diff --git a/legacy/evas/src/modules/loaders/edb/evas_image_load_edb.c b/legacy/evas/src/modules/loaders/edb/evas_image_load_edb.c index 6c1039ad80..6462fab3ff 100644 --- a/legacy/evas/src/modules/loaders/edb/evas_image_load_edb.c +++ b/legacy/evas/src/modules/loaders/edb/evas_image_load_edb.c @@ -57,14 +57,15 @@ evas_image_load_file_head_edb(RGBA_Image *im, const char *file, const char *key) } w = header[1]; h = header[2]; - alpha = header[3]; - compression = header[4]; - if ((w > 8192) || (h > 8192)) + if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192)) { free(ret); e_db_close(db); return 0; } + alpha = header[3]; + compression = header[4]; + if ((compression == 0) && (size < ((w * h * 4) + 32))) { free(ret); @@ -127,14 +128,16 @@ evas_image_load_file_data_edb(RGBA_Image *im, const char *file, const char *key) } w = header[1]; h = header[2]; - alpha = header[3]; - compression = header[4]; - if ((w > 8192) || (h > 8192)) + if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192)) { free(ret); e_db_close(db); return 0; } + + alpha = header[3]; + compression = header[4]; + if ((compression == 0) && (size < ((w * h * 4) + 32))) { free(ret); diff --git a/legacy/evas/src/modules/loaders/eet/evas_image_load_eet.c b/legacy/evas/src/modules/loaders/eet/evas_image_load_eet.c index a88b60604d..4c99d02277 100644 --- a/legacy/evas/src/modules/loaders/eet/evas_image_load_eet.c +++ b/legacy/evas/src/modules/loaders/eet/evas_image_load_eet.c @@ -32,7 +32,7 @@ evas_image_load_file_head_eet(RGBA_Image *im, const char *file, const char *key) eet_close(ef); return 0; } - if ((w > 8192) || (h > 8192)) + if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192)) { eet_close(ef); return 0; @@ -71,7 +71,7 @@ evas_image_load_file_data_eet(RGBA_Image *im, const char *file, const char *key) eet_close(ef); return 0; } - if ((w > 8192) || (h > 8192)) + if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192)) { free(body); eet_close(ef); diff --git a/legacy/evas/src/modules/loaders/gif/evas_image_load_gif.c b/legacy/evas/src/modules/loaders/gif/evas_image_load_gif.c index 2bb99a408f..197bf30cb0 100644 --- a/legacy/evas/src/modules/loaders/gif/evas_image_load_gif.c +++ b/legacy/evas/src/modules/loaders/gif/evas_image_load_gif.c @@ -67,13 +67,18 @@ evas_image_load_file_head_gif(RGBA_Image *im, const char *file, const char *key) } w = gif->Image.Width; h = gif->Image.Height; - done = 1; + if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192)) + { + DGifCloseFile(gif); + return 0; + } + done = 1; } else if (rec == EXTENSION_RECORD_TYPE) { int ext_code; GifByteType *ext; - + ext = NULL; DGifGetExtension(gif, &ext_code, &ext); while (ext) diff --git a/legacy/evas/src/modules/loaders/jpeg/evas_image_load_jpeg.c b/legacy/evas/src/modules/loaders/jpeg/evas_image_load_jpeg.c index 846a6cf674..8f43352588 100644 --- a/legacy/evas/src/modules/loaders/jpeg/evas_image_load_jpeg.c +++ b/legacy/evas/src/modules/loaders/jpeg/evas_image_load_jpeg.c @@ -101,6 +101,11 @@ evas_image_load_file_head_jpeg_internal(RGBA_Image *im, FILE *f) } w = cinfo.output_width; h = cinfo.output_height; + if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192)) + { + jpeg_destroy_decompress(&cinfo); + return 0; + } if (im->load_opts.scale_down_by > 1) { w /= im->load_opts.scale_down_by; diff --git a/legacy/evas/src/modules/loaders/png/evas_image_load_png.c b/legacy/evas/src/modules/loaders/png/evas_image_load_png.c index 276c6aeae8..41f7f36fd7 100644 --- a/legacy/evas/src/modules/loaders/png/evas_image_load_png.c +++ b/legacy/evas/src/modules/loaders/png/evas_image_load_png.c @@ -71,6 +71,12 @@ evas_image_load_file_head_png(RGBA_Image *im, const char *file, const char *key) png_get_IHDR(png_ptr, info_ptr, (png_uint_32 *) (&w32), (png_uint_32 *) (&h32), &bit_depth, &color_type, &interlace_type, NULL, NULL); + if ((w32 < 1) || (h32 < 1) || (w32 > 8192) || (h32 > 8192)) + { + png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp) NULL); + fclose(f); + return 0; + } if (!im->image) im->image = evas_common_image_surface_new(im); if (!im->image) @@ -152,8 +158,12 @@ evas_image_load_file_data_png(RGBA_Image *im, const char *file, const char *key) png_get_IHDR(png_ptr, info_ptr, (png_uint_32 *) (&w32), (png_uint_32 *) (&h32), &bit_depth, &color_type, &interlace_type, NULL, NULL); - im->image->w = (int) w32; - im->image->h = (int) h32; + if ((w32 != im->image->w) || (h32 != im->image->h)) + { + png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp) NULL); + fclose(f); + return 0; + } if (color_type == PNG_COLOR_TYPE_PALETTE) png_set_expand(png_ptr); if (info_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA) hasa = 1; if (info_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA) diff --git a/legacy/evas/src/modules/loaders/svg/evas_image_load_svg.c b/legacy/evas/src/modules/loaders/svg/evas_image_load_svg.c index 71512249ec..19c8157610 100644 --- a/legacy/evas/src/modules/loaders/svg/evas_image_load_svg.c +++ b/legacy/evas/src/modules/loaders/svg/evas_image_load_svg.c @@ -73,6 +73,12 @@ evas_image_load_file_head_svg(RGBA_Image *im, const char *file, const char *key) rsvg_handle_get_dimensions(rsvg, &dim); w = dim.width; h = dim.height; + if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192)) + { + rsvg_handle_free(rsvg); + chdir(pcwd); + return 0; + } if (im->load_opts.scale_down_by > 1) { w /= im->load_opts.scale_down_by; @@ -143,6 +149,12 @@ evas_image_load_file_data_svg(RGBA_Image *im, const char *file, const char *key) rsvg_handle_get_dimensions(rsvg, &dim); w = dim.width; h = dim.height; + if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192)) + { + rsvg_handle_free(rsvg); + chdir(pcwd); + return 0; + } if (im->load_opts.scale_down_by > 1) { w /= im->load_opts.scale_down_by; diff --git a/legacy/evas/src/modules/loaders/tiff/evas_image_load_tiff.c b/legacy/evas/src/modules/loaders/tiff/evas_image_load_tiff.c index 48e257f67a..d7505ca9f2 100644 --- a/legacy/evas/src/modules/loaders/tiff/evas_image_load_tiff.c +++ b/legacy/evas/src/modules/loaders/tiff/evas_image_load_tiff.c @@ -66,11 +66,11 @@ static void raster(TIFFRGBAImage_Extra * img, uint32 * rast, uint32 x, uint32 y, uint32 w, uint32 h) { - uint32 image_width, image_height; + int image_width, image_height; uint32 *pixel, pixel_value; int i, j, dy, rast_offset; DATA32 *buffer_pixel, *buffer = img->image->image->data; - int alpha_premult = (EXTRASAMPLE_UNASSALPHA==img->rgba.alpha); + int alpha_premult; image_width = img->image->image->w; image_height = img->image->image->h; @@ -82,6 +82,8 @@ raster(TIFFRGBAImage_Extra * img, uint32 * rast, /* I don't understand why, but that seems to be what's going on. */ /* libtiff needs better docs! */ + if (img->rgba.alpha == EXTRASAMPLE_UNASSALPHA) + alpha_premult = 1; for (i = y, rast_offset = 0; i > dy; i--, rast_offset--) { pixel = rast + (rast_offset * image_width); @@ -166,6 +168,12 @@ evas_image_load_file_head_tiff(RGBA_Image *im, const char *file, const char *key } if (tiff_image.alpha != EXTRASAMPLE_UNSPECIFIED) im->flags |= RGBA_IMAGE_HAS_ALPHA; + if ((tiff_image.width < 1) || (tiff_image.height < 1) || + (tiff_image.width > 8192) || (tiff_image.height > 8192)) + { + TIFFClose(tif); + return 0; + } im->image->w = tiff_image.width; im->image->h = tiff_image.height; @@ -235,6 +243,12 @@ evas_image_load_file_data_tiff(RGBA_Image *im, const char *file, const char *key } if (rgba_image.rgba.alpha != EXTRASAMPLE_UNSPECIFIED) im->flags |= RGBA_IMAGE_HAS_ALPHA; + if ((rgba_image.rgba.width != im->image->w) || + (rgba_image.rgba.height != im->image->h)) + { + TIFFClose(tif); + return 0; + } im->image->w = rgba_image.rgba.width; im->image->h = rgba_image.rgba.height; rgba_image.num_pixels = num_pixels = im->image->w * im->image->h; diff --git a/legacy/evas/src/modules/loaders/xpm/evas_image_load_xpm.c b/legacy/evas/src/modules/loaders/xpm/evas_image_load_xpm.c index c8bbfb5a72..6ed0fbbad5 100644 --- a/legacy/evas/src/modules/loaders/xpm/evas_image_load_xpm.c +++ b/legacy/evas/src/modules/loaders/xpm/evas_image_load_xpm.c @@ -213,19 +213,19 @@ evas_image_load_file_xpm(RGBA_Image *im, const char *file, const char *key, int xpm_parse_done(); return 0; } - if ((w > 32767) || (w < 1)) + if ((w > 8192) || (w < 1)) { fprintf(stderr, - "XPM ERROR: Image width > 32767 or < 1 pixels for file\n"); + "XPM ERROR: Image width > 8192 or < 1 pixels for file\n"); free(line); fclose(f); xpm_parse_done(); return 0; } - if ((h > 32767) || (h < 1)) + if ((h > 8192) || (h < 1)) { fprintf(stderr, - "XPM ERROR: Image height > 32767 or < 1 pixels for file\n"); + "XPM ERROR: Image height > 8192 or < 1 pixels for file\n"); free(line); fclose(f); xpm_parse_done(); diff --git a/legacy/evas/src/modules/savers/tiff/evas_image_save_tiff.c b/legacy/evas/src/modules/savers/tiff/evas_image_save_tiff.c index 59a42b1ab4..7e6dd1cbbf 100644 --- a/legacy/evas/src/modules/savers/tiff/evas_image_save_tiff.c +++ b/legacy/evas/src/modules/savers/tiff/evas_image_save_tiff.c @@ -49,8 +49,9 @@ save_image_tiff(RGBA_Image *im, const char *file, int compress, int interlace) if (has_alpha) { + uint16 extras[] = { EXTRASAMPLE_ASSOCALPHA }; TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, 4); - TIFFSetField(tif, TIFFTAG_EXTRASAMPLES, EXTRASAMPLE_ASSOCALPHA); + TIFFSetField(tif, TIFFTAG_EXTRASAMPLES, 1, extras); } else {