1
0
forked from ports/contrib
contrib-tek/imlib/imlib-1.9.15-security.patch

511 lines
13 KiB
Diff
Raw Normal View History

2007-05-08 10:51:20 +10:00
diff -Nru imlib-1.9.15.orig/Imlib/load.c imlib-1.9.15/Imlib/load.c
--- imlib-1.9.15.orig/Imlib/load.c 2004-12-23 23:50:22.820521823 +0100
+++ imlib-1.9.15/Imlib/load.c 2004-12-23 23:50:36.549790030 +0100
@@ -4,6 +4,8 @@
#include "Imlib_private.h"
#include <setjmp.h>
+#define G_MAXINT ((int) 0x7fffffff)
+
/* Split the ID - damages input */
static char *
@@ -41,13 +43,17 @@
/*
* Make sure we don't wrap on our memory allocations
+ * we check G_MAXINT/4 because rend.c malloc's w * h * bpp
+ * + 3 is safety margin
*/
void * _imlib_malloc_image(unsigned int w, unsigned int h)
{
- if( w > 32767 || h > 32767)
- return NULL;
- return malloc(w * h * 3);
+ if (w <= 0 || w > 32767 ||
+ h <= 0 || h > 32767 ||
+ h >= (G_MAXINT/4 - 1) / w)
+ return NULL;
+ return malloc(w * h * 3 + 3);
}
#ifdef HAVE_LIBJPEG
@@ -360,7 +366,9 @@
npix = ww * hh;
*w = (int)ww;
*h = (int)hh;
- if(ww > 32767 || hh > 32767)
+ if (ww <= 0 || ww > 32767 ||
+ hh <= 0 || hh > 32767 ||
+ hh >= (G_MAXINT/sizeof(uint32)) / ww)
{
TIFFClose(tif);
return NULL;
@@ -463,7 +471,7 @@
}
*w = gif->Image.Width;
*h = gif->Image.Height;
- if (*h > 32767 || *w > 32767)
+ if (*h <= 0 || *h > 32767 || *w <= 0 || *w > 32767)
{
return NULL;
}
@@ -1000,7 +1008,12 @@
comment = 0;
quote = 0;
context = 0;
+ memset(lookup, 0, sizeof(lookup));
+
line = malloc(lsz);
+ if (!line)
+ return NULL;
+
while (!done)
{
pc = c;
@@ -1029,25 +1042,25 @@
{
/* Header */
sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp);
- if (ncolors > 32766)
+ if (ncolors <= 0 || ncolors > 32766)
{
fprintf(stderr, "IMLIB ERROR: XPM files wth colors > 32766 not supported\n");
free(line);
return NULL;
}
- if (cpp > 5)
+ if (cpp <= 0 || cpp > 5)
{
fprintf(stderr, "IMLIB ERROR: XPM files with characters per pixel > 5 not supported\n");
free(line);
return NULL;
}
- if (*w > 32767)
+ if (*w <= 0 || *w > 32767)
{
fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n");
free(line);
return NULL;
}
- if (*h > 32767)
+ if (*h <= 0 || *h > 32767)
{
fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n");
free(line);
@@ -1080,11 +1093,13 @@
{
int slen;
int hascolor, iscolor;
+ int space;
iscolor = 0;
hascolor = 0;
tok[0] = 0;
col[0] = 0;
+ space = sizeof(col) - 1;
s[0] = 0;
len = strlen(line);
strncpy(cmap[j].str, line, cpp);
@@ -1107,10 +1122,10 @@
{
if (k >= len)
{
- if (col[0])
- strcat(col, " ");
- if (strlen(col) + strlen(s) < sizeof(col))
- strcat(col, s);
+ if (col[0] && space > 0)
+ strcat(col, " "), space -= 1;
+ if (slen <= space)
+ strcat(col, s), space -= slen;
}
if (col[0])
