author | Bastien Nocera <hadess@hadess.net> | 2016-12-13 18:08:12 +0100 |
---|---|---|
committer | Bastien Nocera <hadess@hadess.net> | 2016-12-13 18:11:33 +0100 |
commit | 8d54caa31e1d397d86e0336d90091a14855de493 (patch) | |
tree | 70e7156d7e8d1b8408de75034b2315748accc8b9 | |
parent | 3724a739bb538af08260cad21ad9e70ae3bf4b1e (diff) | |
pnm: Fix crash opening images with overly large dimensions
Internally, the PNM loader stores the width and height as unsigned
integers, but the external callback to the application,
GdkPixbufModuleSizeFunc, uses integers. So the maximum width and height
really are MAXINT, not MAXUINT.
https://bugzilla.gnome.org/show_bug.cgi?id=775232
-rw-r--r-- | gdk-pixbuf/io-pnm.c | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/gdk-pixbuf/io-pnm.c b/gdk-pixbuf/io-pnm.c
index 06b9e6aa4..c5e4fc475 100644
--- a/gdk-pixbuf/io-pnm.c
+++ b/gdk-pixbuf/io-pnm.c
@@ -325,7 +325,15 @@ pnm_read_header (PnmLoaderContext *context)
 if (retval != PNM_OK)
 return retval;
-
+
+ if (width > G_MAXINT) {
+ g_set_error_literal (context->error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("PNM file has an invalid width"));
+ return PNM_FATAL_ERR;
+ }
+
 if (!width) {
 g_set_error_literal (context->error,
 GDK_PIXBUF_ERROR,
@@ -346,7 +354,15 @@ pnm_read_header (PnmLoaderContext *context)
 if (retval != PNM_OK)
 return retval;
-
+
+ if (height > G_MAXINT) {
+ g_set_error_literal (context->error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("PNM file has an invalid height"));
+ return PNM_FATAL_ERR;
+ }
+
 if (!height) {
 g_set_error_literal (context->error,
 GDK_PIXBUF_ERROR, |
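Review bot: Capping `width` at `G_MAXINT` here, and `height` the same way in the second hunk, makes each value safe to hand to a `gint` parameter, but it does not bound their product, so a header with both dimensions just under the limit still reaches whatever computes the row stride and pixel buffer size. That code is outside these hunks; it should be confirmed to check the `width * channels` and `rowstride * height` multiplications for overflow before allocating. A short comment above each check, such as `/* GdkPixbufModuleSizeFunc takes gint; a larger value would turn negative */`, would record why an unsigned variable is compared against a signed limit. The diffstat shows only io-pnm.c changing, so a small PNM fixture with an oversized dimension would be worth adding as a regression test. pnm_read_header starts and ends outside both hunks.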