File xpm-overflow.patch of Package gdk-pixbuf

Overview Repositories Revisions Requests Users Attributes Meta

File xpm-overflow.patch of Package gdk-pixbuf

--- io-xpm.c
+++ io-xpm.c
@@ -340,7 +340,7 @@
 static GdkPixbuf *
 pixbuf_create_from_xpm (const gchar * (*get_buf) (enum buf_op op, gpointer handle), gpointer handle)
 {
-	gint w, h, n_col, cpp;
+	gint w, h, n_col, cpp, items;
 	gint cnt, xcnt, ycnt, wbytes, n, ns;
 	gint is_trans = FALSE;
 	const gchar *buffer;
@@ -357,13 +357,31 @@
 		g_warning ("No XPM header found");
 		return NULL;
 	}
-	sscanf (buffer, "%d %d %d %d", &w, &h, &n_col, &cpp);
+	items = sscanf (buffer, "%d %d %d %d", &w, &h, &n_col, &cpp);
+	if (items != 4) {
+		g_warning ("Invalid XPM header");
+		return NULL;
+	}
+
+	if (w <= 0) {
+                g_warning ("XPM file has image width <= 0");
+		return NULL;
+
+	}
+	if (h <= 0) {
+                g_warning ("XPM file has image height <= 0");
+		return NULL;
+
+	}
 	if (cpp <= 0 || cpp >= 32) {
 		g_warning ("XPM has invalid number of chars per pixel");
 		return NULL;
 	}
-	if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1)) {
-		g_warning ("XPM file has invalid number of colors");
+
+	if (n_col <= 0 ||
+           n_col >= G_MAXINT / (cpp + 1) ||
+           n_col >= G_MAXINT / sizeof (_XPMColor)) {
+                g_warning ("XPM file has invalid number of colors");
 		return NULL;
 	}

Places

File xpm-overflow.patch of Package gdk-pixbuf

Places