@
267 sscanf(s, "%i %i", w, h);
268 a = *w;
269 b = *h;
270 - if (a > 32767)
271 + if (a <= 0 || a > 32767)
272 {
273 fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for file\n");
274 return NULL;
275 }
276 - if (b > 32767)
277 + if (b <= 0 || b > 32767)
278 {
279 fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for file\n");
280 return NULL;
281 diff -Nru imlib-1.9.15.orig/gdk_imlib/io-tiff.c imlib-1.9.15/gdk_imlib/io-tiff.c
282 --- imlib-1.9.15.orig/gdk_imlib/io-tiff.c 2004-12-23 23:50:22.864493857 +0100
283 +++ imlib-1.9.15/gdk_imlib/io-tiff.c 2004-12-23 23:50:36.557784945 +0100
284 @@ -36,7 +36,9 @@
285 npix = ww * hh;
286 *w = (int)ww;
287 *h = (int)hh;
288 - if(ww > 32767 || hh > 32767)
289 + if (ww <= 0 || ww > 32767 ||
290 + hh <= 0 || hh > 32767 ||
291 + hh >= (G_MAXINT/sizeof(uint32)) / ww)
292 {
293 TIFFClose(tif);
294 return NULL;
295 diff -Nru imlib-1.9.15.orig/gdk_imlib/io-xpm.c imlib-1.9.15/gdk_imlib/io-xpm.c
296 --- imlib-1.9.15.orig/gdk_imlib/io-xpm.c 2004-12-23 23:50:22.864493857 +0100
297 +++ imlib-1.9.15/gdk_imlib/io-xpm.c 2004-12-23 23:50:36.558784309 +0100
298 @@ -40,8 +40,12 @@
299 context = 0;
300 i = j = 0;
301 cmap = NULL;
302 + memset(lookup, 0, sizeof(lookup));
303
304 line = malloc(lsz);
305 + if (!line)
306 + return NULL;
307 +
308 while (!done)
309 {
310 pc = c;
311 @@ -70,25 +74,25 @@
312 {
313 /* Header */
314 sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp);
315 - if (ncolors > 32766)
316 + if (ncolors <= 0 || ncolors > 32766)
317 {
318 fprintf(stderr, "gdk_imlib ERROR: XPM files wth colors > 32766 not supported\n");
319 free(line);
320 return NULL;
321 }
322 - if (cpp > 5)
323 + if (cpp <= 0 || cpp > 5)
324 {
325 fprintf(stderr, "gdk_imlib ERROR: XPM files with characters per pixel > 5 not supported\n");
326 free(line);
327 return NULL;
328 }
329 - if (*w > 32767)
330 + if (*w <= 0 || *w > 32767)
331 {
332 fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for file\n");
333 free(line);
334 return NULL;
335 }
336 - if (*h > 32767)
337 + if (*h <= 0 || *h > 32767)
338 {
339 fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for file\n");
340 free(line);
341 @@ -120,11 +124,13 @@
342 {
343 int slen;
344 int hascolor, iscolor;
345 + int space;
346
347 hascolor = 0;
348 iscolor = 0;
349 tok[0] = 0;
350 col[0] = 0;
351 + space = sizeof(col) - 1;
352 s[0] = 0;
353 len = strlen(line);
354 strncpy(cmap[j].str, line, cpp);
355 @@ -147,10 +153,10 @@
356 {
357 if (k >= len)
358 {
359 - if (col[0])
360 - strcat(col, " ");
361 - if (strlen(col) + strlen(s) < sizeof(col))
362 - strcat(col, s);
363 + if (col[0] && space > 0)
364 + strncat(col, " ", space), space -= 1;
365 + if (slen <= space)
366 + strcat(col, s), space -= slen;
367 }
368 if (col[0])
369 {
370 @@ -180,14 +186,17 @@
371 }
372 }
373 }
374 - strcpy(tok, s);
375 + if (slen < sizeof(tok))
376 + strcpy(tok, s);
377 col[0] = 0;
378 + space = sizeof(col) - 1;
379 }
380 else
381 {
382 - if (col[0])
383 - strcat(col, " ");
384 - strcat(col, s);
385 + if (col[0] && space > 0)
386 + strcat(col, " "), space -= 1;
387 + if (slen <= space)
388 + strcat(col, s), space -= slen;
389 }
390 }
391 }
392 diff -Nru imlib-1.9.15.orig/gdk_imlib/misc.c imlib-1.9.15/gdk_imlib/misc.c
393 --- imlib-1.9.15.orig/gdk_imlib/misc.c 2004-12-23 23:50:22.866492586 +0100
394 +++ imlib-1.9.15/gdk_imlib/misc.c 2004-12-23 23:50:36.560783038 +0100
395 @@ -1355,11 +1355,16 @@
396
397 /*
398 * Make sure we don't wrap on our memory allocations
399 + * we check G_MAX_INT/4 because rend.c malloc's w * h * bpp
400 + * + 3 is safety margin
401 */
402
403 void *_gdk_malloc_image(unsigned int w, unsigned int h)
404 {
405 - if( w > 32767 || h > 32767)
406 + if (w <= 0 || w > 32767 ||
407 + h <= 0 || h > 32767 ||
408 + h >= (G_MAXINT/4 - 1) / w)
409 return NULL;
410 - return malloc(w * h * 3);
411 + return malloc(w * h * 3 + 3);
412 }
413 +
414 diff -Nru imlib-1.9.15.orig/gdk_imlib/utils.c imlib-1.9.15/gdk_imlib/utils.c
415 --- imlib-1.9.15.orig/gdk_imlib/utils.c 2004-12-23 23:50:22.869490679 +0100
416 +++ imlib-1.9.15/gdk_imlib/utils.c 2004-12-23 23:50:36.563781131 +0100
417 @@ -1236,36 +1236,56 @@
418 context = 0;
419 ptr = NULL;
420 end = NULL;
421 + memset(lookup, 0, sizeof(lookup));
422
423 while (!done)
424 {
425 line = data[count++];
426 + if (!line)
427 + break;
428 + line = strdup(line);
429 + if (!line)
430 + break;
431 + len = strlen(line);
432 + for (i = 0; i < len; ++i)
433 + {
434 + c = line[i];
435 + if (c < 32)
436 + line[i] = 32;
437 + else if (c > 127)
438 + line[i] = 127;
439 + }
440 +
441 if (context == 0)
442 {
443 /* Header */
444 sscanf(line, "%i %i %i %i", &w, &h, &ncolors, &cpp);
445 - if (ncolors > 32766)
446 + if (ncolors <= 0 || ncolors > 32766)
447 {
448 fprintf(stderr, "gdk_imlib ERROR: XPM data wth colors > 32766 not supported\n");
449 free(im);
450 + free(line);
451 return NULL;
452 }
453 - if (cpp > 5)
454 + if (cpp <= 0 || cpp > 5)
455 {
456 fprintf(stderr, "gdk_imlib ERROR: XPM data with characters per pixel > 5 not supported\n");
457 free(im);
458 + free(line);
459 return NULL;
460 }
461 - if (w > 32767)
462 + if (w <= 0 || w > 32767)
463 {
464 fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for data\n");
465 free(im);
466 + free(line);
467 return NULL;
468 }
469 - if (h > 32767)
470 + if (h <= 0 || h > 32767)
471 {
472 fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for data\n");
473 free(im);
474 + free(line);
475 return NULL;
476 }
477 cmap = malloc(sizeof(struct _cmap) * ncolors);
478 @@ -1273,6 +1293,7 @@
479 if (!cmap)
480 {
481 free(im);
482 + free(line);
483 return NULL;
484 }
485 im->rgb_width = w;
486 @@ -1282,6 +1303,7 @@
487 {
488 free(cmap);
489 free(im);
490 + free(line);
491 return NULL;
492 }
493 im->alpha_data = NULL;
494 @@ -1355,7 +1377,7 @@
495 strcpy(col + colptr, " ");
496 colptr++;
497 }
498 - if (colptr + ls <= sizeof(col))
499 + if (colptr + ls < sizeof(col))
500 {
501 strcpy(col + colptr, s);
502 colptr += ls;
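Review bot: This patch tightens `colptr + ls <= sizeof(col)` to `<` only in gdk_imlib/utils.c; the Imlib/utils.c hunks earlier in the patch contain no matching change, so if that file has the same test it keeps the one-byte overrun of `col` by the terminating NUL. The `strcpy(col + colptr, " ")` in the context lines just above also writes two bytes, and its guard is outside the hunk, so it is worth checking that it uses the same strict bound.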
503 @@ -1558,6 +1580,7 @@
504 }
505 if ((ptr) && ((ptr - im->rgb_data) >= w * h * 3))
506 done = 1;
507 + free(line);
508 }
509 if (!transp)
510 {