File xzgv-secfix.diff of Package xzgv

diff -Nur ../xzgv-0.8/src/readgif.c ./src/readgif.c
--- ../xzgv-0.8/src/readgif.c	2002-03-03 05:34:32.000000000 +0100
+++ ./src/readgif.c	2004-11-03 17:44:32.000000000 +0100
@@ -8,6 +8,7 @@
 #include <string.h>
 #include <unistd.h>
 #include <stdlib.h>
+#include "sizetmax.h"
 #include "readgif.h"
 
 
@@ -102,7 +103,15 @@
     }
   
   if(local_colour_map) readcolmap(in);
-  
+
+  if ((width <= 0) || (height <=0 ) || 
+      (width > (SIZE_T_MAX/height)) ||
+      ((width * height) > SIZE_T_MAX/3))
+    {
+    fclose(in);
+    return(0);
+    }
+
   if((image=malloc(width*height*3))==NULL)
     {
     fclose(in);
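Review bot: The products in this guard are evaluated in the type of `width` and `height`, not in `size_t`, so if those are `int` (their declarations are outside the hunk) `width * height` in the third clause and `width*height*3` in the `malloc` call can wrap on platforms where `size_t` is wider than `int`, and the guard then accepts dimensions whose buffer comes out too small. Doing the bound by division in `size_t` avoids that: `((size_t)width > SIZE_T_MAX/3/(size_t)height)` in place of the last two clauses, and `malloc((size_t)width*height*3)` for the allocation. The same pattern appears in the guards added to readjpeg.c, readmrf.c, readpng.c, readprf.c and readtiff.c. A one-line comment above the guard saying it bounds `width*height*3` would also help the next reader.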
diff -Nur ../xzgv-0.8/src/readjpeg.c ./src/readjpeg.c
--- ../xzgv-0.8/src/readjpeg.c	2003-09-16 13:52:04.000000000 +0200
+++ ./src/readjpeg.c	2004-11-03 17:48:45.000000000 +0100
@@ -13,7 +13,7 @@
 #include <jpeglib.h>
 
 #include "rcfile.h"
-
+#include "sizetmax.h"
 #include "readjpeg.h"
 
 
@@ -265,12 +265,21 @@
 /* this one shouldn't hurt */
 cinfo.do_block_smoothing=FALSE;
 
+if ((width <= 0) || (height <=0 ) ||
+      (width > (SIZE_T_MAX/height)) ||
+      ((width * height) > SIZE_T_MAX/3))
+  longjmp(jerr.setjmp_buffer,1);
+
 if((*imagep=image=malloc(width*height*3))==NULL)
   longjmp(jerr.setjmp_buffer,1);
 
 jpeg_start_decompress(&cinfo);
 
 /* read the image */
+if ((height <= 0) ||
+    (height > (SIZE_T_MAX/sizeof(unsigned char *))))
+  longjmp(jerr.setjmp_buffer,1);
+
 if((lineptrs=malloc(height*sizeof(unsigned char *)))==NULL)
   longjmp(jerr.setjmp_buffer,1);
 
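Review bot: The second added guard, on `height` before the `lineptrs` allocation, runs after `image` has been allocated and `jpeg_start_decompress` has been called, and its `height <= 0` clause repeats what the first guard already rejected. Folding the bound into the first guard keeps all dimension validation ahead of any allocation: add `|| (height > (SIZE_T_MAX/sizeof(unsigned char *)))` there and drop the second `if`. That also leaves the `/* read the image */` comment directly above the code it describes. Whether the `setjmp` handler frees `image` on this path cannot be seen from the hunk.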
diff -Nur ../xzgv-0.8/src/readmrf.c ./src/readmrf.c
--- ../xzgv-0.8/src/readmrf.c	2000-10-07 15:26:55.000000000 +0200
+++ ./src/readmrf.c	2004-11-03 17:52:49.000000000 +0100
@@ -8,7 +8,7 @@
 #include <string.h>
 #include <stdlib.h>
 #include "readmrf.h"
-
+#include "sizetmax.h"
 
 static int bitbox,bitsleft;
 
@@ -91,6 +91,15 @@
 w64=(w+63)/64;
 h64=(h+63)/64;
 
+if ((w <= 0) || (h <=0 ) || 
+    (w > (SIZE_T_MAX/h)) || ((w * h) > SIZE_T_MAX/3) ||
+    (w64<=0) || (h64<=0) || (w64>(SIZE_T_MAX/h64)) ||
+    (w64*h64) > SIZE_T_MAX/(64*64))
+    {
+    return(0);
+    }
+
+
 if((*bmap=malloc(w*h*3))==NULL ||
    (image=calloc(w64*h64*64*64,1))==NULL)
   {
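Review bot: `w64` and `h64` are computed from `w` and `h` on the two context lines above the new guard, so `w+63` and `h+63` are evaluated before either value has been validated; if `w` and `h` are signed (they are declared outside the hunk), a value near the type's maximum overflows there first. Splitting the `w`/`h` clauses into their own check placed ahead of `w64=(w+63)/64;` closes that ordering gap. The new `return(0);` also releases nothing, so it is worth confirming against the allocation-failure branch below, whose body continues past the hunk, that no cleanup is expected on this path.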
diff -Nur ../xzgv-0.8/src/readpng.c ./src/readpng.c
--- ../xzgv-0.8/src/readpng.c	2003-07-10 17:13:43.000000000 +0200
+++ ./src/readpng.c	2004-11-03 18:12:21.465865773 +0100
@@ -17,6 +17,7 @@
 #include <png.h>
 #include <setjmp.h>	/* after png.h to avoid horrible thing in pngconf.h */
 #include "readpng.h"
+#include "sizetmax.h"
 
 
 /* must be global to allow aborting in mid-read */
@@ -129,6 +130,14 @@
   }
 
 /* allocate image memory */
+if((width <= 0) || (height <=0 ) ||
+   (width > (SIZE_T_MAX/height)) ||
+   ((width * height) > SIZE_T_MAX/3))
+    {
+    fclose(in);
+    return(0);
+    }
+
 if((*theimageptr=theimage=malloc(width*height*3))==NULL)
   {
   png_read_end(png_ptr,info_ptr);
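Review bot: The new early exit closes `in` and returns, but the allocation-failure branch directly below starts its cleanup with `png_read_end(png_ptr,info_ptr);`, which suggests the libpng read structures are live at this point and are leaked by the guard. The guard should release them the same way that branch does before `fclose(in);`, presumably with a `png_destroy_read_struct(&png_ptr,&info_ptr,NULL);` call, though the rest of that branch is outside the hunk.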
diff -Nur ../xzgv-0.8/src/readprf.c ./src/readprf.c
--- ../xzgv-0.8/src/readprf.c	2001-04-09 20:08:19.000000000 +0200
+++ ./src/readprf.c	2004-11-03 17:57:10.000000000 +0100
@@ -8,6 +8,7 @@
 #include <string.h>
 #include <stdlib.h>
 #include "readprf.h"
+#include "sizetmax.h"
 
 #define squaresize	64
 
@@ -163,6 +164,12 @@
 if(planes==1)
   bytepp=1;
 
+if((width <= 0) || (width > (SIZE_T_MAX/squaresize)))
+    {
+    fclose(in);
+    return(0);
+    }
+
 n=width*squaresize;
 if((planebuf[0]=calloc(n,planes))==NULL)
   {
@@ -173,6 +180,13 @@
 for(f=1;f<planes;f++)
   planebuf[f]=planebuf[f-1]+n;
 
+if((height <= 0 ) ||
+  (width > (SIZE_T_MAX/height)) || ((width * height) > SIZE_T_MAX/3))
+    {
+    fclose(in);
+    return(0);
+    }
+
 if((*theimageptr=malloc(width*height*3))==NULL)
   {
   free(planebuf[0]);
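Review bot: By the time this guard runs, `planebuf[0]` has already been allocated by the `calloc` in the previous hunk, yet the new error path only does `fclose(in); return(0);`; the allocation-failure branch right below shows the expected cleanup with `free(planebuf[0]);`. Add `free(planebuf[0]);` before `fclose(in);` in the guard, or move the `height` clauses up into the `width` check so that oversized images are rejected before anything is allocated.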
diff -Nur ../xzgv-0.8/src/readtiff.c ./src/readtiff.c
--- ../xzgv-0.8/src/readtiff.c	2000-12-28 04:20:55.000000000 +0100
+++ ./src/readtiff.c	2004-11-03 18:02:49.000000000 +0100
@@ -11,7 +11,7 @@
 #include <setjmp.h>
 #include <sys/file.h>  /* for open et al */
 #include <tiffio.h>
-
+#include "sizetmax.h"
 #include "readtiff.h"
 
 
@@ -32,10 +32,26 @@
 TIFFGetField(in,TIFFTAG_IMAGEWIDTH,&width);
 TIFFGetField(in,TIFFTAG_IMAGELENGTH,&height);
 
+if((width <= 0) || (height <=0 ) ||
+   (width > (SIZE_T_MAX/height)) ||
+   ((width * height) > SIZE_T_MAX/sizeof(uint32)))
+    {
+    TIFFClose(in);
+    return(0);
+    }
+
+
 /* the width*3 guarantees there'll be at least one line
  * spare for the flip afterwards.
  */
 numpix=width*height;
+
+if((width > (SIZE_T_MAX/3)) || (numpix*sizeof(uint32) > SIZE_T_MAX-width*3))
+   {
+   TIFFClose(in);
+   return(0);
+   }
+
 if((image=malloc(numpix*sizeof(uint32)+width*3))==NULL)
   {
   TIFFClose(in);
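Review bot: The guard tests `width` and `height` immediately after the two `TIFFGetField` calls, whose return values are ignored; when a tag is absent the call reports failure without storing a value, so the guard would be checking whatever the variables held before (their initialisation is outside the hunk). Checking the calls makes the validation complete: `if(!TIFFGetField(in,TIFFTAG_IMAGEWIDTH,&width) || !TIFFGetField(in,TIFFTAG_IMAGELENGTH,&height))` followed by the same `TIFFClose(in); return(0);` exit.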
diff -Nur ../xzgv-0.8/src/sizetmax.h ./src/sizetmax.h
--- ../xzgv-0.8/src/sizetmax.h	1970-01-01 01:00:00.000000000 +0100
+++ ./src/sizetmax.h	2004-11-03 18:11:55.000000000 +0100
@@ -0,0 +1,8 @@
+/* unfortunately, there is no ANSI-C constant that holds the size of
+ * size_t. The only thing we know is that it is "the largest unsigned
+ * integer type on the platform" (usually unsigned long int, but not
+ * always, cf. 31-bit mode S/390.) At least we can rely on it being
+ * unsigned, hence the following should always work.
+ */ 
+
+#define SIZE_T_MAX (~((size_t) 0))
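Review bot: The header uses `size_t` without including `<stddef.h>` and has no guard around the macro, so it depends on include order in each reader and will redefine `SIZE_T_MAX` on systems whose own headers already provide that name. Start it with `#include <stddef.h>` and wrap the definition in `#ifndef SIZE_T_MAX` / `#endif`. The comment's statement that `size_t` is the largest unsigned integer type is stronger than what the C standard promises; the macro only relies on `size_t` being unsigned, which is enough.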