You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
71 lines
1.9 KiB
71 lines
1.9 KiB
12 years ago
|
From 4757cdf73d3675478d645a3ec8250ba02168a230 Mon Sep 17 00:00:00 2001
|
||
|
From: Nils Philippsen <nils@redhat.com>
|
||
|
Date: Tue, 16 Oct 2012 14:56:40 +0000
|
||
|
Subject: ppm-load: CVE-2012-4433: add plausibility checks for header fields
|
||
|
|
||
|
Refuse values that are non-decimal, negative or overflow the target
|
||
|
type.
|
||
|
---
|
||
|
diff --git a/operations/external/ppm-load.c b/operations/external/ppm-load.c
|
||
|
index 3d6bce7..465096d 100644
|
||
|
--- a/operations/external/ppm-load.c
|
||
|
+++ b/operations/external/ppm-load.c
|
||
|
@@ -36,6 +36,7 @@ gegl_chant_file_path (path, _("File"), "", _("Path of file to load."))
|
||
|
#include "gegl-chant.h"
|
||
|
#include <stdio.h>
|
||
|
#include <stdlib.h>
|
||
|
+#include <errno.h>
|
||
|
|
||
|
typedef enum {
|
||
|
PIXMAP_ASCII = 51,
|
||
|
@@ -44,8 +45,8 @@ typedef enum {
|
||
|
|
||
|
typedef struct {
|
||
|
map_type type;
|
||
|
- gint width;
|
||
|
- gint height;
|
||
|
+ glong width;
|
||
|
+ glong height;
|
||
|
gsize numsamples; /* width * height * channels */
|
||
|
gsize bpc; /* bytes per channel */
|
||
|
guchar *data;
|
||
|
@@ -82,11 +83,33 @@ ppm_load_read_header(FILE *fp,
|
||
|
}
|
||
|
|
||
|
/* Get Width and Height */
|
||
|
- img->width = strtol (header,&ptr,0);
|
||
|
- img->height = atoi (ptr);
|
||
|
+ errno = 0;
|
||
|
+ img->width = strtol (header,&ptr,10);
|
||
|
+ if (errno)
|
||
|
+ {
|
||
|
+ g_warning ("Error reading width: %s", strerror(errno));
|
||
|
+ return FALSE;
|
||
|
+ }
|
||
|
+ else if (img->width < 0)
|
||
|
+ {
|
||
|
+ g_warning ("Error: width is negative");
|
||
|
+ return FALSE;
|
||
|
+ }
|
||
|
+
|
||
|
+ img->height = strtol (ptr,&ptr,10);
|
||
|
+ if (errno)
|
||
|
+ {
|
||
|
+ g_warning ("Error reading height: %s", strerror(errno));
|
||
|
+ return FALSE;
|
||
|
+ }
|
||
|
+ else if (img->width < 0)
|
||
|
+ {
|
||
|
+ g_warning ("Error: height is negative");
|
||
|
+ return FALSE;
|
||
|
+ }
|
||
|
|
||
|
fgets (header,MAX_CHARS_IN_ROW,fp);
|
||
|
- maxval = strtol (header,&ptr,0);
|
||
|
+ maxval = strtol (header,&ptr,10);
|
||
|
|
||
|
if ((maxval != 255) && (maxval != 65535))
|
||
|
{
|
||
|
--
|
||
|
cgit v0.9.0.2
|