old
/
legacy-imlib2
3
0
Fork 4
Code Issues 3 Pull Requests Projects Releases Wiki Activity

Make IMAGE_DIMENSIONS_OK() more restrictive 

Prevents invalid reads and unreasonably large memory allocations
with input/queue/id:000210,src:000114,op:int32,pos:3,val:be:+32,+cov:

==20321== Invalid read of size 1
==20321==    at 0x1FCDB16: __imlib_ScaleAARGB (scale.c:1043)
==20321==    by 0x1F9BF81: __imlib_RenderImage (rend.c:409)
==20321==    by 0x1F0F82C: imlib_render_image_part_on_drawable_at_size (api.c:1886)
==20321==    by 0x40CD75: gib_imlib_render_image_part_on_drawable_at_size (gib_imlib.c:231)
==20321==    by 0x42C732: winwidget_render_image (winwidget.c:576)
==20321==    by 0x417ACA: feh_event_handle_keypress (keyevents.c:598)
==20321==    by 0x4190DE: feh_main_iteration (main.c:119)
==20321==    by 0x418F45: main (main.c:82)
==20321==  Address 0x3a12e034 is 12 bytes before a block of size 1,965,846,976 alloc'd
==20321==    at 0x103D293: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
==20321==    by 0x5B3D1F1: load (loader_pnm.c:149)
==20321==    by 0x1F7D70F: __imlib_LoadImage (image.c:1041)
==20321==    by 0x1F090E4: imlib_load_image_with_error_return (api.c:1299)
==20321==    by 0x40F47B: feh_load_image (imlib.c:252)
==20321==    by 0x42CA0E: winwidget_loadimage (winwidget.c:753)
==20321==    by 0x42C918: winwidget_create_from_file (winwidget.c:126)
==20321==    by 0x421869: init_slideshow_mode (slideshow.c:62)
==20321==    by 0x418F13: main (main.c:78)
This commit is contained in:
Fabian Keil 2014-12-03 15:00:48 +01:00 committed by Carsten Haitzler (Rasterman)
parent 1f9b0b3272
commit 143f2993d7
2 changed files with 5 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/lib/image.h
View File

@ -184,8 +184,11 @@ __hidden void __imlib_SaveImage(ImlibImage *im, const char *file,
#define SET_FLAG(flags, f) ((flags) |= (f))
#define UNSET_FLAG(flags, f) ((flags) &= (~f))
/* The maximum pixmap dimension is 65535. */
/* However, for now, use 46340 (46340^2 < 2^31) to avoid buffer overflow issues. */
# define X_MAX_DIM 46340
#define IMAGE_DIMENSIONS_OK(w, h) \
( ((w) > 0) && ((h) > 0) && \
((unsigned long long)(w) * (unsigned long long)(h) <= (1ULL << 29) - 1) )
( ((w) > 0) && ((h) > 0) && ((w) < X_MAX_DIM) && ((h) < X_MAX_DIM) )
#endif

4
src/lib/rend.c
View File

@ -16,10 +16,6 @@
#include "scale.h"
#include "ximage.h"
/* The maximum pixmap dimension is 65535. */
/* However, for now, use 46340 (46340^2 < 2^31) to avoid buffer overflow issues. */
#define X_MAX_DIM 46340
/* size of the lines per segment we scale / render at a time */
#define LINESIZE 16