Fix integer overflows in the xpm loader

868c9a85 · Matthias Clasen · f3f1bdc2 · 868c9a85 · 868c9a85
Commit 868c9a85 authored Nov 15, 2005 by Matthias Clasen
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 2 deletions

gdk-pixbuf/ChangeLog gdk-pixbuf/ChangeLog +5 -0

gdk-pixbuf/io-xpm.c gdk-pixbuf/io-xpm.c +5 -2

No files found.
--- a/gdk-pixbuf/ChangeLog
+++ b/gdk-pixbuf/ChangeLog
+2005-11-15  Matthias Clasen  <mclasen@redhat.com>
+
+	* io-xpm.c: Fix several integer overflows which have been
+	reported as CVE-2005-3186 and CVE-2005-2975.
+
 2005-10-12  Matthias Clasen  <mclasen@redhat.com>

 	* gdk-pixbuf-loader.c (gdk_pixbuf_loader_write): Only call

--- a/gdk-pixbuf/io-xpm.c
+++ b/gdk-pixbuf/io-xpm.c
@@ -405,7 +405,8 @@ file_buffer (enum buf_op op, gpointer handle)
 		/* Fall through to the xpm_read_string. */

 	case op_body:
-		xpm_read_string (h->infile, &h->buffer, &h->buffer_size);
+		if(!xpm_read_string (h->infile, &h->buffer, &h->buffer_size))
+			return NULL;
 		return h->buffer;

 	default:
@@ -500,7 +501,9 @@ pixbuf_create_from_xpm (const gchar * (*get_buf) (enum buf_op op, gpointer handl
                             _("XPM has invalid number of chars per pixel"));
 		return NULL;
 	}
-	if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1)) {
+	if (n_col <= 0 || 
+	    n_col >= G_MAXINT / (cpp + 1) || 
+	    n_col >= G_MAXINT / sizeof (XPMColor)) {
                g_set_error (error,
                             GDK_PIXBUF_ERROR,
                             GDK_PIXBUF_ERROR_CORRUPT_IMAGE,