diff options
author | Carsten Haitzler (Rasterman) <raster@rasterman.com> | 2014-08-14 17:04:55 +0900 |
---|---|---|
committer | Carsten Haitzler (Rasterman) <raster@rasterman.com> | 2014-08-14 17:04:55 +0900 |
commit | 3ad7feafe32b872435b7c57ac6e5bb8b4c54972e (patch) | |
tree | 2a1c0d2d573ca3e943c6ee895f0f98559f9c1d72 | |
parent | b25c416b14f315f21d7b4c0cc42961981c3117c4 (diff) | |
download | efl-3ad7feafe32b872435b7c57ac6e5bb8b4c54972e.tar.gz |
evas ico loader - ensure count is within sane ranges
this hopefully addresses CID 1205000
-rw-r--r-- | src/modules/evas/loaders/ico/evas_image_load_ico.c | 22 |
1 files changed, 13 insertions, 9 deletions
diff --git a/src/modules/evas/loaders/ico/evas_image_load_ico.c b/src/modules/evas/loaders/ico/evas_image_load_ico.c index 4932322a66..1fe6e27da6 100644 --- a/src/modules/evas/loaders/ico/evas_image_load_ico.c +++ b/src/modules/evas/loaders/ico/evas_image_load_ico.c @@ -130,7 +130,7 @@ evas_image_load_file_head_ico(void *loader_data, unsigned wanted_w = 0, wanted_h = 0; int cols, i, planes = 0, bpp = 0, pdelta, search = -1, have_choice = 0, - hasa = 1; + hasa = 1, icount; unsigned int bmoffset, bmsize, fsize; unsigned short reserved, type, count; struct { @@ -174,9 +174,11 @@ evas_image_load_file_head_ico(void *loader_data, if (!read_ushort(map, fsize, &position, &reserved)) goto close_file; if (!read_ushort(map, fsize, &position, &type)) goto close_file; if (!read_ushort(map, fsize, &position, &count)) goto close_file; - if (!((reserved == 0) && - ((type == ICON) || (type == CURSOR)) && (count > 0))) - goto close_file; + icount = count; + if (!((reserved == 0) && + ((type == ICON) || (type == CURSOR)) && + (icount > 0) && (icount <= 10000))) // between 1 and 10000 images + goto close_file; *error = EVAS_LOAD_ERROR_CORRUPT_FILE; if (key) @@ -206,7 +208,7 @@ evas_image_load_file_head_ico(void *loader_data, search = BIGGER; } } - for (i = 0; i < count; i++) + for (i = 0; i < icount; i++) { unsigned char tw = 0, th = 0, tcols = 0; if (!read_uchar(map, fsize, &position, &tw)) goto close_file; @@ -358,7 +360,7 @@ evas_image_load_file_data_ico(void *loader_data, unsigned int dword; int wanted_w = 0, wanted_h = 0, w, h, cols, i, planes = 0, bpp = 0, pdelta, search = -1, have_choice = 0, - stride, pstride, j, right_way_up = 0, diff_size = 0, cols2; + stride, pstride, j, right_way_up = 0, diff_size = 0, cols2, icount; unsigned int bmoffset, bmsize, bitcount, fsize, *pal, *surface, *pix, none_zero_alpha = 0; unsigned short reserved, type, count; @@ -404,9 +406,11 @@ evas_image_load_file_data_ico(void *loader_data, if (!read_ushort(map, fsize, &position, &reserved)) goto close_file; if (!read_ushort(map, fsize, &position, &type)) goto close_file; if (!read_ushort(map, fsize, &position, &count)) goto close_file; + icount = count; if (!((reserved == 0) && - ((type == ICON) || (type == CURSOR)) && (count > 0))) - goto close_file; + ((type == ICON) || (type == CURSOR)) && + (icount > 0) && (icount <= 10000))) // between 1 and 10000 images + goto close_file; *error = EVAS_LOAD_ERROR_CORRUPT_FILE; if (key) @@ -436,7 +440,7 @@ evas_image_load_file_data_ico(void *loader_data, search = BIGGER; } } - for (i = 0; i < count; i++) + for (i = 0; i < icount; i++) { unsigned char tw = 0, th = 0, tcols = 0; if (!read_uchar(map, fsize, &position, &tw)) goto close_file; |