Fix integer overflows in the xpm loader

This commit is contained in:
Matthias Clasen 2005-11-15 15:59:05 +00:00
parent f3f1bdc2f0
commit 868c9a85d7
2 changed files with 10 additions and 2 deletions

View File

@ -1,3 +1,8 @@
2005-11-15 Matthias Clasen <mclasen@redhat.com>
* io-xpm.c: Fix several integer overflows which have been
reported as CVE-2005-3186 and CVE-2005-2975.
2005-10-12 Matthias Clasen <mclasen@redhat.com>
* gdk-pixbuf-loader.c (gdk_pixbuf_loader_write): Only call

View File

@ -405,7 +405,8 @@ file_buffer (enum buf_op op, gpointer handle)
/* Fall through to the xpm_read_string. */
case op_body:
xpm_read_string (h->infile, &h->buffer, &h->buffer_size);
if(!xpm_read_string (h->infile, &h->buffer, &h->buffer_size))
return NULL;
return h->buffer;
default:
@ -500,7 +501,9 @@ pixbuf_create_from_xpm (const gchar * (*get_buf) (enum buf_op op, gpointer handl
_("XPM has invalid number of chars per pixel"));
return NULL;
}
if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1)) {
if (n_col <= 0 ||
n_col >= G_MAXINT / (cpp + 1) ||
n_col >= G_MAXINT / sizeof (XPMColor)) {
g_set_error (error,
GDK_PIXBUF_ERROR,
GDK_PIXBUF_ERROR_CORRUPT_IMAGE,