diff -uprk.orig imlib-1.9.14.orig/Imlib/load.c imlib-1.9.14/Imlib/load.c --- imlib-1.9.14.orig/Imlib/load.c 2005-01-09 15:32:54 +0000 +++ imlib-1.9.14/Imlib/load.c 2005-01-09 15:35:27 +0000 @@ -4,6 +4,8 @@ #include "Imlib_private.h" #include +#define G_MAXINT ((int) 0x7fffffff) + /* Split the ID - damages input */ static char * @@ -41,13 +43,17 @@ _GetExtension(char *file) /* * Make sure we don't wrap on our memory allocations + * we check G_MAXINT/4 because rend.c malloc's w * h * bpp + * + 3 is safety margin */ void * _imlib_malloc_image(unsigned int w, unsigned int h) { - if( w > 32767 || h > 32767) - return NULL; - return malloc(w * h * 3); + if (w <= 0 || w > 32767 || + h <= 0 || h > 32767 || + h >= (G_MAXINT/4 - 1) / w) + return NULL; + return malloc(w * h * 3 + 3); } #ifdef HAVE_LIBJPEG @@ -360,7 +366,9 @@ _LoadTIFF(ImlibData * id, FILE *f, char npix = ww * hh; *w = (int)ww; *h = (int)hh; - if(ww > 32767 || hh > 32767) + if (ww <= 0 || ww > 32767 || + hh <= 0 || hh > 32767 || + hh >= (G_MAXINT/sizeof(uint32)) / ww) { TIFFClose(tif); return NULL; @@ -463,7 +471,7 @@ _LoadGIF(ImlibData * id, FILE *f, int *w } *w = gif->Image.Width; *h = gif->Image.Height; - if (*h > 32767 || *w > 32767) + if (*h <= 0 || *h > 32767 || *w <= 0 || *w > 32767) { return NULL; } @@ -1000,7 +1008,12 @@ _LoadXPM(ImlibData * id, FILE *file, int comment = 0; quote = 0; context = 0; + memset(lookup, 0, sizeof(lookup)); + line = malloc(lsz); + if (!line) + return NULL; + while (!done) { pc = c; @@ -1029,25 +1042,25 @@ _LoadXPM(ImlibData * id, FILE *file, int { /* Header */ sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp); - if (ncolors > 32766) + if (ncolors <= 0 || ncolors > 32766) { fprintf(stderr, "IMLIB ERROR: XPM files wth colors > 32766 not supported\n"); free(line); return NULL; } - if (cpp > 5) + if (cpp <= 0 || cpp > 5) { fprintf(stderr, "IMLIB ERROR: XPM files with characters per pixel > 5 not supported\n"); free(line); return NULL; } - if (*w > 32767) + if (*w <= 0 || *w > 32767) { fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n"); free(line); return NULL; } - if (*h > 32767) + if (*h <= 0 || *h > 32767) { fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n"); free(line); @@ -1080,11 +1093,13 @@ _LoadXPM(ImlibData * id, FILE *file, int { int slen; int hascolor, iscolor; + int space; iscolor = 0; hascolor = 0; tok[0] = 0; col[0] = 0; + space = sizeof(col) - 1; s[0] = 0; len = strlen(line); strncpy(cmap[j].str, line, cpp); @@ -1107,10 +1122,10 @@ _LoadXPM(ImlibData * id, FILE *file, int { if (k >= len) { - if (col[0]) - strcat(col, " "); - if (strlen(col) + strlen(s) < sizeof(col)) - strcat(col, s); + if (col[0] && space > 0) + strcat(col, " "), space -= 1; + if (slen <= space) + strcat(col, s), space -= slen; } if (col[0]) { @@ -1140,14 +1155,17 @@ _LoadXPM(ImlibData * id, FILE *file, int } } } - strcpy(tok, s); + if (slen < sizeof(tok)); + strcpy(tok, s); col[0] = 0; + space = sizeof(col) - 1; } else { - if (col[0]) - strcat(col, " "); - strcat(col, s); + if (col[0] && space > 0) + strcat(col, " "), space -=1; + if (slen <= space) + strcat(col, s), space -= slen; } } } @@ -1376,12 +1394,12 @@ _LoadPPM(ImlibData * id, FILE * f, int * sscanf(s, "%i %i", w, h); a = *w; b = *h; - if (a > 32767) + if (a <= 0 || a > 32767) { fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n"); return NULL; } - if (b > 32767) + if (b <= 0 || b > 32767) { fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n"); return NULL; diff -uprk.orig imlib-1.9.14.orig/Imlib/load.c.rej imlib-1.9.14/Imlib/load.c.rej --- imlib-1.9.14.orig/Imlib/load.c.rej 1970-01-01 00:00:00 +0000 +++ imlib-1.9.14/Imlib/load.c.rej 2005-01-09 15:33:28 +0000 @@ -0,0 +1,27 @@ +*************** +*** 631,642 **** + fread(dbuf, 4, 2, file); + *w = (int)dbuf[0]; + *h = (int)dbuf[1]; +- if (*w > 32767) + { + fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n"); + return NULL; + } +- if (*h > 32767) + { + fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n"); + return NULL; +--- 639,650 ---- + fread(dbuf, 4, 2, file); + *w = (int)dbuf[0]; + *h = (int)dbuf[1]; ++ if (*w <= 0 || *w > 32767) + { + fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n"); + return NULL; + } ++ if (*h <= 0 || *h > 32767) + { + fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n"); + return NULL; diff -uprk.orig imlib-1.9.14.orig/Imlib/utils.c imlib-1.9.14/Imlib/utils.c --- imlib-1.9.14.orig/Imlib/utils.c 2002-03-22 14:43:04 +0000 +++ imlib-1.9.14/Imlib/utils.c 2005-01-09 15:33:28 +0000 @@ -1496,36 +1496,56 @@ Imlib_create_image_from_xpm_data(ImlibDa context = 0; ptr = NULL; end = NULL; + memset(lookup, 0, sizeof(lookup)); while (!done) { line = data[count++]; + if (!line) + break; + line = strdup(line); + if (!line) + break; + len = strlen(line); + for (i = 0; i < len; ++i) + { + c = line[i]; + if (c < 32) + line[i] = 32; + else if (c > 127) + line[i] = 127; + } + if (context == 0) { /* Header */ sscanf(line, "%i %i %i %i", &w, &h, &ncolors, &cpp); - if (ncolors > 32766) + if (ncolors <= 0 || ncolors > 32766) { fprintf(stderr, "IMLIB ERROR: XPM data wth colors > 32766 not supported\n"); free(im); + free(line); return NULL; } - if (cpp > 5) + if (cpp <= 0 || cpp > 5) { fprintf(stderr, "IMLIB ERROR: XPM data with characters per pixel > 5 not supported\n"); free(im); + free(line); return NULL; } - if (w > 32767) + if (w <= 0 || w > 32767) { fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for data\n"); free(im); + free(line); return NULL; } - if (h > 32767) + if (h <= 0 || h > 32767) { fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for data\n"); free(im); + free(line); return NULL; } cmap = malloc(sizeof(struct _cmap) * ncolors); @@ -1533,6 +1553,7 @@ Imlib_create_image_from_xpm_data(ImlibDa if (!cmap) { free(im); + free(line); return NULL; } im->rgb_width = w; @@ -1542,6 +1563,7 @@ Imlib_create_image_from_xpm_data(ImlibDa { free(cmap); free(im); + free(line); return NULL; } im->alpha_data = NULL; @@ -1817,6 +1839,7 @@ Imlib_create_image_from_xpm_data(ImlibDa } if ((ptr) && ((ptr - im->rgb_data) >= w * h * 3)) done = 1; + free(line); } if (!transp) { diff -uprk.orig imlib-1.9.14.orig/gdk_imlib/io-gif.c