To: enlightenment-cvs@lists.sourceforge.net Subject: E CVS: libs/imlib2 raster From: Enlightenment CVS Date: Sat, 4 Nov 2006 23:58:06 -0500 (EST) Enlightenment CVS committal Author : raster Project : e17 Module : libs/imlib2 Dir : e17/libs/imlib2/src/modules/loaders Modified Files: loader_argb.c loader_gif.c loader_jpeg.c loader_lbm.c loader_png.c loader_pnm.c loader_tga.c loader_tiff.c loader_xpm.c Log Message: fix width and height checks in case of buffer overflow. =================================================================== RCS file: /cvs/e/e17/libs/imlib2/src/modules/loaders/loader_argb.c,v retrieving revision 1.2 retrieving revision 1.3 diff -u -3 -r1.2 -r1.3 --- loader_argb.c 14 Dec 2004 03:50:46 -0000 1.2 +++ loader_argb.c 5 Nov 2006 04:58:06 -0000 1.3 @@ -47,6 +47,11 @@ fclose(f); return 0; } + if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192)) + { + fclose(f); + return 0; + } im->w = w; im->h = h; if (!im->format) =================================================================== RCS file: /cvs/e/e17/libs/imlib2/src/modules/loaders/loader_gif.c,v retrieving revision 1.2 retrieving revision 1.3 diff -u -3 -r1.2 -r1.3 --- loader_gif.c 14 Dec 2004 03:50:46 -0000 1.2 +++ loader_gif.c 5 Nov 2006 04:58:06 -0000 1.3 @@ -72,6 +72,11 @@ } w = gif->Image.Width; h = gif->Image.Height; + if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192)) + { + DGifCloseFile(gif); + return 0; + } rows = malloc(h * sizeof(GifRowType *)); if (!rows) { =================================================================== RCS file: /cvs/e/e17/libs/imlib2/src/modules/loaders/loader_jpeg.c,v retrieving revision 1.3 retrieving revision 1.4 diff -u -3 -r1.3 -r1.4 --- loader_jpeg.c 7 Jan 2006 11:30:44 -0000 1.3 +++ loader_jpeg.c 5 Nov 2006 04:58:06 -0000 1.4 @@ -92,6 +92,12 @@ { im->w = w = cinfo.output_width; im->h = h = cinfo.output_height; + if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192)) + { + jpeg_destroy_decompress(&cinfo); + fclose(f); + return 0; + } UNSET_FLAG(im->flags, F_HAS_ALPHA); im->format = strdup("jpeg"); } =================================================================== RCS file: /cvs/e/e17/libs/imlib2/src/modules/loaders/loader_lbm.c,v retrieving revision 1.2 retrieving revision 1.3 diff -u -3 -r1.2 -r1.3 --- loader_lbm.c 6 Sep 2006 07:09:05 -0000 1.2 +++ loader_lbm.c 5 Nov 2006 04:58:06 -0000 1.3 @@ -421,7 +421,10 @@ im->w = L2RWORD(ilbm.bmhd.data); im->h = L2RWORD(ilbm.bmhd.data + 2); - if (im->w <= 0 || im->h <= 0) ok = 0; + if ((im->w < 1) || (im->h < 1) || (im->w > 8192) || (im->h > 8192)) + { + ok = 0; + } ilbm.depth = ilbm.bmhd.data[8]; if (ilbm.depth < 1 || (ilbm.depth > 8 && ilbm.depth != 24 && ilbm.depth != 32)) ok = 0; /* Only 1 to 8, 24, or 32 planes. */ =================================================================== RCS file: /cvs/e/e17/libs/imlib2/src/modules/loaders/loader_png.c,v retrieving revision 1.2 retrieving revision 1.3 diff -u -3 -r1.2 -r1.3 --- loader_png.c 14 Dec 2004 03:50:46 -0000 1.2 +++ loader_png.c 5 Nov 2006 04:58:06 -0000 1.3 @@ -85,6 +85,13 @@ &interlace_type, NULL, NULL); im->w = (int)w32; im->h = (int)h32; + if ((w32 < 1) || (h32 < 1) || (w32 > 8192) || (h32 > 8192)) + { + png_read_end(png_ptr, info_ptr); + png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp) NULL); + fclose(f); + return 0; + } if (color_type == PNG_COLOR_TYPE_PALETTE) { png_set_expand(png_ptr); =================================================================== RCS file: /cvs/e/e17/libs/imlib2/src/modules/loaders/loader_pnm.c,v retrieving revision 1.2 retrieving revision 1.3 diff -u -3 -r1.2 -r1.3 --- loader_pnm.c 