[gimp/gimp-2-6] SGI: fix out of bounds writes



commit b428adfa9f24eceba2066f656f495b68480f6101
Author: Simon Budig <simon gimp org>
Date:   Wed Dec 9 16:05:05 2009 +0100

    SGI: fix out of bounds writes
    
    The functions read_rle8() and read_rle16() didn't check if the addresses
    to which they wrote are in bounds when expanding runlength encoded data.
    (cherry picked from commit 4d9724f2f67bca4005ca50c22afccd7bf30cc2e8)

 plug-ins/file-sgi/sgi-lib.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
---
diff --git a/plug-ins/file-sgi/sgi-lib.c b/plug-ins/file-sgi/sgi-lib.c
index 7975b09..d926553 100644
--- a/plug-ins/file-sgi/sgi-lib.c
+++ b/plug-ins/file-sgi/sgi-lib.c
@@ -681,7 +681,7 @@ read_rle8(sgi_t *sgip,		/* I - SGI image to read from */
       return (-1);
     length ++;
 
-    count = ch & 127;
+    count = MIN (ch & 127, xsize);
     if (count == 0)
       break;
 
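Review bot: Clamping with `MIN (ch & 127, xsize)` silently truncates a run that is longer than the space left in the row, so a malformed RLE stream is decoded as if it were valid. If `xsize` is already 0, the clamped count also takes the `if (count == 0) break;` path and is indistinguishable from a genuine end-of-row marker. Consider failing the read instead, e.g. `if ((ch & 127) > xsize) return (-1);` ahead of the assignment, or at least document the clamp with `/* run length comes from the file: clamp to the space left in the row */`. The bound only holds if `xsize` is the remaining-pixel counter that the copy loops decrement, which presumably happens outside this hunk, since read_rle8() begins and ends beyond it. The identical change in read_rle16() in the next hunk has the same issue.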
@@ -726,7 +726,7 @@ read_rle16(sgi_t *sgip,		/* I - SGI image to read from */
       return (-1);
     length ++;
 
-    count = ch & 127;
+    count = MIN (ch & 127, xsize);
     if (count == 0)
       break;
 


