authorYuriy M. Kaminskiy <yumkam@gmail.com>2016-04-06 03:34:01 +0300
committerKim Woelders <kim@woelders.dk>2016-04-09 14:54:46 +0200
commit7eba2e4c8ac0e20838947f10f29d0efe1add8227 (patch)
tree580f442a850af59b723b628d259f9d685f059c2c
parentc94d83ccab15d5ef02f88d42dce38ed3f0892882 (diff)
Fix integer overflow resulting in insufficient heap allocation
IMAGE_DIMENSIONS_OK ensures that image width and height are less than 46340, so that maximum number of pixels is ~2**31. Unfortunately, there is a lot of code that allocates image data with something like malloc(w * h * sizeof(DATA32)); Obviously, on 32-bit machines this results in integer overflow, insufficient heap allocation, with [massive] out-of-bounds heap overwrite. Either X_MAX should be reduced to 32767, or (w)*(h) should be checked to not exceed ULONG_MAX/sizeof(DATA32). Security implications: *) for 32-bit machines: insufficient heap allocation and heap overwrite in many image loaders, with escalation potential to remote code execution; *) for 64-bit machines: it seems, no impact.
-rw-r--r--src/lib/image.h3
1 files changed, 2 insertions, 1 deletions
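--- a/src/lib/image.h
+++ b/src/lib/image.h
@@ -188,7 +188,8 @@ void __imlib_SaveImage(ImlibImage * im, const char *file,
 
 /* The maximum pixmap dimension is 65535. */
 /* However, for now, use 46340 (46340^2 < 2^31) to avoid buffer overflow issues. */
-#define X_MAX_DIM 46340
+/* Reduced further to 32767, so that (w * h * sizeof(DATA32)) won't exceed ULONG_MAX */
+#define X_MAX_DIM 32767
 
 #define IMAGE_DIMENSIONS_OK(w, h) \
  ( ((w) > 0) && ((h) > 0) && ((w) < X_MAX_DIM) && ((h) < X_MAX_DIM) )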
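Review bot: The new `X_MAX_DIM` keeps `w * h * sizeof(DATA32)` below 2^32 only if the product is evaluated in an unsigned type of at least 32 bits and the element is 4 bytes, and nothing in this hunk enforces either. A call site outside this hunk that computes the byte count in `int` (for example `w * h * 4`) or uses a wider per-pixel element would presumably still overflow for dimensions that pass `IMAGE_DIMENSIONS_OK`, so the allocation sites are worth auditing. The invariant could be stated in the macro itself by adding `&& ((size_t)(w) <= SIZE_MAX / sizeof(DATA32) / (size_t)(h))`, assuming `DATA32` and `SIZE_MAX` are visible in this header. The added comment should also name `SIZE_MAX` rather than `ULONG_MAX`, since the limit that matters is malloc's `size_t` argument, and the comment line above it still gives the rationale for the old value 46340.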