forked from old/legacy-imlib2
Make IMAGE_DIMENSIONS_OK() more restrictive
Prevents invalid reads and unreasonably large memory allocations with input/queue/id:000210,src:000114,op:int32,pos:3,val:be:+32,+cov: ==20321== Invalid read of size 1 ==20321== at 0x1FCDB16: __imlib_ScaleAARGB (scale.c:1043) ==20321== by 0x1F9BF81: __imlib_RenderImage (rend.c:409) ==20321== by 0x1F0F82C: imlib_render_image_part_on_drawable_at_size (api.c:1886) ==20321== by 0x40CD75: gib_imlib_render_image_part_on_drawable_at_size (gib_imlib.c:231) ==20321== by 0x42C732: winwidget_render_image (winwidget.c:576) ==20321== by 0x417ACA: feh_event_handle_keypress (keyevents.c:598) ==20321== by 0x4190DE: feh_main_iteration (main.c:119) ==20321== by 0x418F45: main (main.c:82) ==20321== Address 0x3a12e034 is 12 bytes before a block of size 1,965,846,976 alloc'd ==20321== at 0x103D293: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so) ==20321== by 0x5B3D1F1: load (loader_pnm.c:149) ==20321== by 0x1F7D70F: __imlib_LoadImage (image.c:1041) ==20321== by 0x1F090E4: imlib_load_image_with_error_return (api.c:1299) ==20321== by 0x40F47B: feh_load_image (imlib.c:252) ==20321== by 0x42CA0E: winwidget_loadimage (winwidget.c:753) ==20321== by 0x42C918: winwidget_create_from_file (winwidget.c:126) ==20321== by 0x421869: init_slideshow_mode (slideshow.c:62) ==20321== by 0x418F13: main (main.c:78)
This commit is contained in:
parent
1f9b0b3272
commit
143f2993d7
|
@ -184,8 +184,11 @@ __hidden void __imlib_SaveImage(ImlibImage *im, const char *file,
|
|||
#define SET_FLAG(flags, f) ((flags) |= (f))
|
||||
#define UNSET_FLAG(flags, f) ((flags) &= (~f))
|
||||
|
||||
/* The maximum pixmap dimension is 65535. */
|
||||
/* However, for now, use 46340 (46340^2 < 2^31) to avoid buffer overflow issues. */
|
||||
# define X_MAX_DIM 46340
|
||||
|
||||
#define IMAGE_DIMENSIONS_OK(w, h) \
|
||||
( ((w) > 0) && ((h) > 0) && \
|
||||
((unsigned long long)(w) * (unsigned long long)(h) <= (1ULL << 29) - 1) )
|
||||
( ((w) > 0) && ((h) > 0) && ((w) < X_MAX_DIM) && ((h) < X_MAX_DIM) )
|
||||
|
||||
#endif
|
||||
|
|
|
@ -16,10 +16,6 @@
|
|||
#include "scale.h"
|
||||
#include "ximage.h"
|
||||
|
||||
/* The maximum pixmap dimension is 65535. */
|
||||
/* However, for now, use 46340 (46340^2 < 2^31) to avoid buffer overflow issues. */
|
||||
#define X_MAX_DIM 46340
|
||||
|
||||
/* size of the lines per segment we scale / render at a time */
|
||||
#define LINESIZE 16
|
||||
|
||||
|
|
Loading…
Reference in New Issue