From 71e3b4a413a03627475944781f376da909de8dd5 Mon Sep 17 00:00:00 2001
From: Philip Withnall <withnall@endlessm.com>
Date: Wed, 18 Jan 2017 11:15:33 +0000
Subject: gdk-pixbuf-io: Add precondition checks for image dimensions

Refuse to save an invalid GdkPixbuf: one which has negative width,
height or number of channels.

This allows us to put assertions for all those properties in the I/O
code, which helps static analysis not go off on one because it thinks
the image width could be negative.

Coverity ID: 1388534

https://bugzilla.gnome.org/show_bug.cgi?id=777374
---
 gdk-pixbuf/gdk-pixbuf-io.c | 15 ++++++++++++++-
 gdk-pixbuf/io-jpeg.c       |  6 ++++++
 gdk-pixbuf/io-png.c        |  5 +++++
 gdk-pixbuf/io-tiff.c       |  5 +++++
 4 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/gdk-pixbuf/gdk-pixbuf-io.c b/gdk-pixbuf/gdk-pixbuf-io.c
index 4295cfeb2..26c292118 100644
--- a/gdk-pixbuf/gdk-pixbuf-io.c
+++ b/gdk-pixbuf/gdk-pixbuf-io.c
@@ -2452,6 +2452,10 @@ gdk_pixbuf_savev (GdkPixbuf  *pixbuf,
         FILE *f = NULL;
         gboolean result;
        
+        g_return_val_if_fail (GDK_IS_PIXBUF (pixbuf), FALSE);
+        g_return_val_if_fail (gdk_pixbuf_get_width (pixbuf) >= 0, FALSE);
+        g_return_val_if_fail (gdk_pixbuf_get_height (pixbuf) >= 0, FALSE);
+        g_return_val_if_fail (gdk_pixbuf_get_n_channels (pixbuf) >= 0, FALSE);
         g_return_val_if_fail (filename != NULL, FALSE);
         g_return_val_if_fail (type != NULL, FALSE);
         g_return_val_if_fail (error == NULL || *error == NULL, FALSE);
@@ -2613,7 +2617,10 @@ gdk_pixbuf_save_to_callbackv   (GdkPixbuf  *pixbuf,
 {
         gboolean result;
         
-       
+        g_return_val_if_fail (GDK_IS_PIXBUF (pixbuf), FALSE);
+        g_return_val_if_fail (gdk_pixbuf_get_width (pixbuf) >= 0, FALSE);
+        g_return_val_if_fail (gdk_pixbuf_get_height (pixbuf) >= 0, FALSE);
+        g_return_val_if_fail (gdk_pixbuf_get_n_channels (pixbuf) >= 0, FALSE);
         g_return_val_if_fail (save_func != NULL, FALSE);
         g_return_val_if_fail (type != NULL, FALSE);
         g_return_val_if_fail (error == NULL || *error == NULL, FALSE);
@@ -2989,6 +2996,9 @@ gdk_pixbuf_save_to_streamv_async (GdkPixbuf           *pixbuf,
         SaveToStreamAsyncData *data;
 
         g_return_if_fail (GDK_IS_PIXBUF (pixbuf));
+        g_return_if_fail (gdk_pixbuf_get_width (pixbuf) >= 0);
+        g_return_if_fail (gdk_pixbuf_get_height (pixbuf) >= 0);
+        g_return_if_fail (gdk_pixbuf_get_n_channels (pixbuf) >= 0);
         g_return_if_fail (G_IS_OUTPUT_STREAM (stream));
         g_return_if_fail (type != NULL);
         g_return_if_fail (callback != NULL);
@@ -3041,6 +3051,9 @@ gdk_pixbuf_save_to_stream_async (GdkPixbuf           *pixbuf,
         va_list args;
 
         g_return_if_fail (GDK_IS_PIXBUF (pixbuf));
+        g_return_if_fail (gdk_pixbuf_get_width (pixbuf) >= 0);
+        g_return_if_fail (gdk_pixbuf_get_height (pixbuf) >= 0);
+        g_return_if_fail (gdk_pixbuf_get_n_channels (pixbuf) >= 0);
         g_return_if_fail (G_IS_OUTPUT_STREAM (stream));
         g_return_if_fail (type != NULL);
         g_return_if_fail (callback != NULL);
diff --git a/gdk-pixbuf/io-jpeg.c b/gdk-pixbuf/io-jpeg.c
index 3b0a1623c..96f993f40 100644
--- a/gdk-pixbuf/io-jpeg.c
+++ b/gdk-pixbuf/io-jpeg.c
@@ -1402,6 +1402,12 @@ real_save_jpeg (GdkPixbuf          *pixbuf,
        h = gdk_pixbuf_get_height (pixbuf);
        pixels = gdk_pixbuf_get_pixels (pixbuf);
 
+       /* Guaranteed by the caller. */
+       g_assert (w >= 0);
+       g_assert (h >= 0);
+       g_assert (rowstride >= 0);
+       g_assert (n_channels >= 0);
+
        /* Allocate a small buffer to convert image data,
 	* and a larger buffer if doing to_callback save.
 	*/
diff --git a/gdk-pixbuf/io-png.c b/gdk-pixbuf/io-png.c
index 364d5859b..a9fc1f6bf 100644
--- a/gdk-pixbuf/io-png.c
+++ b/gdk-pixbuf/io-png.c
@@ -1061,6 +1061,11 @@ static gboolean real_save_png (GdkPixbuf        *pixbuf,
        has_alpha = gdk_pixbuf_get_has_alpha (pixbuf);
        pixels = gdk_pixbuf_get_pixels (pixbuf);
 
+       /* Guaranteed by the caller. */
+       g_assert (w >= 0);
+       g_assert (h >= 0);
+       g_assert (rowstride >= 0);
+
        png_ptr = png_create_write_struct (PNG_LIBPNG_VER_STRING,
                                           error,
                                           png_simple_error_callback,
diff --git a/gdk-pixbuf/io-tiff.c b/gdk-pixbuf/io-tiff.c
index 9ca037852..62f25313a 100644
--- a/gdk-pixbuf/io-tiff.c
+++ b/gdk-pixbuf/io-tiff.c
@@ -720,6 +720,11 @@ gdk_pixbuf__tiff_image_save_to_callback (GdkPixbufSaveFunc   save_func,
         height = gdk_pixbuf_get_height (pixbuf);
         width = gdk_pixbuf_get_width (pixbuf);
 
+        /* Guaranteed by the caller. */
+        g_assert (width >= 0);
+        g_assert (height >= 0);
+        g_assert (rowstride >= 0);
+
         TIFFSetField (tiff, TIFFTAG_IMAGEWIDTH, width);
         TIFFSetField (tiff, TIFFTAG_IMAGELENGTH, height);
 
-- 
cgit v1.2.1