author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2020-06-07 19:41:27 +0200 |
---|---|---|
committer | Emmanuele Bassi <ebassi@gmail.com> | 2020-06-26 10:10:53 +0000 |
commit | 7ebedf37abfed653a5b6dcf4d9210270c3e99e46 (patch) | |
tree | b75fce50273ff348ee1e47d66fcd5a52a8578f13 | |
parent | 3756f7b4a1d8d0f53f52d09dd50288582c4a79b6 (diff) | |
download | gdk-pixbuf-7ebedf37abfed653a5b6dcf4d9210270c3e99e46.tar.gz |

XBM: Fix signed integer overflow.

Parsing an XBM file with pixel bits larger than int leads to undefined
behavior (signed integer overflow).

Since only the lowest 8 bits are used, this patched code produces the
same images as before.

Also do not increment gotone but set it to a value. If more than
INT_MAX values are parsed, this int would overflow as well.

Proof of Concept (compile with -fsanitize=undefined or -ftrapv):

    static unsigned char poc_bits[] = {
    0xFFFFFFFF };

-rw-r--r-- | gdk-pixbuf/io-xbm.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/gdk-pixbuf/io-xbm.c b/gdk-pixbuf/io-xbm.c index 83de5c6da..5bf71e1bf 100644 --- a/gdk-pixbuf/io-xbm.c +++ b/gdk-pixbuf/io-xbm.c @@ -133,8 +133,8 @@ next_int (FILE *fstream) /* trim high bits, check type and accumulate */ ch &= 0xff; if (g_ascii_isxdigit (ch)) { - value = (value << 4) + g_ascii_xdigit_value (ch); - gotone++; + value = ((value & 0xf) << 4) + g_ascii_xdigit_value (ch); + gotone = 1; } else if ((hex_table[ch]) < 0 && gotone) { done++; } |
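
Review bot: In the next_int hunk, the new `(value & 0xf) << 4` throws away everything above the low 8 bits, so the return value changes for any token longer than two hex digits, and no caller of next_int is visible here to confirm the commit message's statement that only the lowest 8 bits are used. Please check every call site before merging: a caller that reads more than 8 bits of the result (for example by shifting it right by 8) would now always see 0. A short comment on the masked line saying why the accumulator is truncated would also keep a later reader from "fixing" it back. Separately, `gotone = 1` turns the counter into a flag that is only tested in `&& gotone`, so declaring it as a gboolean and assigning TRUE would match how it is used.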