callisto-debian/gimp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

plug-ins/common/pnm.c (load_image) plug-ins/common/psp.c

Browse Source 
2007-07-05  Raphael Quinet  <raphael@gimp.org>

	* plug-ins/common/pnm.c (load_image)
	* plug-ins/common/psp.c (read_layer_block)
	* plug-ins/common/sunras.c (load_image)
	* plug-ins/common/xbm.c (load_image)
	* plug-ins/common/xwd.c (load_image): validate size values read
	from files before using them to allocate memory (bug #451379).

svn path=/trunk/; revision=22865
This commit is contained in:
Raphael Quinet
2007-07-04 23:32:15 +00:00
committed by Raphaël Quinet
parent 8a9408f1ac
commit 8cadeeb7d0
6 changed files with 106 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
ChangeLog
View File

@ -1,3 +1,12 @@
2007-07-05 Raphaël Quinet <raphael@gimp.org>
* plug-ins/common/pnm.c (load_image)
* plug-ins/common/psp.c (read_layer_block)
* plug-ins/common/sunras.c (load_image)
* plug-ins/common/xbm.c (load_image)
* plug-ins/common/xwd.c (load_image): validate size values read
from files before using them to allocate memory (bug #451379).
2007-07-04 Mukund Sivaraman <muks@mukund.org> 2007-07-04 Mukund Sivaraman <muks@mukund.org>
* plug-ins/common/psd-load.c: validate size values read from files * plug-ins/common/psd-load.c: validate size values read from files

5
plug-ins/common/pnm.c
View File

@ -536,6 +536,8 @@ load_image (const gchar *filename)
pnminfo->xres = g_ascii_isdigit(*buf) ? atoi (buf) : 0; pnminfo->xres = g_ascii_isdigit(*buf) ? atoi (buf) : 0;
CHECK_FOR_ERROR (pnminfo->xres <= 0, pnminfo->jmpbuf, CHECK_FOR_ERROR (pnminfo->xres <= 0, pnminfo->jmpbuf,
_("Invalid X resolution.")); _("Invalid X resolution."));
CHECK_FOR_ERROR (pnminfo->xres > GIMP_MAX_IMAGE_SIZE, pnminfo->jmpbuf,
_("Image width is larger than GIMP can handle."));
pnmscanner_gettoken (scan, buf, BUFLEN); pnmscanner_gettoken (scan, buf, BUFLEN);
CHECK_FOR_ERROR (pnmscanner_eof (scan), pnminfo->jmpbuf, CHECK_FOR_ERROR (pnmscanner_eof (scan), pnminfo->jmpbuf,
@ -543,6 +545,8 @@ load_image (const gchar *filename)
pnminfo->yres = g_ascii_isdigit (*buf) ? atoi (buf) : 0; pnminfo->yres = g_ascii_isdigit (*buf) ? atoi (buf) : 0;
CHECK_FOR_ERROR (pnminfo->yres <= 0, pnminfo->jmpbuf, CHECK_FOR_ERROR (pnminfo->yres <= 0, pnminfo->jmpbuf,
_("Invalid Y resolution.")); _("Invalid Y resolution."));
CHECK_FOR_ERROR (pnminfo->yres > GIMP_MAX_IMAGE_SIZE, pnminfo->jmpbuf,
_("Image height is larger than GIMP can handle."));
if (pnminfo->np != 0) /* pbm's don't have a maxval field */ if (pnminfo->np != 0) /* pbm's don't have a maxval field */
{ {
@ -603,6 +607,7 @@ pnm_load_ascii (PNMScanner *scan,
gchar buf[BUFLEN]; gchar buf[BUFLEN];
np = (info->np) ? (info->np) : 1; np = (info->np) ? (info->np) : 1;
/* No overflow as long as gimp_tile_height() < 2730 = 2^(31 - 18) / 3 */
data = g_new (guchar, gimp_tile_height () * info->xres * np); data = g_new (guchar, gimp_tile_height () * info->xres * np);
/* Buffer reads to increase performance */ /* Buffer reads to increase performance */

10
plug-ins/common/psp.c
View File

@ -1146,6 +1146,16 @@ read_layer_block (FILE *f,
width = saved_image_rect[2] - saved_image_rect[0]; width = saved_image_rect[2] - saved_image_rect[0];
height = saved_image_rect[3] - saved_image_rect[1]; height = saved_image_rect[3] - saved_image_rect[1];
/* FIXME: checking for G_MAXINT16 is too restrictive */
if ((width <= 0) || (width > G_MAXINT16)
|| (height <= 0) || (height > G_MAXINT16))
{
g_message ("Invalid layer dimensions: %dx%d", width, height);
fclose (f);
gimp_image_delete (image_ID);
return -1;
}
IFDBG(2) g_message IFDBG(2) g_message
("layer: %s %dx%d (%dx%d) @%d,%d opacity %d blend_mode %s " ("layer: %s %dx%d (%dx%d) @%d,%d opacity %d blend_mode %s "
"%d bitmaps %d channels", "%d bitmaps %d channels",

32
plug-ins/common/sunras.c
View File

@ -429,6 +429,38 @@ load_image (const gchar *filename)
*4 + sunhdr.l_ras_maplength, SEEK_SET); *4 + sunhdr.l_ras_maplength, SEEK_SET);
} }
if (sunhdr.l_ras_width <= 0)
{
g_message (_("'%s':\nNo image width specified"),
gimp_filename_to_utf8 (filename));
fclose (ifp);
return (-1);
}
if (sunhdr.l_ras_width > GIMP_MAX_IMAGE_SIZE)
{
g_message (_("'%s':\nImage width is larger than GIMP can handle"),
gimp_filename_to_utf8 (filename));
fclose (ifp);
return (-1);
}
if (sunhdr.l_ras_height <= 0)
{
g_message (_("'%s':\nNo image height specified"),
gimp_filename_to_utf8 (filename));
fclose (ifp);
return (-1);
}
if (sunhdr.l_ras_height > GIMP_MAX_IMAGE_SIZE)
{
g_message (_("'%s':\nImage height is larger than GIMP can handle"),
gimp_filename_to_utf8 (filename));
fclose (ifp);
return (-1);
}
gimp_progress_init_printf (_("Opening '%s'"), gimp_progress_init_printf (_("Opening '%s'"),
gimp_filename_to_utf8 (filename)); gimp_filename_to_utf8 (filename));

20
plug-ins/common/xbm.c
View File

@ -805,20 +805,34 @@ load_image (const gchar *filename)
return -1; return -1;
} }
if (width == 0) if (width <= 0)
{ {
g_message (_("'%s':\nNo image width specified"), g_message (_("'%s':\nNo image width specified"),
gimp_filename_to_utf8 (filename)); gimp_filename_to_utf8 (filename));
return -1; return -1;
} }
if (height == 0) if (width > GIMP_MAX_IMAGE_SIZE)
{
g_message (_("'%s':\nImage width is larger than GIMP can handle"),
gimp_filename_to_utf8 (filename));
return -1;
}
if (height <= 0)
{ {
g_message (_("'%s':\nNo image height specified"), g_message (_("'%s':\nNo image height specified"),
gimp_filename_to_utf8 (filename)); gimp_filename_to_utf8 (filename));
return -1; return -1;
} }
if (height > GIMP_MAX_IMAGE_SIZE)
{
g_message (_("'%s':\nImage height is larger than GIMP can handle"),
gimp_filename_to_utf8 (filename));
return -1;
}
if (intbits == 0) if (intbits == 0)
{ {
g_message (_("'%s':\nNo image data type specified"), g_message (_("'%s':\nNo image data type specified"),
@ -1063,7 +1077,7 @@ save_image (const gchar *filename,
#ifdef VERBOSE #ifdef VERBOSE
if (verbose > 1) if (verbose > 1)
printf ("TGA: writing %dx(%d+%d) pixel region\n", printf ("XBM: writing %dx(%d+%d) pixel region\n",
width, i, tileheight); width, i, tileheight);
#endif #endif

33
plug-ins/common/xwd.c
View File

@ -470,6 +470,39 @@ load_image (const gchar *filename)
} }
} }
if (xwdhdr.l_pixmap_width <= 0)
{
g_message (_("'%s':\nNo image width specified"),
gimp_filename_to_utf8 (filename));
fclose (ifp);
return (-1);
}
if (xwdhdr.l_pixmap_width > GIMP_MAX_IMAGE_SIZE
|| xwdhdr.l_bytes_per_line > GIMP_MAX_IMAGE_SIZE * 3)
{
g_message (_("'%s':\nImage width is larger than GIMP can handle"),
gimp_filename_to_utf8 (filename));
fclose (ifp);
return (-1);
}
if (xwdhdr.l_pixmap_height <= 0)
{
g_message (_("'%s':\nNo image height specified"),
gimp_filename_to_utf8 (filename));
fclose (ifp);
return (-1);
}
if (xwdhdr.l_pixmap_height > GIMP_MAX_IMAGE_SIZE)
{
g_message (_("'%s':\nImage height is larger than GIMP can handle"),
gimp_filename_to_utf8 (filename));
fclose (ifp);
return (-1);
}
gimp_progress_init_printf (_("Opening '%s'"), gimp_progress_init_printf (_("Opening '%s'"),
gimp_filename_to_utf8 (filename)); gimp_filename_to_utf8 (filename));