Relax 8192 pixel dimension limit (ticket 361).
This time hopefully without buffer overflow issues. SVN revision: 41516
This commit is contained in:
parent
02d6b0d451
commit
5619f9e257
|
@ -34,9 +34,6 @@
|
||||||
# define DATA8 unsigned char
|
# define DATA8 unsigned char
|
||||||
# endif
|
# endif
|
||||||
|
|
||||||
/* Maximum image dimension */
|
|
||||||
#define IMLIB_MAX_DIM (2 << 20)
|
|
||||||
|
|
||||||
/* opaque data types */
|
/* opaque data types */
|
||||||
typedef void *Imlib_Context;
|
typedef void *Imlib_Context;
|
||||||
typedef void *Imlib_Image;
|
typedef void *Imlib_Image;
|
||||||
|
|
|
@ -188,4 +188,8 @@ __hidden void __imlib_SaveImage(ImlibImage *im, const char *file,
|
||||||
# define SET_FLAG(flags, f) ((flags) |= (f))
|
# define SET_FLAG(flags, f) ((flags) |= (f))
|
||||||
# define UNSET_FLAG(flags, f) ((flags) &= (~f))
|
# define UNSET_FLAG(flags, f) ((flags) &= (~f))
|
||||||
|
|
||||||
|
# define IMAGE_DIMENSIONS_OK(w, h) \
|
||||||
|
( ((w) > 0) && ((h) > 0) && \
|
||||||
|
((unsigned long long)(w) * (unsigned long long)(w) <= (1ULL << 31) - 1) )
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
|
@ -15,8 +15,9 @@
|
||||||
#include "rend.h"
|
#include "rend.h"
|
||||||
#include "rotate.h"
|
#include "rotate.h"
|
||||||
|
|
||||||
/* Maximum pixmap dimension (65535) */
|
/* The maximum pixmap dimension is 65535. */
|
||||||
#define X_MAX_DIM ((2 << 16) - 1)
|
/* However, for now, use 46340 (46340^2 < 2^31) to avoid buffer overflow issues. */
|
||||||
|
#define X_MAX_DIM 46340
|
||||||
|
|
||||||
/* size of the lines per segment we scale / render at a time */
|
/* size of the lines per segment we scale / render at a time */
|
||||||
#define LINESIZE 16
|
#define LINESIZE 16
|
||||||
|
|
|
@ -36,7 +36,7 @@ load(ImlibImage * im, ImlibProgressFunction progress,
|
||||||
fclose(f);
|
fclose(f);
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
if ((w < 1) || (h < 1) || (w > IMLIB_MAX_DIM) || (h > IMLIB_MAX_DIM))
|
if (!IMAGE_DIMENSIONS_OK(w, h))
|
||||||
{
|
{
|
||||||
fclose(f);
|
fclose(f);
|
||||||
return 0;
|
return 0;
|
||||||
|
|
|
@ -193,7 +193,7 @@ load(ImlibImage * im, ImlibProgressFunction progress,
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((w < 1) || (h < 1) || (w > IMLIB_MAX_DIM) || (h > IMLIB_MAX_DIM))
|
if (!IMAGE_DIMENSIONS_OK(w, h))
|
||||||
{
|
{
|
||||||
fclose(f);
|
fclose(f);
|
||||||
return 0;
|
return 0;
|
||||||
|
|
|
@ -58,8 +58,7 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
|
||||||
}
|
}
|
||||||
w = gif->Image.Width;
|
w = gif->Image.Width;
|
||||||
h = gif->Image.Height;
|
h = gif->Image.Height;
|
||||||
if ((w < 1) || (h < 1) ||
|
if (!IMAGE_DIMENSIONS_OK(w, h))
|
||||||
(w > IMLIB_MAX_DIM) || (h > IMLIB_MAX_DIM))
|
|
||||||
{
|
{
|
||||||
DGifCloseFile(gif);
|
DGifCloseFile(gif);
|
||||||
return 0;
|
return 0;
|
||||||
|
|
|
@ -76,7 +76,7 @@ load(ImlibImage * im, ImlibProgressFunction progress,
|
||||||
{
|
{
|
||||||
im->w = w = cinfo.output_width;
|
im->w = w = cinfo.output_width;
|
||||||
im->h = h = cinfo.output_height;
|
im->h = h = cinfo.output_height;
|
||||||
if ((w < 1) || (h < 1) || (w > IMLIB_MAX_DIM) || (h > IMLIB_MAX_DIM))
|
if (!IMAGE_DIMENSIONS_OK(w, h))
|
||||||
{
|
{
|
||||||
im->w = im->h = 0;
|
im->w = im->h = 0;
|
||||||
jpeg_destroy_decompress(&cinfo);
|
jpeg_destroy_decompress(&cinfo);
|
||||||
|
@ -96,7 +96,7 @@ load(ImlibImage * im, ImlibProgressFunction progress,
|
||||||
im->h = h = cinfo.output_height;
|
im->h = h = cinfo.output_height;
|
||||||
|
|
||||||
if ((cinfo.rec_outbuf_height > 16) || (cinfo.output_components <= 0) ||
|
if ((cinfo.rec_outbuf_height > 16) || (cinfo.output_components <= 0) ||
|
||||||
(w < 1) || (h < 1) || (w > IMLIB_MAX_DIM) || (h > IMLIB_MAX_DIM))
