From bdc0b127e5690d3daedeb69f5b49c11ab698a61d Mon Sep 17 00:00:00 2001
From: Carsten Haitzler
Date: Sun, 5 Nov 2006 04:58:06 +0000
Subject: [PATCH] fix width and height checks in case of buffer overflow.
SVN revision: 26953
---
 src/modules/loaders/loader_argb.c | 5 +++++
 src/modules/loaders/loader_gif.c | 5 +++++
 src/modules/loaders/loader_jpeg.c | 6 ++++++
 src/modules/loaders/loader_lbm.c | 5 ++++-
 src/modules/loaders/loader_png.c | 7 +++++++
 src/modules/loaders/loader_pnm.c | 7 ++++++-
 src/modules/loaders/loader_tga.c | 3 +--
 src/modules/loaders/loader_tiff.c | 15 ++++++++++++---
 src/modules/loaders/loader_xpm.c | 8 ++++----
 9 files changed, 50 insertions(+), 11 deletions(-)
diff --git a/src/modules/loaders/loader_argb.c b/src/modules/loaders/loader_argb.c
index baeb11a..16ec62f 100644
--- a/src/modules/loaders/loader_argb.c
+++ b/src/modules/loaders/loader_argb.c
@@ -47,6 +47,11 @@ load(ImlibImage * im, ImlibProgressFunction progress,
 fclose(f);
 return 0;
 }
+ if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192))
+ {
+ fclose(f);
+ return 0;
+ }
 im->w = w;
 im->h = h;
 if (!im->format)
diff --git a/src/modules/loaders/loader_gif.c b/src/modules/loaders/loader_gif.c
index a664275..0041a1c 100644
--- a/src/modules/loaders/loader_gif.c
+++ b/src/modules/loaders/loader_gif.c
@@ -72,6 +72,11 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
 }
 w = gif->Image.Width;
 h = gif->Image.Height;
+ if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192))
+ {
+ DGifCloseFile(gif);
+ return 0;
+ }
 rows = malloc(h * sizeof(GifRowType *));
 if (!rows)
 {
diff --git a/src/modules/loaders/loader_jpeg.c b/src/modules/loaders/loader_jpeg.c
index 9f333fa..dab91b4 100644
--- a/src/modules/loaders/loader_jpeg.c
+++ b/src/modules/loaders/loader_jpeg.c
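Review bot: The limit 8192 is a bare literal in the check added to loader_argb.c, `if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192))`, and the same test is repeated by hand in the gif, jpeg, lbm, png, pnm, tga, tiff and xpm hunks of this patch. One macro shared by the loaders, for example `#define IMAGE_DIMENSIONS_OK(w, h) (((w) > 0) && ((h) > 0) && ((w) <= 8192) && ((h) <= 8192))`, would keep the nine copies from drifting apart when the limit is revisited. A short comment should also say why 8192 was chosen; presumably it keeps w * h * 4 bytes inside a signed int, since the pixel buffer size is computed from these values outside the hunk. load() starts and ends outside the hunk.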
@@ -92,6 +92,12 @@ load(ImlibImage * im, ImlibProgressFunction progress,
 {
 im->w = w = cinfo.output_width;
 im->h = h = cinfo.output_height;
+ if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192))
+ {
+ jpeg_destroy_decompress(&cinfo);
+ fclose(f);
+ return 0;
+ }
 UNSET_FLAG(im->flags, F_HAS_ALPHA);
 im->format = strdup("jpeg");
 }
diff --git a/src/modules/loaders/loader_lbm.c b/src/modules/loaders/loader_lbm.c
index 13ad7de..656d91b 100644
--- a/src/modules/loaders/loader_lbm.c
+++ b/src/modules/loaders/loader_lbm.c
@@ -421,7 +421,10 @@ ILBM ilbm;
 im->w = L2RWORD(ilbm.bmhd.data);
 im->h = L2RWORD(ilbm.bmhd.data + 2);
- if (im->w <= 0 || im->h <= 0) ok = 0;
+ if ((im->w < 1) || (im->h < 1) || (im->w > 8192) || (im->h > 8192))
+ {
+ ok = 0;
+ }
 ilbm.depth = ilbm.bmhd.data[8];
 if (ilbm.depth < 1 || (ilbm.depth > 8 && ilbm.depth != 24 && ilbm.depth != 32)) ok = 0; /* Only 1 to 8, 24, or 32 planes. */
diff --git a/src/modules/loaders/loader_png.c b/src/modules/loaders/loader_png.c
index 3ae190b..c1284ce 100644
--- a/src/modules/loaders/loader_png.c
+++ b/src/modules/loaders/loader_png.c
@@ -85,6 +85,13 @@ load(ImlibImage * im, ImlibProgressFunction progress,
 &interlace_type, NULL, NULL);
 im->w = (int)w32;
 im->h = (int)h32;
+ if ((w32 < 1) || (h32 < 1) || (w32 > 8192) || (h32 > 8192))
+ {
+ png_read_end(png_ptr, info_ptr);
+ png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp) NULL);
+ fclose(f);
+ return 0;
+ }
 if (color_type == PNG_COLOR_TYPE_PALETTE)
 {
 png_set_expand(png_ptr);
diff --git a/src/modules/loaders/loader_pnm.c b/src/modules/loaders/loader_pnm.c
index ad4ccad..1cd9d2d 100644
--- a/src/modules/loaders/loader_pnm.c
+++ b/src/modules/loaders/loader_pnm.c
@@ -107,7 +107,7 @@ load(ImlibImage * im, ImlibProgressFunction progress,
 }
 }
 }
- if ((w <= 0) || (w > 8192) || (h <= 0) || (h > 8192) || (v < 0) || (v > 255))
+ if ((v < 0) || (v > 255))
 {
 fclose(f);
 return 0;
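Review bot: The rejection path added in loader_jpeg.c runs after `im->w = w = cinfo.output_width;` and `im->h = h = cinfo.output_height;`, so load() returns 0 with the refused dimensions still stored in the image. Either test `cinfo.output_width` and `cinfo.output_height` before assigning them, or add `im->w = im->h = 0;` before `return 0;`. The same ordering appears in the lbm, png, second pnm, tga and tiff load() hunks, and the tga hunk deletes the `im->w = 0;` reset that used to cover this case. Whether any caller reads im->w or im->h after a failed load is not visible in this patch, so confirm against the code that dispatches to the loaders.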
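Review bot: The rejection branch added in loader_png.c calls `png_read_end(png_ptr, info_ptr);` before any image rows have been read, which asks libpng to go on parsing the rest of a file that was just refused for its dimensions. Dropping that line and keeping `png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp) NULL);` followed by `fclose(f); return 0;` releases the read state without consuming more untrusted data. If libpng raises an error inside png_read_end, control presumably leaves through the error handler set up outside this hunk, and the cleanup written here would then be skipped.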
@@ -115,6 +115,11 @@ load(ImlibImage * im, ImlibProgressFunction progress,
 im->w = w;
 im->h = h;
+ if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192))
+ {
+ fclose(f);
+ return 0;
+ }
 if (!im->format)
 {
 if (p == '8')
diff --git a/src/modules/loaders/loader_tga.c b/src/modules/loaders/loader_tga.c
index 3408b78..90b60d4 100644
--- a/src/modules/loaders/loader_tga.c
+++ b/src/modules/loaders/loader_tga.c
@@ -297,9 +297,8 @@ load(ImlibImage * im, ImlibProgressFunction progress,
 im->w = (header->widthHi << 8) | header->widthLo;
 im->h = (header->heightHi << 8) | header->heightLo;
- if ((im->w > 32767) || (im->w < 1) || (im->h > 32767) || (im->h < 1))
+ if ((im->w < 1) || (im->h < 1) || (im->w > 8192) || (im->h > 8192))
 {
- im->w = 0;
 munmap(seg, ss.st_size);
 close(fd);
 return 0;
diff --git a/src/modules/loaders/loader_tiff.c b/src/modules/loaders/loader_tiff.c
index 12d8629..0eb5592 100644
--- a/src/modules/loaders/loader_tiff.c
+++ b/src/modules/loaders/loader_tiff.c
@@ -75,11 +75,11 @@ static void
 raster(TIFFRGBAImage_Extra * img, uint32 * rast,
 uint32 x, uint32 y, uint32 w, uint32 h)
 {
- uint32 image_width, image_height;
+ int image_width, image_height;
 uint32 *pixel, pixel_value;
 int i, j, dy, rast_offset;
 DATA32 *buffer_pixel, *buffer = img->image->data;
- int alpha_premult = (EXTRASAMPLE_UNASSALPHA==img->rgba.alpha);
+ int alpha_premult;
 image_width = img->image->w;
 image_height = img->image->h;
@@ -91,6 +91,8 @@ raster(TIFFRGBAImage_Extra * img, uint32 * rast,
 /* I don't understand why, but that seems to be what's going on. */
 /* libtiff needs better docs! */
+ if (img->rgba.alpha == EXTRASAMPLE_UNASSALPHA)
+ alpha_premult = 1;
 for (i = y, rast_offset = 0; i > dy; i--, rast_offset--)
 {
 pixel = rast + (rast_offset * image_width);
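Review bot: In raster() in loader_tiff.c, `alpha_premult` loses its initializer (`int alpha_premult;`) and the next hunk, at line 91, assigns it only when `img->rgba.alpha == EXTRASAMPLE_UNASSALPHA`, so for every other alpha mode it holds an indeterminate value. That is undefined behaviour if the pixel loop outside these hunks still tests it, which the removed initializer suggests it does. Give it a defined value on both paths, either `int alpha_premult = 0;` at the declaration or `alpha_premult = (img->rgba.alpha == EXTRASAMPLE_UNASSALPHA);` in place of the new `if`. raster()'s body continues past both hunks.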
@@ -204,6 +206,12 @@ load(ImlibImage * im, ImlibProgressFunction progress,
 rgba_image.image = im;
 im->w = width = rgba_image.rgba.width;
 im->h = height = rgba_image.rgba.height;
+ if ((width < 1) || (height < 1) || (width > 8192) || (height > 8192))
+ {
+ TIFFRGBAImageEnd((TIFFRGBAImage *) & rgba_image);
+ TIFFClose(tif);
+ return 0;
+ }
 rgba_image.num_pixels = num_pixels = width * height;
 if (rgba_image.rgba.alpha != EXTRASAMPLE_UNSPECIFIED)
 SET_FLAG(im->flags, F_HAS_ALPHA);
@@ -397,8 +405,9 @@ save(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity)
 if (has_alpha)
 {
+ uint16 extras[] = { EXTRASAMPLE_ASSOCALPHA };
 TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, 4);
- TIFFSetField(tif, TIFFTAG_EXTRASAMPLES, EXTRASAMPLE_ASSOCALPHA);
+ TIFFSetField(tif, TIFFTAG_EXTRASAMPLES, 1, extras);
 }
 else
 {
diff --git a/src/modules/loaders/loader_xpm.c b/src/modules/loaders/loader_xpm.c
index 100472d..2892a8c 100644
--- a/src/modules/loaders/loader_xpm.c
+++ b/src/modules/loaders/loader_xpm.c
@@ -211,19 +211,19 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
 xpm_parse_done();
 return 0;
 }
- if ((w > 32767) || (w < 1))
+ if ((w > 8192) || (w < 1))
 {
 fprintf(stderr,
- "IMLIB ERROR: Image width > 32767 or < 1 pixels for file\n");
+ "IMLIB ERROR: Image width > 8192 or < 1 pixels for file\n");
 free(line);
 fclose(f);
 xpm_parse_done();
 return 0;
 }
- if ((h > 32767) || (h < 1))
+ if ((h > 8192) || (h < 1))
 {
 fprintf(stderr,
- "IMLIB ERROR: Image height > 32767 or < 1 pixels for file\n");
+ "IMLIB ERROR: Image height > 8192 or < 1 pixels for file\n");
 free(line);
 fclose(f);
 xpm_parse_done();
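Review bot: The corrected call in save() in loader_tiff.c, `TIFFSetField(tif, TIFFTAG_EXTRASAMPLES, 1, extras);`, has no comment saying why the tag now takes two arguments, and the commit subject does not mention this change. A line such as `/* TIFFTAG_EXTRASAMPLES takes a count followed by a uint16 array, not a bare value */` above the declaration of `extras` would keep a later cleanup from folding it back into the old one-argument form, which passes the wrong types through the varargs interface. save() starts and ends outside the hunk.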