Enlightenment CVS committal

Author  : raster
Project : e17
Module  : libs/imlib2

Dir     : e17/libs/imlib2/src/modules/loaders


Modified Files:
        loader_argb.c loader_gif.c loader_jpeg.c loader_lbm.c 
        loader_png.c loader_pnm.c loader_tga.c loader_tiff.c 
        loader_xpm.c 


Log Message:


fix width and height checks in case of buffer overflow.

===================================================================
RCS file: /cvs/e/e17/libs/imlib2/src/modules/loaders/loader_argb.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -3 -r1.2 -r1.3
--- loader_argb.c       14 Dec 2004 03:50:46 -0000      1.2
+++ loader_argb.c       5 Nov 2006 04:58:06 -0000       1.3
@@ -47,6 +47,11 @@
            fclose(f);
            return 0;
         }
+      if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192))
+       {
+           fclose(f);
+           return 0;
+       }
       im->w = w;
       im->h = h;
       if (!im->format)
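Review bot: The limit 8192 is written as a literal in this check and again in the gif, jpeg, lbm, png, pnm, tga, tiff and xpm hunks of this commit (and inside the two xpm error strings), so any later change to the bound has to be repeated in every loader. One macro in a header common to the loaders would keep them in step, for example `#define IMAGE_DIMENSIONS_OK(w, h) (((w) > 0) && ((h) > 0) && ((w) <= 8192) && ((h) <= 8192))`, with this test becoming `if (!IMAGE_DIMENSIONS_OK(w, h))`. A comment beside it should say why the cap exists: with both sides at most 8192 the pixel count is at most 2^26, so `w * h * 4` still fits a 32-bit int in the size computations that presumably follow. The enclosing function starts and ends outside the hunk.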
===================================================================
RCS file: /cvs/e/e17/libs/imlib2/src/modules/loaders/loader_gif.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -3 -r1.2 -r1.3
--- loader_gif.c        14 Dec 2004 03:50:46 -0000      1.2
+++ loader_gif.c        5 Nov 2006 04:58:06 -0000       1.3
@@ -72,6 +72,11 @@
                }
              w = gif->Image.Width;
              h = gif->Image.Height;
+            if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192))
+              {
+                  DGifCloseFile(gif);
+                  return 0;
+              }
              rows = malloc(h * sizeof(GifRowType *));
              if (!rows)
                {
===================================================================
RCS file: /cvs/e/e17/libs/imlib2/src/modules/loaders/loader_jpeg.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -3 -r1.3 -r1.4
--- loader_jpeg.c       7 Jan 2006 11:30:44 -0000       1.3
+++ loader_jpeg.c       5 Nov 2006 04:58:06 -0000       1.4
@@ -92,6 +92,12 @@
      {
         im->w = w = cinfo.output_width;
         im->h = h = cinfo.output_height;
+       if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192))
+         {
+             jpeg_destroy_decompress(&cinfo);
+             fclose(f);
+             return 0;
+         }
         UNSET_FLAG(im->flags, F_HAS_ALPHA);
         im->format = strdup("jpeg");
      }
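Review bot: `im->w` and `im->h` are assigned from the decoder's output size before the new range test, so when the test fails and the loader returns 0 the image struct still carries the rejected dimensions. The png, pnm, tiff and lbm hunks have the same ordering, and the tga hunk removes the `im->w = 0;` reset that its failure branch used to perform. Whether the caller reads `im->w` after a failed load is not visible here, but it is safer to validate `w` and `h` first and store them afterwards, or to add `im->w = im->h = 0;` inside each rejection branch before the return. The enclosing block continues outside the hunk.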
===================================================================
RCS file: /cvs/e/e17/libs/imlib2/src/modules/loaders/loader_lbm.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -3 -r1.2 -r1.3
--- loader_lbm.c        6 Sep 2006 07:09:05 -0000       1.2
+++ loader_lbm.c        5 Nov 2006 04:58:06 -0000       1.3
@@ -421,7 +421,10 @@
 
         im->w = L2RWORD(ilbm.bmhd.data);
         im->h = L2RWORD(ilbm.bmhd.data + 2);
-        if (im->w <= 0 || im->h <= 0) ok = 0;
+       if ((im->w < 1) || (im->h < 1) || (im->w > 8192) || (im->h > 8192))
+         {
+            ok = 0;
+         }
 
         ilbm.depth = ilbm.bmhd.data[8];
         if (ilbm.depth < 1 || (ilbm.depth > 8 && ilbm.depth != 24 && ilbm.depth != 32)) ok = 0; /* Only 1 to 8, 24, or 32 planes. */
===================================================================
RCS file: /cvs/e/e17/libs/imlib2/src/modules/loaders/loader_png.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -3 -r1.2 -r1.3
--- loader_png.c        14 Dec 2004 03:50:46 -0000      1.2
+++ loader_png.c        5 Nov 2006 04:58:06 -0000       1.3
@@ -85,6 +85,13 @@
                      &interlace_type, NULL, NULL);
         im->w = (int)w32;
         im->h = (int)h32;
+       if ((w32 < 1) || (h32 < 1) || (w32 > 8192) || (h32 > 8192))
+         {
+             png_read_end(png_ptr, info_ptr);
+             png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp) NULL);
+             fclose(f);
+             return 0;
+         }
         if (color_type == PNG_COLOR_TYPE_PALETTE)
          {
             png_set_expand(png_ptr);
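Review bot: The rejection branch calls `png_read_end(png_ptr, info_ptr)` before tearing down, which makes libpng go on reading the remaining chunks of a file whose header has just been refused. No image rows have been read at that point, and any error libpng hits there goes through its error handler instead of reaching the `return 0` below. `png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp) NULL);` followed by `fclose(f);` is enough to release the reader, so the `png_read_end` line can be dropped. The enclosing function starts and ends outside the hunk.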
===================================================================
RCS file: /cvs/e/e17/libs/imlib2/src/modules/loaders/loader_pnm.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -3 -r1.2 -r1.3
--- loader_pnm.c        27 Dec 2004 21:05:31 -0000      1.2
+++ loader_pnm.c        5 Nov 2006 04:58:06 -0000       1.3
@@ -107,7 +107,7 @@
                }
           }
      }
-   if ((w <= 0) || (w > 8192) || (h <= 0) || (h > 8192) || (v < 0) || (v > 255))
+   if ((v < 0) || (v > 255))
      {
         fclose(f);
         return 0;
@@ -115,6 +115,11 @@
 
    im->w = w;
    im->h = h;
+   if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192))
+     {
+       fclose(f);
+       return 0;
+     }
    if (!im->format)
      {
         if (p == '8')
===================================================================
RCS file: /cvs/e/e17/libs/imlib2/src/modules/loaders/loader_tga.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -3 -r1.4 -r1.5
--- loader_tga.c        4 Nov 2006 17:43:44 -0000       1.4
+++ loader_tga.c        5 Nov 2006 04:58:06 -0000       1.5
@@ -297,9 +297,8 @@
    im->w = (header->widthHi << 8) | header->widthLo;
    im->h = (header->heightHi << 8) | header->heightLo;
 
-   if ((im->w > 32767) || (im->w < 1) || (im->h > 32767) || (im->h < 1))
+   if ((im->w < 1) || (im->h < 1) || (im->w > 8192) || (im->h > 8192))
      {
-        im->w = 0;
        munmap(seg, ss.st_size);
         close(fd);
         return 0;
===================================================================
RCS file: /cvs/e/e17/libs/imlib2/src/modules/loaders/loader_tiff.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -3 -r1.7 -r1.8
--- loader_tiff.c       28 May 2006 00:05:50 -0000      1.7
+++ loader_tiff.c       5 Nov 2006 04:58:06 -0000       1.8
@@ -75,11 +75,11 @@
 raster(TIFFRGBAImage_Extra * img, uint32 * rast,
        uint32 x, uint32 y, uint32 w, uint32 h)
 {
-   uint32              image_width, image_height;
+   int                 image_width, image_height;
    uint32             *pixel, pixel_value;
    int                 i, j, dy, rast_offset;
    DATA32             *buffer_pixel, *buffer = img->image->data;
-   int                 alpha_premult = (EXTRASAMPLE_UNASSALPHA==img->rgba.alpha);
+   int                 alpha_premult;
 
    image_width = img->image->w;
    image_height = img->image->h;
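Review bot: `alpha_premult` loses its initialiser in this hunk, and the next hunk assigns it only when `img->rgba.alpha == EXTRASAMPLE_UNASSALPHA`, so for every other alpha mode it holds an indeterminate value. Any later test of it in raster() then reads an uninitialised variable; those reads are outside the hunks shown. Declare it as `int alpha_premult = 0;`, or keep the original initialiser `int alpha_premult = (EXTRASAMPLE_UNASSALPHA == img->rgba.alpha);` and drop the added `if`.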
@@ -91,6 +91,8 @@
    /* I don't understand why, but that seems to be what's going on. */
    /* libtiff needs better docs! */
 
+   if (img->rgba.alpha == EXTRASAMPLE_UNASSALPHA)
+     alpha_premult = 1;
    for (i = y, rast_offset = 0; i > dy; i--, rast_offset--)
      {
         pixel = rast + (rast_offset * image_width);
@@ -204,6 +206,12 @@
    rgba_image.image = im;
    im->w = width = rgba_image.rgba.width;
    im->h = height = rgba_image.rgba.height;
+   if ((width < 1) || (height < 1) || (width > 8192) || (height > 8192))
+     {
+       TIFFRGBAImageEnd((TIFFRGBAImage *) & rgba_image);
+        TIFFClose(tif);
+        return 0;
+     }
    rgba_image.num_pixels = num_pixels = width * height;
    if (rgba_image.rgba.alpha != EXTRASAMPLE_UNSPECIFIED)
       SET_FLAG(im->flags, F_HAS_ALPHA);
@@ -397,8 +405,9 @@
 
    if (has_alpha)
      {
+       uint16 extras[] = { EXTRASAMPLE_ASSOCALPHA };
         TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, 4);
-        TIFFSetField(tif, TIFFTAG_EXTRASAMPLES, EXTRASAMPLE_ASSOCALPHA);
+       TIFFSetField(tif, TIFFTAG_EXTRASAMPLES, 1, extras);
      }
    else
      {
===================================================================
RCS file: /cvs/e/e17/libs/imlib2/src/modules/loaders/loader_xpm.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -3 -r1.5 -r1.6
--- loader_xpm.c        20 Oct 2006 18:03:15 -0000      1.5
+++ loader_xpm.c        5 Nov 2006 04:58:06 -0000       1.6
@@ -211,19 +211,19 @@
                             xpm_parse_done();
                             return 0;
                          }
-                       if ((w > 32767) || (w < 1))
+                       if ((w > 8192) || (w < 1))
                          {
                             fprintf(stderr,
-                                    "IMLIB ERROR: Image width > 32767 or < 1 pixels for file\n");
+                                    "IMLIB ERROR: Image width > 8192 or < 1 pixels for file\n");
                             free(line);
                             fclose(f);
                             xpm_parse_done();
                             return 0;
                          }
-                       if ((h > 32767) || (h < 1))
+                       if ((h > 8192) || (h < 1))
                          {
                             fprintf(stderr,
-                                    "IMLIB ERROR: Image height > 32767 or < 1 pixels for file\n");
+                                    "IMLIB ERROR: Image height > 8192 or < 1 pixels for file\n");
                             free(line);
                             fclose(f);
                             xpm_parse_done();