|
!IMAGE_DIMENSIONS_OK(w, h))
|
||||||
{
|
{
|
||||||
im->w = im->h = 0;
|
im->w = im->h = 0;
|
||||||
jpeg_destroy_decompress(&cinfo);
|
jpeg_destroy_decompress(&cinfo);
|
||||||
|
|
|
@ -402,8 +402,7 @@ ILBM ilbm;
|
||||||
|
|
||||||
im->w = L2RWORD(ilbm.bmhd.data);
|
im->w = L2RWORD(ilbm.bmhd.data);
|
||||||
im->h = L2RWORD(ilbm.bmhd.data + 2);
|
im->h = L2RWORD(ilbm.bmhd.data + 2);
|
||||||
if ((im->w < 1) || (im->h < 1) ||
|
if (!IMAGE_DIMENSIONS_OK(im->w, im->h))
|
||||||
(im->w > IMLIB_MAX_DIM) || (im->h > IMLIB_MAX_DIM))
|
|
||||||
{
|
{
|
||||||
ok = 0;
|
ok = 0;
|
||||||
}
|
}
|
||||||
|
|
|
@ -71,7 +71,7 @@ load(ImlibImage * im, ImlibProgressFunction progress,
|
||||||
&interlace_type, NULL, NULL);
|
&interlace_type, NULL, NULL);
|
||||||
im->w = (int)w32;
|
im->w = (int)w32;
|
||||||
im->h = (int)h32;
|
im->h = (int)h32;
|
||||||
if ((w32 < 1) || (h32 < 1) || (w32 > IMLIB_MAX_DIM) || (h32 > IMLIB_MAX_DIM))
|
if (!IMAGE_DIMENSIONS_OK(w32, h32))
|
||||||
{
|
{
|
||||||
png_read_end(png_ptr, info_ptr);
|
png_read_end(png_ptr, info_ptr);
|
||||||
png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp) NULL);
|
png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp) NULL);
|
||||||
|
|
|
@ -103,7 +103,7 @@ load(ImlibImage * im, ImlibProgressFunction progress,
|
||||||
|
|
||||||
im->w = w;
|
im->w = w;
|
||||||
im->h = h;
|
im->h = h;
|
||||||
if ((w < 1) || (h < 1) || (w > IMLIB_MAX_DIM) || (h > IMLIB_MAX_DIM))
|
if (!IMAGE_DIMENSIONS_OK(w, h))
|
||||||
{
|
{
|
||||||
fclose(f);
|
fclose(f);
|
||||||
return 0;
|
return 0;
|
||||||
|
|
|
@ -283,8 +283,7 @@ load(ImlibImage * im, ImlibProgressFunction progress,
|
||||||
im->w = (header->widthHi << 8) | header->widthLo;
|
im->w = (header->widthHi << 8) | header->widthLo;
|
||||||
im->h = (header->heightHi << 8) | header->heightLo;
|
im->h = (header->heightHi << 8) | header->heightLo;
|
||||||
|
|
||||||
if ((im->w < 1) || (im->h < 1) ||
|
if (!IMAGE_DIMENSIONS_OK(im->w, im->h))
|
||||||
(im->w > IMLIB_MAX_DIM) || (im->h > IMLIB_MAX_DIM))
|
|
||||||
{
|
{
|
||||||
munmap(seg, ss.st_size);
|
munmap(seg, ss.st_size);
|
||||||
close(fd);
|
close(fd);
|
||||||
|
|
|
@ -184,8 +184,7 @@ load(ImlibImage * im, ImlibProgressFunction progress,
|
||||||
rgba_image.image = im;
|
rgba_image.image = im;
|
||||||
im->w = width = rgba_image.rgba.width;
|
im->w = width = rgba_image.rgba.width;
|
||||||
im->h = height = rgba_image.rgba.height;
|
im->h = height = rgba_image.rgba.height;
|
||||||
if ((width < 1) || (height < 1) ||
|
if (!IMAGE_DIMENSIONS_OK(width, height))
|
||||||
(width > IMLIB_MAX_DIM) || (height > IMLIB_MAX_DIM))
|
|
||||||
{
|
{
|
||||||
TIFFRGBAImageEnd((TIFFRGBAImage *) & rgba_image);
|
TIFFRGBAImageEnd((TIFFRGBAImage *) & rgba_image);
|
||||||
TIFFClose(tif);
|
TIFFClose(tif);
|
||||||
|
|
|
@ -204,21 +204,11 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
|
||||||
xpm_parse_done();
|
xpm_parse_done();
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
if ((w > IMLIB_MAX_DIM) || (w < 1))
|
if (!IMAGE_DIMENSIONS_OK(w, h))
|
||||||
{
|
{
|
||||||
fprintf(stderr,
|
fprintf(stderr,
|
||||||
"IMLIB ERROR: Image width > %d or < 1 pixels for file\n",
|
"IMLIB ERROR: Invalid image dimension: %dx%d\n",
|
||||||
IMLIB_MAX_DIM);
|
w, h);
|
||||||
free(line);
|
|
||||||
fclose(f);
|
|
||||||
xpm_parse_done();
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
if ((h > IMLIB_MAX_DIM) || (h < 1))
|
|
||||||
{
|
|
||||||
fprintf(stderr,
|
|
||||||
"IMLIB ERROR: Image height > %d or < 1 pixels for file\n",
|
|
||||||
IMLIB_MAX_DIM);
|
|
||||||
free(line);
|
free(line);
|
||||||
fclose(f);
|
fclose(f);
|
||||||
xpm_parse_done();
|
xpm_parse_done();
|
||||||
|
|
Loading…
Reference in New Issue