[gdk-pixbuf] pnm: Fix crash opening images with overly large dimensions
- From: Bastien Nocera <hadess src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gdk-pixbuf] pnm: Fix crash opening images with overly large dimensions
- Date: Tue, 13 Dec 2016 17:12:32 +0000 (UTC)
commit 8d54caa31e1d397d86e0336d90091a14855de493
Author: Bastien Nocera <hadess hadess net>
Date: Tue Dec 13 18:08:12 2016 +0100
pnm: Fix crash opening images with overly large dimensions
Internally, the PNM loader stores the width and height as unsigned
integers, but the external callback to the application,
GdkPixbufModuleSizeFunc, uses integers. So the maximum width and height
really are MAXINT, not MAXUINT.
https://bugzilla.gnome.org/show_bug.cgi?id=775232
gdk-pixbuf/io-pnm.c | 20 ++++++++++++++++++--
1 files changed, 18 insertions(+), 2 deletions(-)
---
diff --git a/gdk-pixbuf/io-pnm.c b/gdk-pixbuf/io-pnm.c
index 06b9e6a..c5e4fc4 100644
--- a/gdk-pixbuf/io-pnm.c
+++ b/gdk-pixbuf/io-pnm.c
@@ -325,7 +325,15 @@ pnm_read_header (PnmLoaderContext *context)
if (retval != PNM_OK)
return retval;
-
+
+ if (width > G_MAXINT) {
+ g_set_error_literal (context->error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("PNM file has an invalid width"));
+ return PNM_FATAL_ERR;
+ }
+
if (!width) {
g_set_error_literal (context->error,
GDK_PIXBUF_ERROR,
@@ -346,7 +354,15 @@ pnm_read_header (PnmLoaderContext *context)
if (retval != PNM_OK)
return retval;
-
+
+ if (height > G_MAXINT) {
+ g_set_error_literal (context->error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("PNM file has an invalid height"));
+ return PNM_FATAL_ERR;
+ }
+
if (!height) {
g_set_error_literal (context->error,
GDK_PIXBUF_ERROR,
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
