1626ccb155
Fix double free() in BMP handler (CVE-2005-0891), endless loop (CVE-2005-2975), and integer overflows in XPM loader (CVE-2005-2976, CVE-2005-3186). From Ubuntu.
$OpenBSD: patch-gdk-pixbuf_io-bmp_c,v 1.2 2005/11/21 20:20:54 naddy Exp $
|
|
--- gdk-pixbuf/io-bmp.c.orig Fri Sep 27 23:12:40 2002
|
|
+++ gdk-pixbuf/io-bmp.c Sat Nov 19 18:23:36 2005
|
|
@@ -245,7 +245,15 @@ lsb_16 (guchar *src)
|
|
static gboolean
|
|
grow_buffer (struct bmp_progressive_state *State)
|
|
{
|
|
- guchar *tmp = realloc (State->buff, State->BufferSize);
|
|
+ guchar *tmp;
|
|
+
|
|
+ if (State->BufferSize == 0) {
|
|
+ State->read_state = READ_STATE_ERROR;
|
|
+ return FALSE;
|
|
+ }
|
|
+
|
|
+ tmp = realloc (State->buff, State->BufferSize);
|
|
+
|
|
if (!tmp) {
|
|
State->read_state = READ_STATE_ERROR;
|
|
return FALSE;
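Review bot: The new `State->BufferSize == 0` guard at the top of grow_buffer carries no comment saying why zero is rejected, and that reason is the whole fix: `realloc(p, 0)` may free `p` and return NULL (the behaviour is implementation-defined in C), which would leave `State->buff` dangling while the error path still treats it as owned — the double free of CVE-2005-0891. Suggest `/* realloc(buff, 0) may free buff and return NULL; a zero-size buffer is a malformed header, so fail here before State->buff can dangle (CVE-2005-0891). */` above the check. The guard only catches an exact zero; if BufferSize is derived from header-supplied width/height/depth elsewhere, a multiplication that wraps to a small non-zero value is not rejected here and needs a check where the size is computed, which is outside this hunk. grow_buffer's body continues past the hunk, so the success path that stores tmp into State->buff is not visible here.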
|
|
@@ -870,8 +878,10 @@ DoCompressed(struct bmp_progressive_stat
|
|
guchar c;
|
|
gint idx;
|
|
|
|
- if (context->compr.y >= context->Header.height)
|
|
+ if (context->compr.y >= context->Header.height) {
|
|
+ context->BufferDone = 0;
|
|
return TRUE;
|
|
+ }
|
|
|
|
y = context->compr.y;
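Review bot: The added `context->BufferDone = 0;` on the early return in DoCompressed is the mechanism that stops the caller from re-entering with the same unconsumed buffer (the endless loop of CVE-2005-2975), but nothing in the hunk says so, and a later reader could easily drop it as a stray reset. Suggest `/* All rows decoded: mark the buffer consumed so trailing RLE data is discarded and the caller's loop terminates (CVE-2005-2975). */` above the assignment. Note that this silently discards any bytes past the last row rather than flagging them; whether that is acceptable depends on how the caller interprets BufferDone, which is not visible here. DoCompressed starts and ends outside the hunk.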
|
|
|