Overview

File imlib-1.9.14-alt-bound.patch of Package imlib

--- imlib-1.9.14/gdk_imlib/io-bmp.c
+++ imlib-1.9.14/gdk_imlib/io-bmp.c
@@ -201,6 +201,13 @@
 		  for (bit = 0; bit < 8; bit++)
 		    {
 		      index = ((byte & (0x80 >> bit)) ? 1 : 0);
+		      if (index >= ncolors || poffset >= *w * *h * 3)
+			{
+			  fprintf(stderr, "IMLIB ERROR: corrupted file\n");
+			  free(data);
+			  free(cmap);
+			  return NULL;
+			}
 		      ptr[poffset] = cmap[index].r;
 		      ptr[poffset + 1] = cmap[index].g;
 		      ptr[poffset + 2] = cmap[index].b;
@@ -225,6 +232,8 @@
 			  index = ((byte & (0xF0 >> nibble * 4)) >> (!nibble * 4));
 			  if (index >= 16)
 			    index = 15;
+			  if (index >= ncolors || poffset >= *w * *h * 3)
+			    continue;
 			  ptr[poffset] = cmap[index].r;
 			  ptr[poffset + 1] = cmap[index].g;
 			  ptr[poffset + 2] = cmap[index].b;
@@ -267,6 +276,13 @@
 				{
 				  linepos++;
 				  byte = getc(file);
+				  if (byte >= ncolors || poffset >= *w * *h * 3)
+				    {
+				      fprintf(stderr, "IMLIB ERROR: corrupted file\n");
+				      free(data);
+				      free(cmap);
+				      return NULL;
+				    }
 				  ptr[poffset] = cmap[byte].r;
 				  ptr[poffset + 1] = cmap[byte].g;
 				  ptr[poffset + 2] = cmap[byte].b;
@@ -280,6 +296,13 @@
 			{
 			  for (i = 0; i < first; i++)
 			    {
+			      if (byte >= ncolors || poffset >= *w * *h * 3)
+				{
+				  fprintf(stderr, "IMLIB ERROR: corrupted file\n");
+				  free(data);
+				  free(cmap);
+				  return NULL;
+				}
 			      ptr[poffset] = cmap[byte].r;
 			      ptr[poffset + 1] = cmap[byte].g;
 			      ptr[poffset + 2] = cmap[byte].b;
@@ -290,6 +313,13 @@
 		    }
 		  else
 		    {
+		      if (byte >= ncolors || poffset >= *w * *h * 3)
+			{
+			  fprintf(stderr, "IMLIB ERROR: corrupted file\n");
+			  free(data);
+			  free(cmap);
+			  return NULL;
+			}
 		      ptr[poffset] = cmap[byte].r;
 		      ptr[poffset + 1] = cmap[byte].g;
 		      ptr[poffset + 2] = cmap[byte].b;
@@ -301,6 +331,13 @@
 	  else if (bpp == 24)
 	    {
 	      linepos += fread(&bbuf, 1, 3, file);
+	      if (poffset >= *w * *h * 3)
+		{
+		  fprintf(stderr, "IMLIB ERROR: corrupted file\n");
+		  free(data);
+		  free(cmap);
+		  return NULL;
+		}
 	      ptr[poffset] = (unsigned char)bbuf[2];
 	      ptr[poffset + 1] = (unsigned char)bbuf[1];
 	      ptr[poffset + 2] = (unsigned char)bbuf[0];
@@ -311,6 +348,13 @@
 	      unsigned char       temp;
 
 	      linepos += fread(&word, 2, 1, file);
+	      if (poffset >= *w * *h * 3)
+		{
+		  fprintf(stderr, "IMLIB ERROR: corrupted file\n");
+		  free(data);
+		  free(cmap);
+		  return NULL;
+		}
 	      temp = (word & rmask) >> rshift;
 	      ptr[poffset] = temp;
 	      temp = (word & gmask) >> gshift;
@@ -324,6 +368,13 @@
 	      unsigned char       temp;
 
 	      linepos += fread(&dword, 4, 1, file);
+	      if (poffset >= *w * *h * 3)
+		{
+		  fprintf(stderr, "IMLIB ERROR: corrupted file\n");
+		  free(data);
+		  free(cmap);
+		  return NULL;
+		}
 	      temp = (dword & rmask) >> rshift;
 	      ptr[poffset] = temp;
 	      temp = (dword & gmask) >> gshift;
openSUSE Build Service is sponsored by
Places