authorBastien Nocera <hadess@hadess.net>2019-03-01 12:00:57 +0100
committerBastien Nocera <hadess@hadess.net>2019-03-01 12:52:35 +0100
commitb1971843d4f3a0a257a990e450bd61818c04b825 (patch)
treea940af9f735a16056c4b78bf94443c183fc4f9e9
parentdc3b7677105ccc8f9c6d3d983181f68cbd309e96 (diff)
xpm: Sanity check XPM file dimensions
In the same way that libXpm sanity checks it.
-rw-r--r--gdk-pixbuf/io-xpm.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/gdk-pixbuf/io-xpm.c b/gdk-pixbuf/io-xpm.c
index fedcc708d..0da5b241b 100644
--- a/gdk-pixbuf/io-xpm.c
+++ b/gdk-pixbuf/io-xpm.c
@@ -498,6 +498,15 @@ pixbuf_create_from_xpm (const gchar * (*get_buf) (enum buf_op op, gpointer handl
return NULL;
}
+ /* Check from libXpm's ParsePixels() */
+ if ((h > 0 && w >= UINT_MAX / h) ||
+ w * h >= UINT_MAX / sizeof(unsigned int)) {
+ g_set_error_literal (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Invalid XPM header"));
+ return NULL;
+ }
if (cpp <= 0 || cpp >= 32) {
g_set_error_literal (error,
GDK_PIXBUF_ERROR,
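Review bot: The product in `w * h >= UINT_MAX / sizeof(unsigned int)` is evaluated before the comparison, so if `w` and `h` are signed ints (their declarations are outside the hunk), any pair that passes the first clause but multiplies past INT_MAX overflows a signed int. That is undefined behaviour, and such a file is then rejected only if the overflow happens to wrap. libXpm's check works on unsigned fields, so to match it the operands should be converted first, e.g. `(guint) w * (guint) h >= UINT_MAX / sizeof (unsigned int)`, or the multiplication avoided by dividing the limit by `h`. The comment above the check could also say what the bound protects (a `w * h` array of `unsigned int`, as in libXpm), since the hunk does not show which allocation in this loader it guards. pixbuf_create_from_xpm starts and ends outside the hunk.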