authorTobias Stoeckmann <tobias@stoeckmann.org>2020-06-07 19:41:27 +0200
committerEmmanuele Bassi <ebassi@gmail.com>2020-06-26 10:10:53 +0000
commit7ebedf37abfed653a5b6dcf4d9210270c3e99e46 (patch)
treeb75fce50273ff348ee1e47d66fcd5a52a8578f13 /gdk-pixbuf
parent3756f7b4a1d8d0f53f52d09dd50288582c4a79b6 (diff)
XBM: Fix signed integer overflow.
Parsing an XBM file with pixel bits larger than int leads to undefined behavior (signed integer overflow). Since only the lowest 8 bits are used, this patched code produces the same images as before. Also do not increment gotone but set it to a value. If more than INT_MAX values are parsed, this int would overflow as well. Proof of Concept (compile with -fsanitize=undefined or -ftrapv): static unsigned char poc_bits[] = { 0xFFFFFFFF };
Diffstat (limited to 'gdk-pixbuf')
-rw-r--r--gdk-pixbuf/io-xbm.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/gdk-pixbuf/io-xbm.c b/gdk-pixbuf/io-xbm.c
index 83de5c6da..5bf71e1bf 100644
--- a/gdk-pixbuf/io-xbm.c
+++ b/gdk-pixbuf/io-xbm.c
@@ -133,8 +133,8 @@ next_int (FILE *fstream)
/* trim high bits, check type and accumulate */
ch &= 0xff;
if (g_ascii_isxdigit (ch)) {
- value = (value << 4) + g_ascii_xdigit_value (ch);
- gotone++;
+ value = ((value & 0xf) << 4) + g_ascii_xdigit_value (ch);
+ gotone = 1;
} else if ((hex_table[ch]) < 0 && gotone) {
done++;
}
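Review bot: The mask on the new `value = ((value & 0xf) << 4) + ...` line caps next_int's result at 8 bits, which is only safe if no caller reads more than the low byte of the return value. The callers are outside this hunk, so this should be confirmed, in particular for any path that parses 16-bit words (the older X10 XBM variant declares its data as shorts). If such a path exists, a wider mask such as `value = ((value & 0xfff) << 4) + g_ascii_xdigit_value (ch);` would still rule out the signed overflow while keeping 16 bits. Either way a comment above the line would help, e.g. `/* keep only the previous nibble so value stays in 0..255 and the shift cannot overflow */`. The body of next_int starts and ends outside the hunk.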