{
@@ -1140,14 +1155,17 @@
}
}
}
- strcpy(tok, s);
+ if (slen < sizeof(tok));
+ strcpy(tok, s);
col[0] = 0;
+ space = sizeof(col) - 1;
}
else
{
- if (col[0])
- strcat(col, " ");
- strcat(col, s);
+ if (col[0] && space > 0)
+ strcat(col, " "), space -=1;
+ if (slen <= space)
+ strcat(col, s), space -= slen;
}
}
}
@@ -1376,12 +1394,12 @@
sscanf(s, "%i %i", w, h);
a = *w;
b = *h;
- if (a > 32767)
+ if (a <= 0 || a > 32767)
{
fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n");
return NULL;
}
- if (b > 32767)
+ if (b <= 0 || b > 32767)
{
fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n");
return NULL;
diff -Nru imlib-1.9.15.orig/Imlib/utils.c imlib-1.9.15/Imlib/utils.c
--- imlib-1.9.15.orig/Imlib/utils.c 2004-12-23 23:50:22.824519281 +0100
+++ imlib-1.9.15/Imlib/utils.c 2004-12-23 23:50:36.553787487 +0100
@@ -1496,36 +1496,56 @@
context = 0;
ptr = NULL;
end = NULL;
+ memset(lookup, 0, sizeof(lookup));
while (!done)
{
line = data[count++];
+ if (!line)
+ break;
+ line = strdup(line);
+ if (!line)
+ break;
+ len = strlen(line);
+ for (i = 0; i < len; ++i)
+ {
+ c = line[i];
+ if (c < 32)
+ line[i] = 32;
+ else if (c > 127)
+ line[i] = 127;
+ }
+
if (context == 0)
{
/* Header */
sscanf(line, "%i %i %i %i", &w, &h, &ncolors, &cpp);
- if (ncolors > 32766)
+ if (ncolors <= 0 || ncolors > 32766)
{
fprintf(stderr, "IMLIB ERROR: XPM data wth colors > 32766 not supported\n");
free(im);
+ free(line);
return NULL;
}
- if (cpp > 5)
+ if (cpp <= 0 || cpp > 5)
{
fprintf(stderr, "IMLIB ERROR: XPM data with characters per pixel > 5 not supported\n");
free(im);
+ free(line);
return NULL;
}
- if (w > 32767)
+ if (w <= 0 || w > 32767)
{
fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for data\n");
free(im);
+ free(line);
return NULL;
}
- if (h > 32767)
+ if (h <= 0 || h > 32767)
{
fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for data\n");
free(im);
+ free(line);
return NULL;
}
cmap = malloc(sizeof(struct _cmap) * ncolors);
@@ -1533,6 +1553,7 @@
if (!cmap)
{
free(im);
+ free(line);
return NULL;
}
im->rgb_width = w;
@@ -1542,6 +1563,7 @@
{
free(cmap);
free(im);
+ free(line);
return NULL;
}
im->alpha_data = NULL;
@@ -1817,6 +1839,7 @@
}
if ((ptr) && ((ptr - im->rgb_data) >= w * h * 3))
done = 1;
+ free(line);
}
if (!transp)
{
diff -Nru imlib-1.9.15.orig/gdk_imlib/io-gif.c imlib-1.9.15/gdk_imlib/io-gif.c
--- imlib-1.9.15.orig/gdk_imlib/io-gif.c 2004-12-23 23:50:22.863494493 +0100
+++ imlib-1.9.15/gdk_imlib/io-gif.c 2004-12-23 23:50:36.554786852 +0100
@@ -55,7 +55,7 @@
}
*w = gif->Image.Width;
*h = gif->Image.Height;
- if(*h > 32767 || *w > 32767)
+ if(*h <= 0 || *h > 32767 || *w <= 0 || *w > 32767)
{
return NULL;
}
