diff -Naur gimp-2.6.11/plug-ins/common/file-psp.c gimp-2.6.11-sec//plug-ins/common/file-psp.c
|
|
--- gimp-2.6.11/plug-ins/common/file-psp.c 2010-07-03 00:51:56.000000000 +0200
|
|
+++ gimp-2.6.11-sec//plug-ins/common/file-psp.c 2011-02-16 11:58:38.195883063 +0100
|
|
@@ -1244,6 +1244,10 @@
|
|
}
|
|
else
|
|
fread (buf, runcount, 1, f);
|
|
+
|
|
+ /* prevent buffer overflow for bogus data */
|
|
+ runcount = MIN (runcount, endq - q);
|
|
+
|
|
if (bytespp == 1)
|
|
{
|
|
memmove (q, buf, runcount);
|
|
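Review bot: The clamp on `runcount` counts the bytes left before `endq`, which bounds only the `bytespp == 1` `memmove` shown here. The other branch lies outside the hunk; if it advances `q` by `bytespp` for every byte copied, the write can still pass `endq`, and the limit would need to be `runcount = MIN (runcount, (endq - q) / bytespp);`. The `fread (buf, runcount, 1, f)` above the clamp still uses the unclamped count and its result is not checked, so the size of `buf` against the largest possible `runcount` is worth confirming. A short read should also stop decoding rather than copy whatever `buf` held before.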
diff -Naur gimp-2.6.11/plug-ins/common/sphere-designer.c gimp-2.6.11-sec//plug-ins/common/sphere-designer.c
|
|
--- gimp-2.6.11/plug-ins/common/sphere-designer.c 2010-07-03 00:51:56.000000000 +0200
|
|
+++ gimp-2.6.11-sec//plug-ins/common/sphere-designer.c 2011-02-16 11:58:32.967912810 +0100
|
|
@@ -1992,6 +1992,7 @@
|
|
gchar endbuf[21 * (G_ASCII_DTOSTR_BUF_SIZE + 1)];
|
|
gchar *end = endbuf;
|
|
gchar line[1024];
|
|
+ gchar fmt_str[16];
|
|
gint i;
|
|
texture *t;
|
|
gint majtype, type;
|
|
@@ -2016,6 +2017,8 @@
|
|
|
|
s.com.numtexture = 0;
|
|
|
|
+ snprintf (fmt_str, sizeof (fmt_str), "%%d %%d %%%lds", sizeof (endbuf) - 1);
|
|
+
|
|
while (!feof (f))
|
|
{
|
|
|
|
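Review bot: `%ld` is given a `size_t` here: `sizeof (endbuf) - 1` is not a `long`, and on platforms where the two types differ in width the generated field width is undefined. GLib provides a matching specifier, so the call can read `snprintf (fmt_str, sizeof (fmt_str), "%%d %%d %%%" G_GSIZE_FORMAT "s", sizeof (endbuf) - 1);`, or the argument can be cast to `long`. The same mismatch is in the `snprintf` calls of the gfig-style.c hunk at -172 and the lighting-ui.c hunk at -1381. The loop this format feeds continues outside the hunk.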
@@ -2026,7 +2029,7 @@
|
|
t = &s.com.texture[i];
|
|
setdefaults (t);
|
|
|
|
- if (sscanf (line, "%d %d %s", &t->majtype, &t->type, end) != 3)
|
|
+ if (sscanf (line, fmt_str, &t->majtype, &t->type, end) != 3)
|
|
t->color1.x = g_ascii_strtod (end, &end);
|
|
if (end && errno != ERANGE)
|
|
t->color1.y = g_ascii_strtod (end, &end);
|
|
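Review bot: The width in `fmt_str` is `sizeof (endbuf) - 1`, but the destination passed to `sscanf` is `end`, which the following `g_ascii_strtod (end, &end)` calls move forward inside `endbuf`. Unless `end` is reset to `endbuf` at the top of each iteration (the loop body starts outside this hunk), later lines are stored at an offset and the bound no longer matches the space that is left. Passing the array itself, `sscanf (line, fmt_str, &t->majtype, &t->type, endbuf)`, and then setting `end = endbuf;` keeps the width and the destination in step. The `!= 3` test also appears to guard only the `color1.x` assignment, so a line that failed to parse seems to be the one that is parsed further; that looks unintended and is worth confirming.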
diff -Naur gimp-2.6.11/plug-ins/gfig/gfig-style.c gimp-2.6.11-sec//plug-ins/gfig/gfig-style.c
|
|
--- gimp-2.6.11/plug-ins/gfig/gfig-style.c 2010-07-03 00:51:59.000000000 +0200
|
|
+++ gimp-2.6.11-sec//plug-ins/gfig/gfig-style.c 2011-02-16 11:58:32.967912810 +0100
|
|
@@ -165,6 +165,7 @@
|
|
gchar *ptr;
|
|
gchar *tmpstr;
|
|
gchar *endptr;
|
|
+ gchar fmt_str[32];
|
|
gchar colorstr_r[G_ASCII_DTOSTR_BUF_SIZE];
|
|
gchar colorstr_g[G_ASCII_DTOSTR_BUF_SIZE];
|
|
gchar colorstr_b[G_ASCII_DTOSTR_BUF_SIZE];
|
|
@@ -172,6 +173,10 @@
|
|
|
|
style_entry->r = style_entry->g = style_entry->b = style_entry->a = 0.;
|
|
|
|
+ snprintf (fmt_str, sizeof (fmt_str), "%%%lds %%%lds %%%lds %%%lds",
|
|
+ sizeof (colorstr_r) - 1, sizeof (colorstr_g) - 1,
|
|
+ sizeof (colorstr_b) - 1, sizeof (colorstr_a) - 1);
|
|
+
|
|
while (n < nitems)
|
|
{
|
|
ptr = strchr (text[n], ':');
|
|
@@ -181,7 +186,8 @@
|
|
ptr++;
|
|
if (!strcmp (tmpstr, name))
|
|
{
|
|
- sscanf (ptr, "%s %s %s %s", colorstr_r, colorstr_g, colorstr_b, colorstr_a);
|
|
+ sscanf (ptr, fmt_str,
|
|
+ colorstr_r, colorstr_g, colorstr_b, colorstr_a);
|
|
style_entry->r = g_ascii_strtod (colorstr_r, &endptr);
|
|
style_entry->g = g_ascii_strtod (colorstr_g, &endptr);
|
|
style_entry->b = g_ascii_strtod (colorstr_b, &endptr);
|
|
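Review bot: The return value of `sscanf` is still ignored, so when fewer than four tokens follow the colon the remaining `colorstr_*` arrays are passed to `g_ascii_strtod` with indeterminate contents; the ones visible in the declaration hunk have no initialisers. Testing the count, `if (sscanf (ptr, fmt_str, colorstr_r, colorstr_g, colorstr_b, colorstr_a) != 4)`, and keeping the zero defaults assigned before the loop on failure closes that read. The four `fscanf` calls in the lighting-ui.c hunk at -1381 have the same gap: a field that fails to match leaves `buffer1` to `buffer3` holding the previous field's text, or nothing defined at all for the first field. The enclosing function continues outside this hunk.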
diff -Naur gimp-2.6.11/plug-ins/lighting/lighting-ui.c gimp-2.6.11-sec//plug-ins/lighting/lighting-ui.c
|
|
--- gimp-2.6.11/plug-ins/lighting/lighting-ui.c 2010-07-03 00:51:59.000000000 +0200
|
|
+++ gimp-2.6.11-sec//plug-ins/lighting/lighting-ui.c 2011-02-16 11:58:32.968912815 +0100
|
|
@@ -1342,6 +1342,7 @@
|
|
gchar buffer3[G_ASCII_DTOSTR_BUF_SIZE];
|
|
gchar type_label[21];
|
|
gchar *endptr;
|
|
+ gchar fmt_str[32];
|
|
|
|
if (response_id == GTK_RESPONSE_OK)
|
|
{
|
|
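Review bot: `type_label[21]` is declared beside the buffers this patch bounds, but neither hunk of this file shows the read that fills it. If that read is also a bare `%s` conversion it needs the same width limit, for example `%20s` to match the 21-byte array. That should be checked before the preset loader is treated as covered.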
@@ -1381,23 +1382,41 @@
|
|
return;
|
|
}
|
|
|
|
- fscanf (fp, " Position: %s %s %s", buffer1, buffer2, buffer3);
|
|
+ snprintf (fmt_str, sizeof (fmt_str),
|
|
+ " Position: %%%lds %%%lds %%%lds",
|
|
+ sizeof (buffer1) - 1,
|
|
+ sizeof (buffer2) - 1,
|
|
+ sizeof (buffer3) - 1);
|
|
+ fscanf (fp, fmt_str, buffer1, buffer2, buffer3);
|
|
source->position.x = g_ascii_strtod (buffer1, &endptr);
|
|
source->position.y = g_ascii_strtod (buffer2, &endptr);
|
|
source->position.z = g_ascii_strtod (buffer3, &endptr);
|
|
|
|
- fscanf (fp, " Direction: %s %s %s", buffer1, buffer2, buffer3);
|
|
+ snprintf (fmt_str, sizeof (fmt_str),
|
|
+ " Direction: %%%lds %%%lds %%%lds",
|
|
+ sizeof (buffer1) - 1,
|
|
+ sizeof (buffer2) - 1,
|
|
+ sizeof (buffer3) - 1);
|
|
+ fscanf (fp, fmt_str, buffer1, buffer2, buffer3);
|
|
source->direction.x = g_ascii_strtod (buffer1, &endptr);
|
|
source->direction.y = g_ascii_strtod (buffer2, &endptr);
|
|
source->direction.z = g_ascii_strtod (buffer3, &endptr);
|
|
|
|
- fscanf (fp, " Color: %s %s %s", buffer1, buffer2, buffer3);
|
|
+ snprintf (fmt_str, sizeof (fmt_str),
|
|
+ " Color: %%%lds %%%lds %%%lds",
|
|
+ sizeof (buffer1) - 1,
|
|
+ sizeof (buffer2) - 1,
|
|
+ sizeof (buffer3) - 1);
|
|
+ fscanf (fp, fmt_str, buffer1, buffer2, buffer3);
|
|
source->color.r = g_ascii_strtod (buffer1, &endptr);
|
|
source->color.g = g_ascii_strtod (buffer2, &endptr);
|
|
source->color.b = g_ascii_strtod (buffer3, &endptr);
|
|
source->color.a = 1.0;
|
|
|
|
- fscanf (fp, " Intensity: %s", buffer1);
|
|
+ snprintf (fmt_str, sizeof (fmt_str),
|
|
+ " Intensity: %%%lds",
|
|
+ sizeof (buffer1) - 1);
|
|
+ fscanf (fp, fmt_str, buffer1);
|
|
source->intensity = g_ascii_strtod (buffer1, &endptr);
|
|
|
|
}
|
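Review bot: `snprintf`'s result is never examined in any of the four format builds, and `fmt_str[32]` leaves little room: assuming `G_ASCII_DTOSTR_BUF_SIZE` is GLib's 39, the " Direction:" format needs 27 bytes including the terminator. A truncated format would silently drop or shorten a conversion, so either compare the result with `sizeof (fmt_str)` or declare the buffer with more headroom, e.g. `gchar fmt_str[64];`. Because the format is assembled at run time the compiler cannot check the `fscanf` arguments against it, so a short comment at each call stating how many buffers the format expects would help the next reader.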