Harden API and internals against overly large images
Prevents potential integer overflow -> insufficient allocation -> heap overflow scenarios.
parent
7836d83951
commit
633a8667b1
|
@ -1976,7 +1976,7 @@ imlib_create_image(int width, int height)
|
|||
DATA32 *data;
|
||||
|
||||
CHECK_CONTEXT(ctx);
|
||||
if ((width <= 0) || (height <= 0))
|
||||
if (!IMAGE_DIMENSIONS_OK(width, height))
|
||||
return NULL;
|
||||
data = malloc(width * height * sizeof(DATA32));
|
||||
if (data)
|
||||
|
@ -2010,7 +2010,7 @@ imlib_create_image_using_data(int width, int height, DATA32 * data)
|
|||
CHECK_CONTEXT(ctx);
|
||||
CHECK_PARAM_POINTER_RETURN("imlib_create_image_using_data", "data", data,
|
||||
NULL);
|
||||
if ((width <= 0) || (height <= 0))
|
||||
if (!IMAGE_DIMENSIONS_OK(width, height))
|
||||
return NULL;
|
||||
im = __imlib_CreateImage(width, height, data);
|
||||
if (im)
|
||||
|
@ -2039,7 +2039,7 @@ imlib_create_image_using_copied_data(int width, int height, DATA32 * data)
|
|||
CHECK_CONTEXT(ctx);
|
||||
CHECK_PARAM_POINTER_RETURN("imlib_create_image_using_copied_data", "data",
|
||||
data, NULL);
|
||||
if ((width <= 0) || (height <= 0))
|
||||
if (!IMAGE_DIMENSIONS_OK(width, height))
|
||||
return NULL;
|
||||
im = __imlib_CreateImage(width, height, NULL);
|
||||
if (!im)
|
||||
|
@ -2085,6 +2085,8 @@ imlib_create_image_from_drawable(Pixmap mask, int x, int y, int width,
|
|||
char domask = 0;
|
||||
|
||||
CHECK_CONTEXT(ctx);
|
||||
if (!IMAGE_DIMENSIONS_OK(width, height))
|
||||
return NULL;
|
||||
if (mask)
|
||||
{
|
||||
domask = 1;
|
||||
|
@ -2131,6 +2133,8 @@ imlib_create_image_from_ximage(XImage * image, XImage * mask, int x, int y,
|
|||
ImlibImage *im;
|
||||
|
||||
CHECK_CONTEXT(ctx);
|
||||
if (!IMAGE_DIMENSIONS_OK(width, height))
|
||||
return NULL;
|
||||
im = __imlib_CreateImage(width, height, NULL);
|
||||
im->data = malloc(width * height * sizeof(DATA32));
|
||||
__imlib_GrabXImageToRGBA(im->data, 0, 0, width, height,
|
||||
|
@ -2181,6 +2185,10 @@ imlib_create_scaled_image_from_drawable(Pixmap mask, int source_x,
|
|||
Pixmap p, m;
|
||||
|
||||
CHECK_CONTEXT(ctx);
|
||||
if (!IMAGE_DIMENSIONS_OK(source_width, source_height))
|
||||
return NULL;
|
||||
if (!IMAGE_DIMENSIONS_OK(destination_width, destination_height))
|
||||
return NULL;
|
||||
if ((mask) || (get_mask_from_shape))
|
||||
domask = 1;
|
||||
p = XCreatePixmap(ctx->display, ctx->drawable, destination_width,
|
||||
|
@ -2375,6 +2383,10 @@ imlib_clone_image(void)
|
|||
im_old->loader->load(im_old, NULL, 0, 1);
|
||||
if (!(im_old->data))
|
||||
return NULL;
|
||||
/* Note: below check should've ensured by original image allocation,
|
||||
* but better safe than sorry. */
|
||||
if (!IMAGE_DIMENSIONS_OK(im_old->w, im_old->h))
|
||||
return NULL;
|
||||
im = __imlib_CreateImage(im_old->w, im_old->h, NULL);
|
||||
if (!(im))
|
||||
return NULL;
|
||||
|
@ -2423,6 +2435,8 @@ imlib_create_cropped_image(int x, int y, int width, int height)
|
|||
CHECK_CONTEXT(ctx);
|
||||
CHECK_PARAM_POINTER_RETURN("imlib_create_cropped_image", "image",
|
||||
ctx->image, NULL);
|
||||
if (!IMAGE_DIMENSIONS_OK(abs(width), abs(height)))
|
||||
return NULL;
|
||||
CAST_IMAGE(im_old, ctx->image);
|
||||
if ((!(im_old->data)) && (im_old->loader) && (im_old->loader->load))
|
||||
im_old->loader->load(im_old, NULL, 0, 1);
|
||||
|
@ -2479,6 +2493,8 @@ imlib_create_cropped_scaled_image(int source_x, int source_y,
|
|||
CHECK_CONTEXT(ctx);
|
||||
CHECK_PARAM_POINTER_RETURN("imlib_create_cropped_scaled_image", "image",
|
||||
ctx->image, NULL);
|
||||
if (!IMAGE_DIMENSIONS_OK(abs(destination_width), abs(destination_height)))
|
||||
return NULL;
|
||||
CAST_IMAGE(im_old, ctx->image);
|
||||
if ((!(im_old->data)) && (im_old->loader) && (im_old->loader->load))
|
||||
im_old->loader->load(im_old, NULL, 0, 1);
|
||||
|
@ -4681,6 +4697,9 @@ imlib_create_rotated_image(double angle)
|
|||
dx = (int)(cos(angle) * _ROTATE_PREC_MAX);
|
||||
dy = -(int)(sin(angle) * _ROTATE_PREC_MAX);
|
||||
|
||||
if (!IMAGE_DIMENSIONS_OK(sz, sz))
|
||||
return NULL;
|
||||
|
||||
im = __imlib_CreateImage(sz, sz, NULL);
|
||||
im->data = calloc(sz * sz, sizeof(DATA32));
|
||||
if (!(im->data))
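Review bot: In the imlib_create_image_from_ximage hunk the result of `__imlib_CreateImage(width, height, NULL)` is dereferenced on the very next line without a NULL check, and the `malloc` result stored in `im->data` is passed to `__imlib_GrabXImageToRGBA` unchecked, so an allocation failure for a large but permitted image would become a NULL pointer dereference instead of a clean failure. The imlib_create_rotated_image hunk has the same unchecked `im` before `im->data = calloc(...)`. I would add `if (!im) return NULL;` after both calls and, in the ximage path, release `im` and return NULL when `im->data` is NULL. Separately, `abs(width)` / `abs(height)` in the two cropped-image hunks is undefined for INT_MIN; the macro's definition is not in this diff, so whether that value ends up rejected cannot be confirmed here. All of these function bodies continue outside their hunks.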
|
||||
|
|
|
@ -81,10 +81,11 @@ __imlib_render_str(ImlibImage * im, ImlibFont * fn, int drx, int dry,
|
|||
__imlib_font_query_advance(fn, text, &w, NULL);
|
||||
h = __imlib_font_max_ascent_get(fn) - __imlib_font_max_descent_get(fn);
|
||||
|
||||
data = malloc(w * h * sizeof(DATA32));
|
||||
if (!IMAGE_DIMENSIONS_OK(w, h))
|
||||
return;
|
||||
data = calloc(w * h, sizeof(DATA32));
|
||||
if (!data)
|
||||
return;
|
||||
memset(data, 0, w * h * sizeof(DATA32));
|
||||
/* TODO check if this is the right way of rendering. Esp for huge sizes */
|
||||
im2 = __imlib_CreateImage(w, h, data);
|
||||
if (!im2)
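Review bot: `calloc(w * h, sizeof(DATA32))` still multiplies `w * h` in the operands' own type (presumably `int`, going by the `&w` call above) before calloc sees the value, so calloc's built-in overflow check never covers that product and the allocation is only as safe as IMAGE_DIMENSIONS_OK, whose definition is not shown in this diff. Widening the operands, `data = calloc((size_t)w * (size_t)h, sizeof(DATA32));`, keeps the macro as the policy limit while making the size arithmetic safe on its own. A one-line comment above the guard, such as `/* w and h come from font metrics and the text advance; reject before sizing the buffer */`, would also record why the check sits here. The body of __imlib_render_str continues outside the hunk.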
|
||||
|
|
|
@ -580,6 +580,9 @@ __imlib_RenderImageSkewed(Display * d, ImlibImage * im, Drawable w, Drawable m,
|
|||
dy1 = 0;
|
||||
}
|
||||
|
||||
if (!IMAGE_DIMENSIONS_OK(dw, dh))
|
||||
return;
|
||||
|
||||
__imlib_GetContext(d, v, cm, depth);
|
||||
|
||||
back = __imlib_CreateImage(dw, dh, NULL);
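Review bot: The new `return;` after `IMAGE_DIMENSIONS_OK(dw, dh)` fails silently in a function that returns nothing, and nothing at the site explains why the bound is enforced here; a short comment would help, e.g. `/* dw/dh size the 'back' image; refuse oversized requests before allocating */`. The guard precedes `__imlib_CreateImage(dw, dh, NULL)`, whose result handling lies outside the hunk, so it is worth confirming that `back` is tested for NULL before it is used. The function body starts and ends outside the hunk.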
|
||||
|
|