diff -Nru imlib-1.9.15.orig/gdk_imlib/io-ppm.c imlib-1.9.15/gdk_imlib/io-ppm.c
--- imlib-1.9.15.orig/gdk_imlib/io-ppm.c 2004-12-23 23:50:22.864493857 +0100
+++ imlib-1.9.15/gdk_imlib/io-ppm.c 2004-12-23 23:50:36.556785581 +0100
@@ -53,12 +53,12 @@
sscanf(s, "%i %i", w, h);
a = *w;
b = *h;
- if (a > 32767)
+ if (a <= 0 || a > 32767)
{
fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for file\n");
return NULL;
}
- if (b > 32767)
+ if (b <= 0 || b > 32767)
{
fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for file\n");
return NULL;
diff -Nru imlib-1.9.15.orig/gdk_imlib/io-tiff.c imlib-1.9.15/gdk_imlib/io-tiff.c
--- imlib-1.9.15.orig/gdk_imlib/io-tiff.c 2004-12-23 23:50:22.864493857 +0100
+++ imlib-1.9.15/gdk_imlib/io-tiff.c 2004-12-23 23:50:36.557784945 +0100
@@ -36,7 +36,9 @@
npix = ww * hh;
*w = (int)ww;
*h = (int)hh;
- if(ww > 32767 || hh > 32767)
+ if (ww <= 0 || ww > 32767 ||
+ hh <= 0 || hh > 32767 ||
+ hh >= (G_MAXINT/sizeof(uint32)) / ww)
{
TIFFClose(tif);
return NULL;
diff -Nru imlib-1.9.15.orig/gdk_imlib/io-xpm.c imlib-1.9.15/gdk_imlib/io-xpm.c
--- imlib-1.9.15.orig/gdk_imlib/io-xpm.c 2004-12-23 23:50:22.864493857 +0100
+++ imlib-1.9.15/gdk_imlib/io-xpm.c 2004-12-23 23:50:36.558784309 +0100
@@ -40,8 +40,12 @@
context = 0;
i = j = 0;
cmap = NULL;
+ memset(lookup, 0, sizeof(lookup));
line = malloc(lsz);
+ if (!line)
+ return NULL;
+
while (!done)
{
pc = c;
@@ -70,25 +74,25 @@
{
/* Header */
sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp);
- if (ncolors > 32766)
+ if (ncolors <= 0 || ncolors > 32766)
{
fprintf(stderr, "gdk_imlib ERROR: XPM files wth colors > 32766 not supported\n");
free(line);
return NULL;
}
- if (cpp > 5)
+ if (cpp <= 0 || cpp > 5)
{
fprintf(stderr, "gdk_imlib ERROR: XPM files with characters per pixel > 5 not supported\n");
free(line);
return NULL;
}
- if (*w > 32767)
+ if (*w <= 0 || *w > 32767)
{
fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for file\n");
free(line);
return NULL;
}
- if (*h > 32767)
+ if (*h <= 0 || *h > 32767)
{
fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for file\n");
free(line);
@@ -120,11 +124,13 @@
{
int slen;
int hascolor, iscolor;
+ int space;
hascolor = 0;
iscolor = 0;
tok[0] = 0;
col[0] = 0;
+ space = sizeof(col) - 1;
s[0] = 0;
len = strlen(line);
strncpy(cmap[j].str, line, cpp);
@@ -147,10 +153,10 @@
{
if (k >= len)
{
- if (col[0])
- strcat(col, " ");
- if (strlen(col) + strlen(s) < sizeof(col))
- strcat(col, s);
+ if (col[0] && space > 0)
+ strncat(col, " ", space), space -= 1;
+ if (slen <= space)
+ strcat(col, s), space -= slen;
}
if (col[0])
{
@@ -180,14 +186,17 @@
}
}
}
- strcpy(tok, s);
+ if (slen < sizeof(tok))
+ strcpy(tok, s);
col[0] = 0;
