Commit 868c9a85 authored by Matthias Clasen's avatar Matthias Clasen

Fix integer overflows in the xpm loader

parent f3f1bdc2
2005-11-15 Matthias Clasen <mclasen@redhat.com>
* io-xpm.c: Fix several integer overflows which have been
reported as CVE-2005-3186 and CVE-2005-2975.
2005-10-12 Matthias Clasen <mclasen@redhat.com>
* gdk-pixbuf-loader.c (gdk_pixbuf_loader_write): Only call
......
......@@ -405,7 +405,8 @@ file_buffer (enum buf_op op, gpointer handle)
/* Fall through to the xpm_read_string. */
case op_body:
xpm_read_string (h->infile, &h->buffer, &h->buffer_size);
if(!xpm_read_string (h->infile, &h->buffer, &h->buffer_size))
return NULL;
return h->buffer;
default:
......@@ -500,7 +501,9 @@ pixbuf_create_from_xpm (const gchar * (*get_buf) (enum buf_op op, gpointer handl
_("XPM has invalid number of chars per pixel"));
return NULL;
}
if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1)) {
if (n_col <= 0 ||
n_col >= G_MAXINT / (cpp + 1) ||
n_col >= G_MAXINT / sizeof (XPMColor)) {
g_set_error (error,
GDK_PIXBUF_ERROR,
GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
......
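Review bot: The three-part bound on `n_col` in pixbuf_create_from_xpm has no comment saying which size computation each term protects, so a later edit could drop or weaken one term unnoticed. A short comment above the condition would cover it, for example `/* reject counts where n_col * (cpp + 1) or n_col * sizeof (XPMColor) would exceed G_MAXINT */`. The allocations these terms guard are presumably further down in the function, outside the visible lines, so confirm that the products in the comment match them. The new `sizeof` term is evaluated in unsigned arithmetic (an int divided by a size_t), which still rejects a negative `n_col` if it is a signed int, but zero is caught only by the `n_col <= 0` test, so that term needs to stay. The function begins and ends outside this hunk.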