b874ab977f
"Multiple buffer overflows in imlib 1.9.14 and earlier, which is used by gkrellm and several window managers, allow remote attackers to execute arbitrary code via certain image files." (1.9.15 is also affected) http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1026 Patch from Pavel Kankovsky.
98 lines
2.2 KiB
Text
98 lines
2.2 KiB
Text
$NetBSD: patch-ao,v 1.1 2004/12/10 09:30:42 salo Exp $
|
|
|
|
--- gdk_imlib/utils.c.orig 2002-03-22 15:43:29.000000000 +0100
|
|
+++ gdk_imlib/utils.c 2004-12-10 10:15:22.000000000 +0100
|
|
@@ -1236,36 +1236,56 @@
|
|
context = 0;
|
|
ptr = NULL;
|
|
end = NULL;
|
|
+ memset(lookup, 0, sizeof(lookup));
|
|
|
|
while (!done)
|
|
{
|
|
line = data[count++];
|
|
+ if (!line)
|
|
+ break;
|
|
+ line = strdup(line);
|
|
+ if (!line)
|
|
+ break;
|
|
+ len = strlen(line);
|
|
+ for (i = 0; i < len; ++i)
|
|
+ {
|
|
+ c = line[i];
|
|
+ if (c < 32)
|
|
+ line[i] = 32;
|
|
+ else if (c > 127)
|
|
+ line[i] = 127;
|
|
+ }
|
|
+
|
|
if (context == 0)
|
|
{
|
|
/* Header */
|
|
sscanf(line, "%i %i %i %i", &w, &h, &ncolors, &cpp);
|
|
- if (ncolors > 32766)
|
|
+ if (ncolors <= 0 || ncolors > 32766)
|
|
{
|
|
fprintf(stderr, "gdk_imlib ERROR: XPM data wth colors > 32766 not supported\n");
|
|
free(im);
|
|
+ free(line);
|
|
return NULL;
|
|
}
|
|
- if (cpp > 5)
|
|
+ if (cpp <= 0 || cpp > 5)
|
|
{
|
|
fprintf(stderr, "gdk_imlib ERROR: XPM data with characters per pixel > 5 not supported\n");
|
|
free(im);
|
|
+ free(line);
|
|
return NULL;
|
|
}
|
|
- if (w > 32767)
|
|
+ if (w <= 0 || w > 32767)
|
|
{
|
|
fprintf(stderr, "gdk_imlib ERROR: Image width > 32767 pixels for data\n");
|
|
free(im);
|
|
+ free(line);
|
|
return NULL;
|
|
}
|
|
- if (h > 32767)
|
|
+ if (h <= 0 || h > 32767)
|
|
{
|
|
fprintf(stderr, "gdk_imlib ERROR: Image height > 32767 pixels for data\n");
|
|
free(im);
|
|
+ free(line);
|
|
return NULL;
|
|
}
|
|
cmap = malloc(sizeof(struct _cmap) * ncolors);
|
|
@@ -1273,6 +1293,7 @@
|
|
if (!cmap)
|
|
{
|
|
free(im);
|
|
+ free(line);
|
|
return NULL;
|
|
}
|
|
im->rgb_width = w;
|
|
@@ -1282,6 +1303,7 @@
|
|
{
|
|
free(cmap);
|
|
free(im);
|
|
+ free(line);
|
|
return NULL;
|
|
}
|
|
im->alpha_data = NULL;
|
|
@@ -1355,7 +1377,7 @@
|
|
strcpy(col + colptr, " ");
|
|
colptr++;
|
|
}
|
|
- if (colptr + ls <= sizeof(col))
|
|
+ if (colptr + ls < sizeof(col))
|
|
{
|
|
strcpy(col + colptr, s);
|
|
colptr += ls;
|
|
@@ -1558,6 +1580,7 @@
|
|
}
|
|
if ((ptr) && ((ptr - im->rgb_data) >= w * h * 3))
|
|
done = 1;
|
|
+ free(line);
|
|
}
|
|
if (!transp)
|
|
{
|