old
/
legacy-imlib2
3
0
Fork 4
Code Issues 3 Pull Requests Projects Releases Wiki Activity

fix width and height checks in case of buffer overflow. 

SVN revision: 26953
This commit is contained in:
Carsten Haitzler 2006-11-05 04:58:06 +00:00
parent 9a324b0c23
commit bdc0b127e5
9 changed files with 50 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/modules/loaders/loader_argb.c
View File

@ -47,6 +47,11 @@ load(ImlibImage * im, ImlibProgressFunction progress,
fclose(f); fclose(f);
return 0; return 0;
} }
if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192))
{
fclose(f);
return 0;
}
im->w = w; im->w = w;
im->h = h; im->h = h;
if (!im->format) if (!im->format)

5
src/modules/loaders/loader_gif.c
View File

@ -72,6 +72,11 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
} }
w = gif->Image.Width; w = gif->Image.Width;
h = gif->Image.Height; h = gif->Image.Height;
if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192))
{
DGifCloseFile(gif);
return 0;
}
rows = malloc(h * sizeof(GifRowType *)); rows = malloc(h * sizeof(GifRowType *));
if (!rows) if (!rows)
{ {

6
src/modules/loaders/loader_jpeg.c
View File

@ -92,6 +92,12 @@ load(ImlibImage * im, ImlibProgressFunction progress,
{ {
im->w = w = cinfo.output_width; im->w = w = cinfo.output_width;
im->h = h = cinfo.output_height; im->h = h = cinfo.output_height;
if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192))
{
jpeg_destroy_decompress(&cinfo);
fclose(f);
return 0;
}
UNSET_FLAG(im->flags, F_HAS_ALPHA); UNSET_FLAG(im->flags, F_HAS_ALPHA);
im->format = strdup("jpeg"); im->format = strdup("jpeg");
} }

5
src/modules/loaders/loader_lbm.c
View File

@ -421,7 +421,10 @@ ILBM ilbm;
im->w = L2RWORD(ilbm.bmhd.data); im->w = L2RWORD(ilbm.bmhd.data);
im->h = L2RWORD(ilbm.bmhd.data + 2); im->h = L2RWORD(ilbm.bmhd.data + 2);
if (im->w <= 0 || im->h <= 0) ok = 0; if ((im->w < 1) || (im->h < 1) || (im->w > 8192) || (im->h > 8192))
{
ok = 0;
}
ilbm.depth = ilbm.bmhd.data[8]; ilbm.depth = ilbm.bmhd.data[8];
if (ilbm.depth < 1 || (ilbm.depth > 8 && ilbm.depth != 24 && ilbm.depth != 32)) ok = 0; /* Only 1 to 8, 24, or 32 planes. */ if (ilbm.depth < 1 || (ilbm.depth > 8 && ilbm.depth != 24 && ilbm.depth != 32)) ok = 0; /* Only 1 to 8, 24, or 32 planes. */

7
src/modules/loaders/loader_png.c
View File

@ -85,6 +85,13 @@ load(ImlibImage * im, ImlibProgressFunction progress,
&interlace_type, NULL, NULL); &interlace_type, NULL, NULL);
im->w = (int)w32; im->w = (int)w32;
im->h = (int)h32; im->h = (int)h32;
if ((w32 < 1) || (h32 < 1) || (w32 > 8192) || (h32 > 8192))
{
png_read_end(png_ptr, info_ptr);
png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp) NULL);
fclose(f);
return 0;
}
if (color_type == PNG_COLOR_TYPE_PALETTE) if (color_type == PNG_COLOR_TYPE_PALETTE)
{ {
png_set_expand(png_ptr); png_set_expand(png_ptr);

7
src/modules/loaders/loader_pnm.c
View File

@ -107,7 +107,7 @@ load(ImlibImage * im, ImlibProgressFunction progress,
} }
} }
} }
if ((w <= 0) || (w > 8192) || (h <= 0) || (h > 8192) || (v < 0) || (v > 255)) if ((v < 0) || (v > 255))
{ {
fclose(f); fclose(f);
return 0; return 0;
@ -115,6 +115,11 @@ load(ImlibImage * im, ImlibProgressFunction progress,
im->w = w; im->w = w;
im->h = h; im->h = h;
if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192))
{
fclose(f);
return 0;
}
if (!im->format) if (!im->format)
{ {
if (p == '8') if (p == '8')

