author | Matthias Clasen <mclasen@redhat.com> | 2012-04-14 14:21:09 -0400 |
---|---|---|
committer | Matthias Clasen <mclasen@redhat.com> | 2012-04-14 14:21:09 -0400 |
commit | 4f0f465f991cd454d03189497f923eb40c170c22 (patch) | |
tree | d217de11f1322d3d415237af7303728ae061fa6a | |
parent | 385309042325393d2e11cdb62392e3a3a2ceedf1 (diff) | |
download | gdk-pixbuf-4f0f465f991cd454d03189497f923eb40c170c22.tar.gz |
Avoid an integer overflow in the xbm loader
At the same time, reject some silly input, such as negative
width or height.
https://bugzilla.gnome.org/show_bug.cgi?id=672811
-rw-r--r-- | gdk-pixbuf/io-xbm.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/gdk-pixbuf/io-xbm.c b/gdk-pixbuf/io-xbm.c
index 46653b906..4f3e1e8bd 100644
--- a/gdk-pixbuf/io-xbm.c
+++ b/gdk-pixbuf/io-xbm.c
@@ -183,10 +183,16 @@ read_bitmap_file_data (FILE *fstream,
 type++;
 }
- if (!strcmp ("width", type))
+ if (!strcmp ("width", type)) {
+ if (value <= 0)
+ RETURN (FALSE);
 ww = (unsigned int) value;
- if (!strcmp ("height", type))
+ }
+ if (!strcmp ("height", type)) {
+ if (value <= 0)
+ RETURN (FALSE);
 hh = (unsigned int) value;
+ }
 if (!strcmp ("hot", type)) {
 if (type-- == name_and_type || type-- == name_and_type)
@@ -231,6 +237,8 @@ read_bitmap_file_data (FILE *fstream,
 bytes_per_line = (ww+7)/8 + padding;
 size = bytes_per_line * hh;
+ if (size / bytes_per_line != hh) /* overflow */
+ RETURN (FALSE);
 bits = g_malloc (size);
 if (version10p) { |
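Review bot: The two new guards in the first hunk reject only `value <= 0`, so a width or height as large as the `#define` parser accepts still reaches the size computation further down, where the only remaining limit is the overflow test added in the second hunk. If the loader has a sensible maximum dimension, checking it here, for example `if (value <= 0 || value > MAX_XBM_DIM) RETURN (FALSE);` with `MAX_XBM_DIM` as a placeholder for a project-chosen limit, would stop a hostile header from choosing the allocation size. The guards also reject zero, which the commit message does not mention; a one-line comment such as `/* zero or negative dimensions are invalid */` would record that. `read_bitmap_file_data` starts and ends outside this hunk, so the type of `value` and what `RETURN` cleans up are not visible here.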
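Review bot: The overflow test in the second hunk runs after `size = bytes_per_line * hh` has been computed, so it depends on how an out-of-range product is converted into `size`, and the declarations of `size` and `bytes_per_line` are outside the hunk. Testing before the multiplication avoids that dependence, e.g. `if (bytes_per_line <= 0 || hh > G_MAXINT / bytes_per_line) RETURN (FALSE);`, using the maximum that matches the declared type of `size`. That form also covers a zero `bytes_per_line`, which the added division would otherwise divide by unless earlier code rules it out. Separately, `g_malloc (size)` aborts the process when the allocation fails, so a large but non-overflowing size from an untrusted file still terminates the caller; `g_try_malloc` with a NULL check and `RETURN (FALSE)` would fail the load instead.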