+ space = sizeof(col) - 1;
}
else
{
- if (col[0])
- strcat(col, " ");
- strcat(col, s);
+ if (col[0] && space > 0)
+ strcat(col, " "), space -= 1;
+ if (slen <= space)
+ strcat(col, s), space -= slen;
}
}
}
diff -Nru imlib-1.9.15.orig/gdk_imlib/misc.c imlib-1.9.15/gdk_imlib/misc.c
--- imlib-1.9.15.orig/gdk_imlib/misc.c 2004-12-23 23:50:22.866492586 +0100
+++ imlib-1.9.15/gdk_imlib/misc.c 2004-12-23 23:50:36.560783038 +0100
@@ -1355,11 +1355,16 @@
/*
* Make sure we don't wrap on our memory allocations
+ * we check G_MAX_INT/4 because rend.c malloc's w * h * bpp
+ * + 3 is safety margin
*/
void *_gdk_malloc_image(unsigned int w, unsigned int h)
{
- if( w > 32767 || h > 32767)
+ if (w <= 0 || w > 32767 ||
+ h <= 0 || h > 32767 ||
+ h >= (G_MAXINT/4 - 1) / w)
return NULL;
- return malloc(w * h * 3);
+ return malloc(w * h * 3 + 3);
}
+
diff -Nru imlib-1.9.15.orig/gdk_imlib/utils.c imlib-1.9.15/gdk_imlib/utils.c
--- imlib-1.9.15.orig/gdk_imlib/utils.c 2004-12-23 23:50:22.869490679 +0100
+++ imlib-1.9.15/gdk_imlib/utils.c 2004-12-23 23:50:36.563781131 +0100
@@ -1236,36 +1236,56 @@
context = 0;
ptr = NULL;
end = NULL;
+ memset(lookup, 0, sizeof(lookup));
while (!done)
{
line = data[count++];
+ if (!line)
+ break;
+ line = strdup(line);
+ if (!line)
+ break;
+ len = strlen(line);
+ for (i = 0; i < len; ++i)
+ {
+ c = line[i];
+ if (c < 32)
+ line[i] = 32;
+ else if (c > 127)
+ line[i] = 127;
+ }
+
if (context == 0)
{
/* Header */
sscanf(line, "%i %i %i %i", &w, &h, &ncolors, &cpp);
- if (ncolors > 32766)
+ if (ncolors <= 0 || ncolors > 32766)
{
fprintf(stderr, "gdk_imlib ERROR: XPM data wth colors > 32766 not supported\n");
free(im);
+ free(line);
return NULL;
}
- if (cpp > 5)
+ if (cpp <= 0 || cpp > 5)
{
fprintf(stderr, "gdk_imlib ERROR: XPM data with characters per pixel > 5 not supported\n");
free(im);
+ free(line);
return NULL;
}
- if (w > 32767)
+ if (w <= 0 || w > 32767)
{
fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for data\n");
free(im);
+ free(line);
return NULL;
}
- if (h > 32767)
+ if (h <= 0 || h > 32767)
{
fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for data\n");
free(im);
+ free(line);
return NULL;
}
cmap = malloc(sizeof(struct _cmap) * ncolors);
@@ -1273,6 +1293,7 @@
if (!cmap)
{
free(im);
+ free(line);
return NULL;
}
im->rgb_width = w;
@@ -1282,6 +1303,7 @@
{
free(cmap);
free(im);
+ free(line);
return NULL;
}
im->alpha_data = NULL;
@@ -1355,7 +1377,7 @@
strcpy(col + colptr, " ");
colptr++;
}
- if (colptr + ls <= sizeof(col))
+ if (colptr + ls < sizeof(col))
{
strcpy(col + colptr, s);
colptr += ls;
@@ -1558,6 +1580,7 @@
}
if ((ptr) && ((ptr - im->rgb_data) >= w * h * 3))
done = 1;
+ free(line);
}
if (!transp)
{