gdk-pixbuf-io: Add precondition checks for image dimensions

Refuse to save an invalid GdkPixbuf: one which has negative width, height or number of channels. This allows us to put assertions for all those properties in the I/O code, which helps static analysis not go off on one because it thinks the image width could be negative. Coverity ID: 1388534 https://bugzilla.gnome.org/show_bug.cgi?id=777374
author: Philip Withnall <withnall@endlessm.com> 2017-01-18 11:15:33 +0000
committer: Philip Withnall <withnall@endlessm.com> 2017-02-07 11:08:42 +0000
commit: 71e3b4a413a03627475944781f376da909de8dd5 (patch)
tree: 6a239e837df4ae213fa2fb2c070aeab5f40ad8cf /gdk-pixbuf
parent: 3dacbb48f0ca67d1b7124f6de58796a517dbed53 (diff)
download: gdk-pixbuf-71e3b4a413a03627475944781f376da909de8dd5.tar.gz
4 files changed, 30 insertions, 1 deletions
diff --git a/gdk-pixbuf/gdk-pixbuf-io.c b/gdk-pixbuf/gdk-pixbuf-io.c
index 4295cfeb2..26c292118 100644
--- a/gdk-pixbuf/gdk-pixbuf-io.c
+++ b/gdk-pixbuf/gdk-pixbuf-io.c
@@ -2452,6 +2452,10 @@ gdk_pixbuf_savev (GdkPixbuf  *pixbuf,
         FILE *f = NULL;
         gboolean result;
        
+        g_return_val_if_fail (GDK_IS_PIXBUF (pixbuf), FALSE);
+        g_return_val_if_fail (gdk_pixbuf_get_width (pixbuf) >= 0, FALSE);
+        g_return_val_if_fail (gdk_pixbuf_get_height (pixbuf) >= 0, FALSE);
+        g_return_val_if_fail (gdk_pixbuf_get_n_channels (pixbuf) >= 0, FALSE);
         g_return_val_if_fail (filename != NULL, FALSE);
         g_return_val_if_fail (type != NULL, FALSE);
         g_return_val_if_fail (error == NULL || *error == NULL, FALSE);
@@ -2613,7 +2617,10 @@ gdk_pixbuf_save_to_callbackv   (GdkPixbuf  *pixbuf,
 {
         gboolean result;
         
-       
+        g_return_val_if_fail (GDK_IS_PIXBUF (pixbuf), FALSE);
+        g_return_val_if_fail (gdk_pixbuf_get_width (pixbuf) >= 0, FALSE);
+        g_return_val_if_fail (gdk_pixbuf_get_height (pixbuf) >= 0, FALSE);
+        g_return_val_if_fail (gdk_pixbuf_get_n_channels (pixbuf) >= 0, FALSE);
         g_return_val_if_fail (save_func != NULL, FALSE);
         g_return_val_if_fail (type != NULL, FALSE);
         g_return_val_if_fail (error == NULL || *error == NULL, FALSE);
@@ -2989,6 +2996,9 @@ gdk_pixbuf_save_to_streamv_async (GdkPixbuf           *pixbuf,
         SaveToStreamAsyncData *data;
 
         g_return_if_fail (GDK_IS_PIXBUF (pixbuf));
+        g_return_if_fail (gdk_pixbuf_get_width (pixbuf) >= 0);
+        g_return_if_fail (gdk_pixbuf_get_height (pixbuf) >= 0);
+        g_return_if_fail (gdk_pixbuf_get_n_channels (pixbuf) >= 0);
         g_return_if_fail (G_IS_OUTPUT_STREAM (stream));
         g_return_if_fail (type != NULL);
         g_return_if_fail (callback != NULL);
@@ -3041,6 +3051,9 @@ gdk_pixbuf_save_to_stream_async (GdkPixbuf           *pixbuf,
         va_list args;
 
         g_return_if_fail (GDK_IS_PIXBUF (pixbuf));
+        g_return_if_fail (gdk_pixbuf_get_width (pixbuf) >= 0);
+        g_return_if_fail (gdk_pixbuf_get_height (pixbuf) >= 0);
+        g_return_if_fail (gdk_pixbuf_get_n_channels (pixbuf) >= 0);
         g_return_if_fail (G_IS_OUTPUT_STREAM (stream));
         g_return_if_fail (type != NULL);
         g_return_if_fail (callback != NULL);
diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
index 3b0a1623c..96f993f40 100644
--- a/gdk-pixbuf/io-jpeg.c
+++ b/gdk-pixbuf/io-jpeg.c
@@ -1402,6 +1402,12 @@ real_save_jpeg (GdkPixbuf          *pixbuf,
        h = gdk_pixbuf_get_height (pixbuf);
        pixels = gdk_pixbuf_get_pixels (pixbuf);
 
+       /* Guaranteed by the caller. */
+       g_assert (w >= 0);
+       g_assert (h >= 0);
+       g_assert (rowstride >= 0);
+       g_assert (n_channels >= 0);
+
        /* Allocate a small buffer to convert image data,
 	* and a larger buffer if doing to_callback save.
 	*/
diff --git a/gdk-pixbuf/io-png.c b/gdk-pixbuf/io-png.c
index 364d5859b..a9fc1f6bf 100644
--- a/gdk-pixbuf/io-png.c
+++ b/gdk-pixbuf/io-png.c
@@ -1061,6 +1061,11 @@ static gboolean real_save_png (GdkPixbuf        *pixbuf,
        has_alpha = gdk_pixbuf_get_has_alpha (pixbuf);
        pixels = gdk_pixbuf_get_pixels (pixbuf);
 
+       /* Guaranteed by the caller. */
+       g_assert (w >= 0);
+       g_assert (h >= 0);
+       g_assert (rowstride >= 0);
+
        png_ptr = png_create_write_struct (PNG_LIBPNG_VER_STRING,
                                           error,
                                           png_simple_error_callback,
diff --git a/gdk-pixbuf/io-tiff.c b/gdk-pixbuf/io-tiff.c
index 9ca037852..62f25313a 100644
--- a/gdk-pixbuf/io-tiff.c
+++ b/gdk-pixbuf/io-tiff.c
@@ -720,6 +720,11 @@ gdk_pixbuf__tiff_image_save_to_callback (GdkPixbufSaveFunc   save_func,
         height = gdk_pixbuf_get_height (pixbuf);
         width = gdk_pixbuf_get_width (pixbuf);
 
+        /* Guaranteed by the caller. */
+        g_assert (width >= 0);
+        g_assert (height >= 0);
+        g_assert (rowstride >= 0);
+
         TIFFSetField (tiff, TIFFTAG_IMAGEWIDTH, width);
         TIFFSetField (tiff, TIFFTAG_IMAGELENGTH, height);
author	Philip Withnall <withnall@endlessm.com>	2017-01-18 11:15:33 +0000
committer	Philip Withnall <withnall@endlessm.com>	2017-02-07 11:08:42 +0000
commit	71e3b4a413a03627475944781f376da909de8dd5 (patch)
tree	6a239e837df4ae213fa2fb2c070aeab5f40ad8cf /gdk-pixbuf
parent	3dacbb48f0ca67d1b7124f6de58796a517dbed53 (diff)
download	gdk-pixbuf-71e3b4a413a03627475944781f376da909de8dd5.tar.gz