From 143f2993d7ccb73b26bb83abac6fa86f443981f9 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Wed, 3 Dec 2014 15:00:48 +0100
Subject: [PATCH] Make IMAGE_DIMENSIONS_OK() more restrictive
Prevents invalid reads and unreasonably large memory allocations with input/queue/id:000210,src:000114,op:int32,pos:3,val:be:+32,+cov:
==20321== Invalid read of size 1
==20321== at 0x1FCDB16: __imlib_ScaleAARGB (scale.c:1043)
==20321== by 0x1F9BF81: __imlib_RenderImage (rend.c:409)
==20321== by 0x1F0F82C: imlib_render_image_part_on_drawable_at_size (api.c:1886)
==20321== by 0x40CD75: gib_imlib_render_image_part_on_drawable_at_size (gib_imlib.c:231)
==20321== by 0x42C732: winwidget_render_image (winwidget.c:576)
==20321== by 0x417ACA: feh_event_handle_keypress (keyevents.c:598)
==20321== by 0x4190DE: feh_main_iteration (main.c:119)
==20321== by 0x418F45: main (main.c:82)
==20321== Address 0x3a12e034 is 12 bytes before a block of size 1,965,846,976 alloc'd
==20321== at 0x103D293: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
==20321== by 0x5B3D1F1: load (loader_pnm.c:149)
==20321== by 0x1F7D70F: __imlib_LoadImage (image.c:1041)
==20321== by 0x1F090E4: imlib_load_image_with_error_return (api.c:1299)
==20321== by 0x40F47B: feh_load_image (imlib.c:252)
==20321== by 0x42CA0E: winwidget_loadimage (winwidget.c:753)
==20321== by 0x42C918: winwidget_create_from_file (winwidget.c:126)
==20321== by 0x421869: init_slideshow_mode (slideshow.c:62)
==20321== by 0x418F13: main (main.c:78)
---
 src/lib/image.h | 7 +++++--
 src/lib/rend.c | 4 ----
 2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/src/lib/image.h b/src/lib/image.h
index da82576..0175e94 100644
--- a/src/lib/image.h
+++ b/src/lib/image.h
@@ -184,8 +184,11 @@ __hidden void __imlib_SaveImage(ImlibImage *im, const char *file,
 #define SET_FLAG(flags, f) ((flags) |= (f))
 #define UNSET_FLAG(flags, f) ((flags) &= (~f))
+/* The maximum pixmap dimension is 65535. */
+/* However, for now, use 46340 (46340^2 < 2^31) to avoid buffer overflow issues. */
+# define X_MAX_DIM 46340
+
 #define IMAGE_DIMENSIONS_OK(w, h) \
- ( ((w) > 0) && ((h) > 0) && \
- ((unsigned long long)(w) * (unsigned long long)(h) <= (1ULL << 29) - 1) )
+ ( ((w) > 0) && ((h) > 0) && ((w) < X_MAX_DIM) && ((h) < X_MAX_DIM) )
 #endif
diff --git a/src/lib/rend.c b/src/lib/rend.c
index 2d7934b..44be783 100644
--- a/src/lib/rend.c
+++ b/src/lib/rend.c
@@ -16,10 +16,6 @@
 #include "scale.h"
 #include "ximage.h"
-/* The maximum pixmap dimension is 65535. */
-/* However, for now, use 46340 (46340^2 < 2^31) to avoid buffer overflow issues. */
-#define X_MAX_DIM 46340
-
 /* size of the lines per segment we scale / render at a time */
 #define LINESIZE 16
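Review bot: In src/lib/image.h the rewritten `IMAGE_DIMENSIONS_OK(w, h)` drops the area bound, so it now accepts up to about 46339 × 46339 ≈ 2^31 pixels, four times the `(1ULL << 29) - 1` ceiling the removed lines enforced. The comment's `46340^2 < 2^31` holds for a pixel count only; if callers multiply by a 4-byte pixel size (the loaders are outside this diff, so this is presumed), the byte count can exceed 2^32 and wrap where it is computed in `int` or a 32-bit `size_t`. Consider keeping both limits: append `&& ((unsigned long long)(w) * (unsigned long long)(h) <= (1ULL << 29) - 1)` after the two `X_MAX_DIM` comparisons. The comment above `X_MAX_DIM` should also say that the per-dimension cap bounds pixel count, not allocation size.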