[gdk-pixbuf] XBM: Fix signed integer overflow.
- From: Emmanuele Bassi <ebassi src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gdk-pixbuf] XBM: Fix signed integer overflow.
- Date: Fri, 26 Jun 2020 10:14:40 +0000 (UTC)
commit 7ebedf37abfed653a5b6dcf4d9210270c3e99e46
Author: Tobias Stoeckmann <tobias stoeckmann org>
Date: Sun Jun 7 19:41:27 2020 +0200
XBM: Fix signed integer overflow.
Parsing an XBM file with pixel bits larger than int leads to undefined
behavior (signed integer overflow).
Since only the lowest 8 bits are used, this patched code produces the
same images as before.
Also do not increment gotone but set it to a value. If more than
INT_MAX values are parsed, this int would overflow as well.
Proof of Concept (compile with -fsanitize=undefined or -ftrapv):
static unsigned char poc_bits[] = {
0xFFFFFFFF };
gdk-pixbuf/io-xbm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
---
diff --git a/gdk-pixbuf/io-xbm.c b/gdk-pixbuf/io-xbm.c
index 83de5c6da..5bf71e1bf 100644
--- a/gdk-pixbuf/io-xbm.c
+++ b/gdk-pixbuf/io-xbm.c
@@ -133,8 +133,8 @@ next_int (FILE *fstream)
/* trim high bits, check type and accumulate */
ch &= 0xff;
if (g_ascii_isxdigit (ch)) {
- value = (value << 4) + g_ascii_xdigit_value (ch);
- gotone++;
+ value = ((value & 0xf) << 4) + g_ascii_xdigit_value (ch);
+ gotone = 1;
} else if ((hex_table[ch]) < 0 && gotone) {
done++;
}
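Review bot: the `(value & 0xf)` mask on the new accumulate line has no comment explaining that truncation is intentional. The existing comment above it ("trim high bits, check type and accumulate") sits next to `ch &= 0xff` and reads as describing `ch`, so a later reader could take the mask for a bug that drops digits. A short comment stating that only the last two hex digits are kept, because only the lowest 8 bits are used (as the commit message says), would prevent that. In the unchanged branch below, `done++` is the same increment-as-flag pattern that `gotone = 1` replaces here; if `done` is only ever tested for truth, setting it to 1 would be consistent. The diffstat shows only io-xbm.c changed, so the proof of concept from the commit message is not captured as a regression test; adding it as a test image would keep the sanitizer case covered.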