3
src/modules/loaders/loader_tga.c
View File

@ -297,9 +297,8 @@ load(ImlibImage * im, ImlibProgressFunction progress,
im->w = (header->widthHi << 8) | header->widthLo; im->w = (header->widthHi << 8) | header->widthLo;
im->h = (header->heightHi << 8) | header->heightLo; im->h = (header->heightHi << 8) | header->heightLo;
if ((im->w > 32767) || (im->w < 1) || (im->h > 32767) || (im->h < 1)) if ((im->w < 1) || (im->h < 1) || (im->w > 8192) || (im->h > 8192))
{ {
im->w = 0;
munmap(seg, ss.st_size); munmap(seg, ss.st_size);
close(fd); close(fd);
return 0; return 0;

15
src/modules/loaders/loader_tiff.c
View File

@ -75,11 +75,11 @@ static void
raster(TIFFRGBAImage_Extra * img, uint32 * rast, raster(TIFFRGBAImage_Extra * img, uint32 * rast,
uint32 x, uint32 y, uint32 w, uint32 h) uint32 x, uint32 y, uint32 w, uint32 h)
{ {
uint32 image_width, image_height; int image_width, image_height;
uint32 *pixel, pixel_value; uint32 *pixel, pixel_value;
int i, j, dy, rast_offset; int i, j, dy, rast_offset;
DATA32 *buffer_pixel, *buffer = img->image->data; DATA32 *buffer_pixel, *buffer = img->image->data;
int alpha_premult = (EXTRASAMPLE_UNASSALPHA==img->rgba.alpha); int alpha_premult;
image_width = img->image->w; image_width = img->image->w;
image_height = img->image->h; image_height = img->image->h;
@ -91,6 +91,8 @@ raster(TIFFRGBAImage_Extra * img, uint32 * rast,
/* I don't understand why, but that seems to be what's going on. */ /* I don't understand why, but that seems to be what's going on. */
/* libtiff needs better docs! */ /* libtiff needs better docs! */
if (img->rgba.alpha == EXTRASAMPLE_UNASSALPHA)
alpha_premult = 1;
for (i = y, rast_offset = 0; i > dy; i--, rast_offset--) for (i = y, rast_offset = 0; i > dy; i--, rast_offset--)
{ {
pixel = rast + (rast_offset * image_width); pixel = rast + (rast_offset * image_width);
@ -204,6 +206,12 @@ load(ImlibImage * im, ImlibProgressFunction progress,
rgba_image.image = im; rgba_image.image = im;
im->w = width = rgba_image.rgba.width; im->w = width = rgba_image.rgba.width;
im->h = height = rgba_image.rgba.height; im->h = height = rgba_image.rgba.height;
if ((width < 1) || (height < 1) || (width > 8192) || (height > 8192))
{
TIFFRGBAImageEnd((TIFFRGBAImage *) & rgba_image);
TIFFClose(tif);
return 0;
}
rgba_image.num_pixels = num_pixels = width * height; rgba_image.num_pixels = num_pixels = width * height;
if (rgba_image.rgba.alpha != EXTRASAMPLE_UNSPECIFIED) if (rgba_image.rgba.alpha != EXTRASAMPLE_UNSPECIFIED)
SET_FLAG(im->flags, F_HAS_ALPHA); SET_FLAG(im->flags, F_HAS_ALPHA);
@ -397,8 +405,9 @@ save(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity)
if (has_alpha) if (has_alpha)
{ {
uint16 extras[] = { EXTRASAMPLE_ASSOCALPHA };
TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, 4); TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, 4);
TIFFSetField(tif, TIFFTAG_EXTRASAMPLES, EXTRASAMPLE_ASSOCALPHA); TIFFSetField(tif, TIFFTAG_EXTRASAMPLES, 1, extras);
} }
else else
{ {

8
src/modules/loaders/loader_xpm.c
View File

@ -211,19 +211,19 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
xpm_parse_done(); xpm_parse_done();
return 0; return 0;
} }
if ((w > 32767) || (w < 1)) if ((w > 8192) || (w < 1))
{ {
fprintf(stderr, fprintf(stderr,
"IMLIB ERROR: Image width > 32767 or < 1 pixels for file\n"); "IMLIB ERROR: Image width > 8192 or < 1 pixels for file\n");
free(line); free(line);
fclose(f); fclose(f);
xpm_parse_done(); xpm_parse_done();
return 0; return 0;
} }
if ((h > 32767) || (h < 1)) if ((h > 8192) || (h < 1))
{ {
fprintf(stderr, fprintf(stderr,
"IMLIB ERROR: Image height > 32767 or < 1 pixels for file\n"); "IMLIB ERROR: Image height > 8192 or < 1 pixels for file\n");
free(line); free(line);
fclose(f); fclose(f);
xpm_parse_done(); xpm_parse_done();