imlib-1.9.14/gdk_imlib/io-gif.c --- imlib-1.9.14.orig/gdk_imlib/io-gif.c 2002-03-04 17:06:29 +0000 +++ imlib-1.9.14/gdk_imlib/io-gif.c 2005-01-09 15:33:28 +0000 @@ -55,7 +55,7 @@ loader_gif(FILE *f, int *w, int *h, int } *w = gif->Image.Width; *h = gif->Image.Height; - if(*h > 32767 || *w > 32767) + if(*h <= 0 || *h > 32767 || *w <= 0 || *w > 32767) { return NULL; } diff -uprk.orig imlib-1.9.14.orig/gdk_imlib/io-ppm.c imlib-1.9.14/gdk_imlib/io-ppm.c --- imlib-1.9.14.orig/gdk_imlib/io-ppm.c 2002-03-04 17:06:29 +0000 +++ imlib-1.9.14/gdk_imlib/io-ppm.c 2005-01-09 15:33:28 +0000 @@ -53,12 +53,12 @@ loader_ppm (FILE * f, int *w, int *h, in sscanf(s, "%i %i", w, h); a = *w; b = *h; - if (a > 32767) + if (a <= 0 || a > 32767) { fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for file\n"); return NULL; } - if (b > 32767) + if (b <= 0 || b > 32767) { fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for file\n"); return NULL; diff -uprk.orig imlib-1.9.14.orig/gdk_imlib/io-tiff.c imlib-1.9.14/gdk_imlib/io-tiff.c --- imlib-1.9.14.orig/gdk_imlib/io-tiff.c 2002-03-04 17:06:29 +0000 +++ imlib-1.9.14/gdk_imlib/io-tiff.c 2005-01-09 15:33:28 +0000 @@ -36,7 +36,9 @@ loader_tiff(FILE *f, char *file, int *w, npix = ww * hh; *w = (int)ww; *h = (int)hh; - if(ww > 32767 || hh > 32767) + if (ww <= 0 || ww > 32767 || + hh <= 0 || hh > 32767 || + hh >= (G_MAXINT/sizeof(uint32)) / ww) { TIFFClose(tif); return NULL; diff -uprk.orig imlib-1.9.14.orig/gdk_imlib/io-xpm.c imlib-1.9.14/gdk_imlib/io-xpm.c --- imlib-1.9.14.orig/gdk_imlib/io-xpm.c 2002-03-04 17:06:29 +0000 +++ imlib-1.9.14/gdk_imlib/io-xpm.c 2005-01-09 15:33:28 +0000 @@ -40,8 +40,12 @@ loader_xpm(FILE *file, int *w, int *h, i context = 0; i = j = 0; cmap = NULL; + memset(lookup, 0, sizeof(lookup)); line = malloc(lsz); + if (!line) + return NULL; + while (!done) { pc = c; @@ -70,25 +74,25 @@ loader_xpm(FILE *file, int *w, int *h, i { /* Header */ sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp); - if (ncolors > 32766) + if (ncolors <= 0 || ncolors > 32766) { fprintf(stderr, "gdk_imlib ERROR: XPM files wth colors > 32766 not supported\n"); free(line); return NULL; } - if (cpp > 5) + if (cpp <= 0 || cpp > 5) { fprintf(stderr, "gdk_imlib ERROR: XPM files with characters per pixel > 5 not supported\n"); free(line); return NULL; } - if (*w > 32767) + if (*w <= 0 || *w > 32767) { fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for file\n"); free(line); return NULL; } - if (*h > 32767) + if (*h <= 0 || *h > 32767) { fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for file\n"); free(line); @@ -120,11 +124,13 @@ loader_xpm(FILE *file, int *w, int *h, i { int slen; int hascolor, iscolor; + int space; hascolor = 0; iscolor = 0; tok[0] = 0; col[0] = 0; + space = sizeof(col) - 1; s[0] = 0; len = strlen(line); strncpy(cmap[j].str, line, cpp); @@ -147,10 +153,10 @@ loader_xpm(FILE *file, int *w, int *h, i { if (k >= len) { - if (col[0]) - strcat(col, " "); - if (strlen(col) + strlen(s) < sizeof(col)) - strcat(col, s); + if (col[0] && space > 0) + strncat(col, " ", space), space -= 1; + if (slen <= space) + strcat(col, s), space -= slen; } if (col[0]) { @@ -180,14 +186,17 @@ loader_xpm(FILE *file, int *w, int *h, i } } } - strcpy(tok, s); + if (slen < sizeof(tok)) + strcpy(tok, s); col[0] = 0; + space = sizeof(col) - 1; } else { - if (col[0]) - strcat(col, " "); - strcat(col, s); + if (col[0] && space > 0) + strcat(col, " "), space -= 1; + if (slen <= space) + strcat(col, s), space -= slen; } } } diff -uprk.orig imlib-1.9.14.orig/gdk_imlib/misc.c imlib-1.9.14/gdk_imlib/misc.c --- imlib-1.9.14.orig/gdk_imlib/misc.c 2002-03-04 17:06:32 +0000 +++ imlib-1.9.14/gdk_imlib/misc.c 2005-01-09 15:33:28 +0000 @@ -1355,11 +1355,16 @@ gdk_imlib_get_sysconfig() /* * Make sure we don't wrap on our memory allocations + * we check G_MAX_INT/4 because rend.c malloc's w * h * bpp + * + 3 is safety margin */ void *_gdk_malloc_image(unsigned int w, unsigned int h) { - if( w > 32767 || h > 32767) + if (w <= 0 || w > 32767 || + h <= 0 || h > 32767 || + h >= (G_MAXINT/4 - 1) / w) return NULL; - return malloc(w * h * 3); + return malloc(w * h * 3 + 3); } + diff -uprk.orig imlib-1.9.14.orig/gdk_imlib/utils.c imlib-1.9.14/gdk_imlib/utils.c --- imlib-1.9.14.orig/gdk_imlib/utils.c 2002-03-22 14:43:29 +0000 +++ imlib-1.9.14/gdk_imlib/utils.c 2005-01-09 15:33:28 +0000 @@ -1236,36 +1236,56 @@ gdk_imlib_create_image_from_xpm_data(cha context = 0; ptr = NULL; end = NULL; + memset(lookup, 0, sizeof(lookup)); while (!done) { line = data[count++]; + if (!line) + break; + line = strdup(line); + if (!line) + break; + len = strlen(line); + for (i = 0; i < len; ++i) + { + c = line[i]; + if (c < 32) + line[i] = 32; + else if (c > 127) + line[i] = 127; + } + if (context == 0) { /* Header */ sscanf(line, "%i %i %i %i", &w, &h, &ncolors, &cpp); - if (ncolors > 32766) + if (ncolors <= 0 || ncolors > 32766) { fprintf(stderr, "gdk_imlib ERROR: XPM data wth colors > 32766 not supported\n"); free(im); + free(line); return NULL; } - if (cpp > 5) + if (cpp <= 0 || cpp > 5) { fprintf(stderr, "gdk_imlib ERROR: XPM data with characters per pixel > 5 not supported\n"); free(im); + free(line); return NULL; } - if (w > 32767) + if (w <= 0 || w > 32767) { fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for data\n"); free(im); + free(line); return NULL; } - if (h > 32767) + if (h <= 0 || h > 32767) { fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for data\n"); free(im); + free(line); return NULL; } cmap = malloc(sizeof(struct _cmap) * ncolors); @@ -1273,6 +1293,7 @@ gdk_imlib_create_image_from_xpm_data(cha if (!cmap) { free(im); + free(line); return NULL; } im->rgb_width = w; @@ -1282,6 +1303,7 @@ gdk_imlib_create_image_from_xpm_data(cha { free(cmap); free(im); + free(line); return NULL; } im->alpha_data = NULL; @@ -1355,7 +1377,7 @@ gdk_imlib_create_image_from_xpm_data(cha strcpy(col + colptr, " "); colptr++; } - if (colptr + ls <= sizeof(col)) + if (colptr + ls < sizeof(col)) { strcpy(col + colptr, s); colptr += ls; @@ -1558,6 +1580,7 @@ gdk_imlib_create_image_from_xpm_data(cha } if ((ptr) && ((ptr - im->rgb_data) >= w * h * 3)) done = 1; + free(line); } if (!transp) {