$NetBSD: patch-ab,v 1.6 2004/12/10 09:30:42 salo Exp $ --- Imlib/load.c.orig 2004-09-21 02:23:20.000000000 +0200 +++ Imlib/load.c 2004-12-10 09:58:18.000000000 +0100 @@ -4,6 +4,8 @@ #include "Imlib_private.h" #include +#define G_MAXINT ((int) 0x7fffffff) + /* Split the ID - damages input */ static char * @@ -41,13 +43,17 @@ /* * Make sure we don't wrap on our memory allocations + * we check G_MAXINT/4 because rend.c malloc's w * h * bpp + * + 3 is safety margin */ void * _imlib_malloc_image(unsigned int w, unsigned int h) { - if( w > 32767 || h > 32767) + if (w <= 0 || w > 32767 || + h <= 0 || h > 32767 || + h >= (G_MAXINT/4 - 1) / w) return NULL; - return malloc(w * h * 3); + return malloc(w * h * 3 + 3); } #ifdef HAVE_LIBJPEG @@ -254,7 +260,8 @@ png_read_image(png_ptr, lines); png_destroy_read_struct(&png_ptr, &info_ptr, NULL); ptr = data; - if (color_type == PNG_COLOR_TYPE_GRAY_ALPHA) + if (color_type == PNG_COLOR_TYPE_GRAY + || color_type == PNG_COLOR_TYPE_GRAY_ALPHA) { for (y = 0; y < *h; y++) { @@ -279,6 +286,7 @@ } } } +#if 0 else if (color_type == PNG_COLOR_TYPE_GRAY) { for (y = 0; y < *h; y++) @@ -294,6 +302,7 @@ } } } +#endif else { for (y = 0; y < *h; y++) @@ -360,7 +369,9 @@ npix = ww * hh; *w = (int)ww; *h = (int)hh; - if(ww > 32767 || hh > 32767) + if (ww <= 0 || ww > 32767 || + hh <= 0 || hh > 32767 || + hh >= (G_MAXINT/sizeof(uint32)) / ww) { TIFFClose(tif); return NULL; @@ -463,7 +474,7 @@ } *w = gif->Image.Width; *h = gif->Image.Height; - if (*h > 32767 || *w > 32767) + if (*h <= 0 || *h > 32767 || *w <= 0 || *w > 32767) { return NULL; } @@ -1000,7 +1011,12 @@ comment = 0; quote = 0; context = 0; + memset(lookup, 0, sizeof(lookup)); + line = malloc(lsz); + if (!line) + return NULL; + while (!done) { pc = c; 
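Review bot: `G_MAXINT`, added in hunk `@@ -4,6 +4,8 @@`, is a name GLib already defines, so this unguarded `#define` may clash with it or draw a redefinition diagnostic in any build where a GLib header reaches load.c. The standard constant avoids that: `#include <limits.h>` and use `INT_MAX` in the size checks below, or at least wrap the definition in `#ifndef G_MAXINT` / `#endif`. The hard-coded `0x7fffffff` also assumes a 32-bit `int`, which `INT_MAX` would not.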
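Review bot: In `_imlib_malloc_image` (hunk `@@ -41,13 +43,17 @@`) `w` and `h` are `unsigned int`, so `w <= 0` and `h <= 0` can only mean zero; `w == 0 || h == 0` states the intent and avoids the compiler's suspicious-comparison warning. The division in `(G_MAXINT/4 - 1) / w` is safe only because the zero test comes first in the `||` chain, which deserves a short comment such as `/* w is known non-zero here */` so a later reordering does not introduce a divide by zero. The block comment would read more clearly as `w * h must stay below G_MAXINT/4 because rend.c allocates w * h * bpp; the + 3 is a safety margin`.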
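Review bot: Routing `PNG_COLOR_TYPE_GRAY` into the gray+alpha branch in hunk `@@ -254,7 +260,8 @@` is only safe if every row in `lines` holds the channel layout that branch reads. The loop body and the libpng transformation calls are outside the hunk, so this cannot be confirmed from here. If the earlier setup does not add an alpha or filler channel to plain gray images, the shared branch would read past the end of each row. A comment at the condition naming the transformation that guarantees the layout would make this checkable. The old gray branch disabled with `#if 0` / `#endif` in the next two hunks would be better deleted than kept as dead code.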
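Review bot: In hunk `@@ -360,7 +369,9 @@` the lines `npix = ww * hh; *w = (int)ww; *h = (int)hh;` still run before the new range check. On the rejection path the caller's width and height therefore already hold the unvalidated values, and the product has been formed from them. Moving those three lines below the check keeps unvalidated dimensions from leaving the function. The types of `ww` and `hh` are declared outside the hunk; if they are unsigned, `ww <= 0` and `hh <= 0` should be written as `== 0`.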
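Review bot: The rejection path in hunk `@@ -463,7 +474,7 @@` is a bare `return NULL;`, whereas the TIFF path in the previous hunk calls `TIFFClose(tif)` before returning. If `gif` is an open giflib handle at this point (its setup is outside the hunk), it is not released when an image is rejected, so repeated rejected files would accumulate open handles. The handle should be closed on this path as well.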
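Review bot: The new allocation-failure path `if (!line) return NULL;` in hunk `@@ -1000,7 +1011,12 @@` returns silently, while the other rejections in this loader print an `IMLIB ERROR:` line to stderr; a matching message would keep failures diagnosable. The added `memset(lookup, 0, sizeof(lookup));` has no explanation; presumably it ensures table entries that the file never defines are not read uninitialised, and a one-line comment saying so (`/* zero the table so undefined entries are never read uninitialised */`) would record why it is needed. The enclosing function starts and ends outside the hunk.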
@@ -1029,25 +1045,25 @@ { /* Header */ sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp); - if (ncolors > 32766) + if (ncolors <= 0 || ncolors > 32766) { fprintf(stderr, "IMLIB ERROR: XPM files wth colors > 32766 not supported\n"); free(line); return NULL; } - if (cpp > 5) + if (cpp <= 0 || cpp > 5) { fprintf(stderr, "IMLIB ERROR: XPM files with characters per pixel > 5 not supported\n"); free(line); return NULL; } - if (*w > 32767) + if (*w <= 0 || *w > 32767) { fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n"); free(line); return NULL; } - if (*h > 32767) + if (*h <= 0 || *h > 32767) { fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n"); free(line); @@ -1080,11 +1096,13 @@ { int slen; int hascolor, iscolor; + int space; iscolor = 0; hascolor = 0; tok[0] = 0; col[0] = 0; + space = sizeof(col) - 1; s[0] = 0; len = strlen(line); strncpy(cmap[j].str, line, cpp); @@ -1107,10 +1125,10 @@ { if (k >= len) { - if (col[0]) - strcat(col, " "); - if (strlen(col) + strlen(s) < sizeof(col)) - strcat(col, s); + if (col[0] && space > 0) + strcat(col, " "), space -= 1; + if (slen <= space) + strcat(col, s), space -= slen; } if (col[0]) { @@ -1140,14 +1158,17 @@ } } } + if (slen < sizeof(tok)); strcpy(tok, s); col[0] = 0; + space = sizeof(col) - 1; } else { - if (col[0]) - strcat(col, " "); - strcat(col, s); + if (col[0] && space > 0) + strcat(col, " "), space -=1; + if (slen <= space) + strcat(col, s), space -= slen; } } } @@ -1376,12 +1397,12 @@ sscanf(s, "%i %i", w, h); a = *w; b = *h; - if (a > 32767) + if (a <= 0 || a > 32767) { fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n"); return NULL; } - if (b > 32767) + if (b <= 0 || b > 32767) { fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n"); return NULL;
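Review bot: The return value of `sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp)` is still unchecked in hunk `@@ -1029,25 +1045,25 @@`. A header with fewer than four numeric fields leaves some of `*w`, `*h`, `ncolors` and `cpp` at whatever they held before, and the new range tests then run on stale or uninitialised values. Guard it with `if (sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp) != 4) { free(line); return NULL; }`. The `sscanf(s, "%i %i", w, h)` call in hunk `@@ -1376,12 +1397,12 @@` needs the same check against 2. The error messages also still say only `> 32766` / `> 32767`, although the conditions now reject zero and negative values too.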
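Review bot: The comma-operator statements `strcat(col, " "), space -= 1;` and `strcat(col, s), space -= slen;` in hunk `@@ -1107,10 +1125,10 @@`, repeated in `@@ -1140,14 +1158,17 @@`, put two side effects under an unbraced `if`, which is easy to break in a later edit; braced blocks with one statement per line would be safer. The bound is only correct if `slen` holds `strlen(s)` for the current token; that assignment is outside these hunks and is worth confirming. When `s` does not fit it is dropped silently, possibly after the separator space was already appended, so an over-long colour specification is shortened rather than rejected; a comment stating that this is intended would help.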
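Review bot: The added line `if (slen < sizeof(tok));` in hunk `@@ -1140,14 +1158,17 @@` ends in a semicolon, so the `if` controls an empty statement and `strcpy(tok, s);` on the next line runs unconditionally. The bounds check this hunk was meant to add is therefore not in effect, and a token longer than `tok` can still overflow it. Drop the semicolon and avoid the signed/unsigned comparison: `if (slen < (int)sizeof(tok)) strcpy(tok, s);`. What `tok` should hold when a token is rejected is decided outside the hunk; clearing it with `else tok[0] = 0;` is presumably safer than keeping the previous key, but that should be confirmed against the code that consumes `tok`.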