27 Dec 2004 21:05:31 -0000 1.2 +++ loader_pnm.c 5 Nov 2006 04:58:06 -0000 1.3 @@ -107,7 +107,7 @@ } } } - if ((w <= 0) || (w > 8192) || (h <= 0) || (h > 8192) || (v < 0) || (v > 255)) + if ((v < 0) || (v > 255)) { fclose(f); return 0; @@ -115,6 +115,11 @@ im->w = w; im->h = h; + if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192)) + { + fclose(f); + return 0; + } if (!im->format) { if (p == '8') =================================================================== RCS file: /cvs/e/e17/libs/imlib2/src/modules/loaders/loader_tga.c,v retrieving revision 1.4 retrieving revision 1.5 diff -u -3 -r1.4 -r1.5 --- loader_tga.c 4 Nov 2006 17:43:44 -0000 1.4 +++ loader_tga.c 5 Nov 2006 04:58:06 -0000 1.5 @@ -297,9 +297,8 @@ im->w = (header->widthHi << 8) | header->widthLo; im->h = (header->heightHi << 8) | header->heightLo; - if ((im->w > 32767) || (im->w < 1) || (im->h > 32767) || (im->h < 1)) + if ((im->w < 1) || (im->h < 1) || (im->w > 8192) || (im->h > 8192)) { - im->w = 0; munmap(seg, ss.st_size); close(fd); return 0; =================================================================== RCS file: /cvs/e/e17/libs/imlib2/src/modules/loaders/loader_tiff.c,v retrieving revision 1.7 retrieving revision 1.8 diff -u -3 -r1.7 -r1.8 --- loader_tiff.c 28 May 2006 00:05:50 -0000 1.7 +++ loader_tiff.c 5 Nov 2006 04:58:06 -0000 1.8 @@ -75,11 +75,11 @@ raster(TIFFRGBAImage_Extra * img, uint32 * rast, uint32 x, uint32 y, uint32 w, uint32 h) { - uint32 image_width, image_height; + int image_width, image_height; uint32 *pixel, pixel_value; int i, j, dy, rast_offset; DATA32 *buffer_pixel, *buffer = img->image->data; - int alpha_premult = (EXTRASAMPLE_UNASSALPHA==img->rgba.alpha); + int alpha_premult; image_width = img->image->w; image_height = img->image->h; @@ -91,6 +91,8 @@ /* I don't understand why, but that seems to be what's going on. */ /* libtiff needs better docs! */ + if (img->rgba.alpha == EXTRASAMPLE_UNASSALPHA) + alpha_premult = 1; for (i = y, rast_offset = 0; i > dy; i--, rast_offset--) { pixel = rast + (rast_offset * image_width); @@ -204,6 +206,12 @@ rgba_image.image = im; im->w = width = rgba_image.rgba.width; im->h = height = rgba_image.rgba.height; + if ((width < 1) || (height < 1) || (width > 8192) || (height > 8192)) + { + TIFFRGBAImageEnd((TIFFRGBAImage *) & rgba_image); + TIFFClose(tif); + return 0; + } rgba_image.num_pixels = num_pixels = width * height; if (rgba_image.rgba.alpha != EXTRASAMPLE_UNSPECIFIED) SET_FLAG(im->flags, F_HAS_ALPHA); @@ -397,8 +405,9 @@ if (has_alpha) { + uint16 extras[] = { EXTRASAMPLE_ASSOCALPHA }; TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, 4); - TIFFSetField(tif, TIFFTAG_EXTRASAMPLES, EXTRASAMPLE_ASSOCALPHA); + TIFFSetField(tif, TIFFTAG_EXTRASAMPLES, 1, extras); } else { =================================================================== RCS file: /cvs/e/e17/libs/imlib2/src/modules/loaders/loader_xpm.c,v retrieving revision 1.5 retrieving revision 1.6 diff -u -3 -r1.5 -r1.6 --- loader_xpm.c 20 Oct 2006 18:03:15 -0000 1.5 +++ loader_xpm.c 5 Nov 2006 04:58:06 -0000 1.6 @@ -211,19 +211,19 @@ xpm_parse_done(); return 0; } - if ((w > 32767) || (w < 1)) + if ((w > 8192) || (w < 1)) { fprintf(stderr, - "IMLIB ERROR: Image width > 32767 or < 1 pixels for file\n"); + "IMLIB ERROR: Image width > 8192 or < 1 pixels for file\n"); free(line); fclose(f); xpm_parse_done(); return 0; } - if ((h > 32767) || (h < 1)) + if ((h > 8192) || (h < 1)) { fprintf(stderr, - "IMLIB ERROR: Image height > 32767 or < 1 pixels for file\n"); + "IMLIB ERROR: Image height > 8192 or < 1 pixels for file\n"); free(line); fclose(f); xpm_parse_done();