Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
DISCONTINUED:openSUSE:11.1:Update
xzgv
xzgv-secfix.diff
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File xzgv-secfix.diff of Package xzgv
diff -Nur ../xzgv-0.8/src/readgif.c ./src/readgif.c --- ../xzgv-0.8/src/readgif.c 2002-03-03 05:34:32.000000000 +0100 +++ ./src/readgif.c 2004-11-03 17:44:32.000000000 +0100 @@ -8,6 +8,7 @@ #include <string.h> #include <unistd.h> #include <stdlib.h> +#include "sizetmax.h" #include "readgif.h" @@ -102,7 +103,15 @@ } if(local_colour_map) readcolmap(in); - + + if ((width <= 0) || (height <=0 ) || + (width > (SIZE_T_MAX/height)) || + ((width * height) > SIZE_T_MAX/3)) + { + fclose(in); + return(0); + } + if((image=malloc(width*height*3))==NULL) { fclose(in); diff -Nur ../xzgv-0.8/src/readjpeg.c ./src/readjpeg.c --- ../xzgv-0.8/src/readjpeg.c 2003-09-16 13:52:04.000000000 +0200 +++ ./src/readjpeg.c 2004-11-03 17:48:45.000000000 +0100 @@ -13,7 +13,7 @@ #include <jpeglib.h> #include "rcfile.h" - +#include "sizetmax.h" #include "readjpeg.h" @@ -265,12 +265,21 @@ /* this one shouldn't hurt */ cinfo.do_block_smoothing=FALSE; +if ((width <= 0) || (height <=0 ) || + (width > (SIZE_T_MAX/height)) || + ((width * height) > SIZE_T_MAX/3)) + longjmp(jerr.setjmp_buffer,1); + if((*imagep=image=malloc(width*height*3))==NULL) longjmp(jerr.setjmp_buffer,1); jpeg_start_decompress(&cinfo); /* read the image */ +if ((height <= 0) || + (height > (SIZE_T_MAX/sizeof(unsigned char *)))) + longjmp(jerr.setjmp_buffer,1); + if((lineptrs=malloc(height*sizeof(unsigned char *)))==NULL) longjmp(jerr.setjmp_buffer,1); diff -Nur ../xzgv-0.8/src/readmrf.c ./src/readmrf.c --- ../xzgv-0.8/src/readmrf.c 2000-10-07 15:26:55.000000000 +0200 +++ ./src/readmrf.c 2004-11-03 17:52:49.000000000 +0100 @@ -8,7 +8,7 @@ #include <string.h> #include <stdlib.h> #include "readmrf.h" - +#include "sizetmax.h" static int bitbox,bitsleft; @@ -91,6 +91,15 @@ w64=(w+63)/64; h64=(h+63)/64; +if ((w <= 0) || (h <=0 ) || + (w > (SIZE_T_MAX/h)) || ((w * h) > SIZE_T_MAX/3) || + (w64<=0) || (h64<=0) || (w64>(SIZE_T_MAX/h64)) || + (w64*h64) > SIZE_T_MAX/(64*64)) + { + return(0); + } + + if((*bmap=malloc(w*h*3))==NULL || (image=calloc(w64*h64*64*64,1))==NULL) { diff -Nur ../xzgv-0.8/src/readpng.c ./src/readpng.c --- ../xzgv-0.8/src/readpng.c 2003-07-10 17:13:43.000000000 +0200 +++ ./src/readpng.c 2004-11-03 18:12:21.465865773 +0100 @@ -17,6 +17,7 @@ #include <png.h> #include <setjmp.h> /* after png.h to avoid horrible thing in pngconf.h */ #include "readpng.h" +#include "sizetmax.h" /* must be global to allow aborting in mid-read */ @@ -129,6 +130,14 @@ } /* allocate image memory */ +if((width <= 0) || (height <=0 ) || + (width > (SIZE_T_MAX/height)) || + ((width * height) > SIZE_T_MAX/3)) + { + fclose(in); + return(0); + } + if((*theimageptr=theimage=malloc(width*height*3))==NULL) { png_read_end(png_ptr,info_ptr); diff -Nur ../xzgv-0.8/src/readprf.c ./src/readprf.c --- ../xzgv-0.8/src/readprf.c 2001-04-09 20:08:19.000000000 +0200 +++ ./src/readprf.c 2004-11-03 17:57:10.000000000 +0100 @@ -8,6 +8,7 @@ #include <string.h> #include <stdlib.h> #include "readprf.h" +#include "sizetmax.h" #define squaresize 64 @@ -163,6 +164,12 @@ if(planes==1) bytepp=1; +if((width <= 0) || (width > (SIZE_T_MAX/squaresize))) + { + fclose(in); + return(0); + } + n=width*squaresize; if((planebuf[0]=calloc(n,planes))==NULL) { @@ -173,6 +180,13 @@ for(f=1;f<planes;f++) planebuf[f]=planebuf[f-1]+n; +if((height <= 0 ) || + (width > (SIZE_T_MAX/height)) || ((width * height) > SIZE_T_MAX/3)) + { + fclose(in); + return(0); + } + if((*theimageptr=malloc(width*height*3))==NULL) { free(planebuf[0]); diff -Nur ../xzgv-0.8/src/readtiff.c ./src/readtiff.c --- ../xzgv-0.8/src/readtiff.c 2000-12-28 04:20:55.000000000 +0100 +++ ./src/readtiff.c 2004-11-03 18:02:49.000000000 +0100 @@ -11,7 +11,7 @@ #include <setjmp.h> #include <sys/file.h> /* for open et al */ #include <tiffio.h> - +#include "sizetmax.h" #include "readtiff.h" @@ -32,10 +32,26 @@ TIFFGetField(in,TIFFTAG_IMAGEWIDTH,&width); TIFFGetField(in,TIFFTAG_IMAGELENGTH,&height); +if((width <= 0) || (height <=0 ) || + (width > (SIZE_T_MAX/height)) || + ((width * height) > SIZE_T_MAX/sizeof(uint32))) + { + TIFFClose(in); + return(0); + } + + /* the width*3 guarantees there'll be at least one line * spare for the flip afterwards. */ numpix=width*height; + +if((width > (SIZE_T_MAX/3)) || (numpix*sizeof(uint32) > SIZE_T_MAX-width*3)) + { + TIFFClose(in); + return(0); + } + if((image=malloc(numpix*sizeof(uint32)+width*3))==NULL) { TIFFClose(in); diff -Nur ../xzgv-0.8/src/sizetmax.h ./src/sizetmax.h --- ../xzgv-0.8/src/sizetmax.h 1970-01-01 01:00:00.000000000 +0100 +++ ./src/sizetmax.h 2004-11-03 18:11:55.000000000 +0100 @@ -0,0 +1,8 @@ +/* unfortunately, there is no ANSI-C constant that holds the size of + * size_t. The only thing we know is that it is "the largest unsigned + * integer type on the platform" (usually unsigned long int, but not + * always, cf. 31-bit mode S/390.) At least we can rely on it being + * unsigned, hence the following should always work. + */ + +#define SIZE_T_MAX (~((size_t) 0))
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor