"Multiple buffer overflows in imlib 1.9.14 and earlier, which is used by gkrellm and several window managers, allow remote attackers to execute arbitrary code via certain image files." (1.9.15 is also affected) http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1026 Patch from Pavel Kankovsky.
$NetBSD: patch-ab,v 1.6 2004/12/10 09:30:42 salo Exp $
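--- Imlib/load.c.orig 2004-09-21 02:23:20.000000000 +0200
+++ Imlib/load.c 2004-12-10 09:58:18.000000000 +0100
@@ -4,6 +4,8 @@
 #include "Imlib_private.h"
 #include <setjmp.h>
 
+#define G_MAXINT ((int) 0x7fffffff)
+
 /* Split the ID - damages input */
 
 static char *
@@ -41,13 +43,17 @@
 
 /*
 * Make sure we don't wrap on our memory allocations
+ * we check G_MAXINT/4 because rend.c malloc's w * h * bpp
+ * + 3 is safety margin
 */
 
 void * _imlib_malloc_image(unsigned int w, unsigned int h)
 {
- if( w > 32767 || h > 32767)
+ if (w <= 0 || w > 32767 ||
+ h <= 0 || h > 32767 ||
+ h >= (G_MAXINT/4 - 1) / w)
 return NULL;
- return malloc(w * h * 3);
+ return malloc(w * h * 3 + 3);
 }
 
 #ifdef HAVE_LIBJPEG
@@ -254,7 +260,8 @@
 png_read_image(png_ptr, lines);
 png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
 ptr = data;
- if (color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
+ if (color_type == PNG_COLOR_TYPE_GRAY
+ || color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
 {
 for (y = 0; y < *h; y++)
 {
@@ -279,6 +286,7 @@
 }
 }
 }
+#if 0
 else if (color_type == PNG_COLOR_TYPE_GRAY)
 {
 for (y = 0; y < *h; y++)
@@ -294,6 +302,7 @@
 }
 }
 }
+#endif
 else
 {
 for (y = 0; y < *h; y++)
@@ -360,7 +369,9 @@
 npix = ww * hh;
 *w = (int)ww;
 *h = (int)hh;
- if(ww > 32767 || hh > 32767)
+ if (ww <= 0 || ww > 32767 ||
+ hh <= 0 || hh > 32767 ||
+ hh >= (G_MAXINT/sizeof(uint32)) / ww)
 {
 TIFFClose(tif);
 return NULL;
@@ -463,7 +474,7 @@
 }
 *w = gif->Image.Width;
 *h = gif->Image.Height;
- if (*h > 32767 || *w > 32767)
+ if (*h <= 0 || *h > 32767 || *w <= 0 || *w > 32767)
 {
 return NULL;
 }
@@ -1000,7 +1011,12 @@
 comment = 0;
 quote = 0;
 context = 0;
+ memset(lookup, 0, sizeof(lookup));
+
 line = malloc(lsz);
+ if (!line)
+ return NULL;
+
 while (!done)
 {
 pc = c;
@@ -1029,25 +1045,25 @@
 {
 /* Header */
 sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp);
- if (ncolors > 32766)
+ if (ncolors <= 0 || ncolors > 32766)
 {
 fprintf(stderr, "IMLIB ERROR: XPM files wth colors > 32766 not supported\n");
 free(line);
 return NULL;
 }
- if (cpp > 5)
+ if (cpp <= 0 || cpp > 5)
 {
 fprintf(stderr, "IMLIB ERROR: XPM files with characters per pixel > 5 not supported\n");
 free(line);
 return NULL;
 }
- if (*w > 32767)
+ if (*w <= 0 || *w > 32767)
 {
 fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n");
 free(line);
 return NULL;
 }
- if (*h > 32767)
+ if (*h <= 0 || *h > 32767)
 {
 fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n");
 free(line);
@@ -1080,11 +1096,13 @@
 {
 int slen;
 int hascolor, iscolor;
+ int space;
 
 iscolor = 0;
 hascolor = 0;
 tok[0] = 0;
 col[0] = 0;
+ space = sizeof(col) - 1;
 s[0] = 0;
 len = strlen(line);
 strncpy(cmap[j].str, line, cpp);
@@ -1107,10 +1125,10 @@
 {
 if (k >= len)
 {
- if (col[0])
- strcat(col, " ");
- if (strlen(col) + strlen(s) < sizeof(col))
- strcat(col, s);
+ if (col[0] && space > 0)
+ strcat(col, " "), space -= 1;
+ if (slen <= space)
+ strcat(col, s), space -= slen;
 }
 if (col[0])
 {
@@ -1140,14 +1158,17 @@
 }
 }
 }
+ if (slen < sizeof(tok));
 strcpy(tok, s);
 col[0] = 0;
+ space = sizeof(col) - 1;
 }
 else
 {
- if (col[0])
- strcat(col, " ");
- strcat(col, s);
+ if (col[0] && space > 0)
+ strcat(col, " "), space -=1;
+ if (slen <= space)
+ strcat(col, s), space -= slen;
 }
 }
 }
@@ -1376,12 +1397,12 @@
 sscanf(s, "%i %i", w, h);
 a = *w;
 b = *h;
- if (a > 32767)
+ if (a <= 0 || a > 32767)
 {
 fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n");
 return NULL;
 }
- if (b > 32767)
+ if (b <= 0 || b > 32767)
 {
 fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n");
 return NULL;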
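Review bot: The added guard `if (slen < sizeof(tok));` in the hunk at -1140 ends in a semicolon, so it controls an empty statement and the `strcpy(tok, s);` on the following line still runs unconditionally; the new length check does nothing to bound the copy into `tok`. Dropping the semicolon makes the copy depend on the test: `if (slen < sizeof(tok))` directly followed by `strcpy(tok, s);`. The same `slen` also gates the `strcat(col, s)` calls in the hunks at -1107 and -1140, yet none of the visible hunks assign it after `int slen;`, so it should be confirmed that it holds `strlen(s)` at each of those points. Comparing the signed `slen` with `sizeof(tok)` converts it to unsigned, which is harmless only while `slen` is non-negative. The enclosing XPM parsing function starts and ends outside the hunks.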