diff options
author | Bastien Nocera <hadess@hadess.net> | 2019-03-01 12:00:57 +0100 |
---|---|---|
committer | Bastien Nocera <hadess@hadess.net> | 2019-03-01 12:52:35 +0100 |
commit | b1971843d4f3a0a257a990e450bd61818c04b825 (patch) | |
tree | a940af9f735a16056c4b78bf94443c183fc4f9e9 | |
parent | dc3b7677105ccc8f9c6d3d983181f68cbd309e96 (diff) | |
download | gdk-pixbuf-b1971843d4f3a0a257a990e450bd61818c04b825.tar.gz |
xpm: Sanity check XPM file dimensions
In the same way that libXpm sanity checks it.
-rw-r--r-- | gdk-pixbuf/io-xpm.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/gdk-pixbuf/io-xpm.c b/gdk-pixbuf/io-xpm.c index fedcc708d..0da5b241b 100644 --- a/gdk-pixbuf/io-xpm.c +++ b/gdk-pixbuf/io-xpm.c @@ -498,6 +498,15 @@ pixbuf_create_from_xpm (const gchar * (*get_buf) (enum buf_op op, gpointer handl return NULL; } + /* Check from libXpm's ParsePixels() */ + if ((h > 0 && w >= UINT_MAX / h) || + w * h >= UINT_MAX / sizeof(unsigned int)) { + g_set_error_literal (error, + GDK_PIXBUF_ERROR, + GDK_PIXBUF_ERROR_CORRUPT_IMAGE, + _("Invalid XPM header")); + return NULL; + } if (cpp <= 0 || cpp >= 32) { g_set_error_literal (error, GDK_PIXBUF_ERROR, |