openbsd-ports/graphics/imlib/patches/patch-Imlib_load_c
robert c5ded5b610 SECURITY:
Marcus Meissner discovered that imlib's BMP decoder would crash
when loading the test BMP file created by Chris Evans for testing
a previous Qt vulnerability.
It is believed that this bug could be exploited for arbitrary code execution.

ok brad@
2004-09-15 19:41:44 +00:00

215 lines
5.6 KiB
Plaintext

$OpenBSD: patch-Imlib_load_c,v 1.5 2004/09/15 19:41:44 robert Exp $
--- Imlib/load.c.orig Fri Mar 22 15:43:04 2002
+++ Imlib/load.c Wed Sep 15 11:28:55 2004
@@ -254,7 +254,8 @@
png_read_image(png_ptr, lines);
png_destroy_read_struct(&png_ptr, &info_ptr, NULL);
ptr = data;
- if (color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
+ if (color_type == PNG_COLOR_TYPE_GRAY
+ || color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
{
for (y = 0; y < *h; y++)
{
@@ -279,6 +280,7 @@
}
}
}
+#if 0
else if (color_type == PNG_COLOR_TYPE_GRAY)
{
for (y = 0; y < *h; y++)
@@ -294,6 +296,7 @@
}
}
}
+#endif
else
{
for (y = 0; y < *h; y++)
@@ -631,12 +634,12 @@
fread(dbuf, 4, 2, file);
*w = (int)dbuf[0];
*h = (int)dbuf[1];
- if (*w > 32767)
+ if ((*w < 0) || (*w > 32767))
{
fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n");
return NULL;
}
- if (*h > 32767)
+ if ((*h < 0) || (*h > 32767))
{
fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n");
return NULL;
@@ -645,9 +648,9 @@
planes = (int)word;
fread(&word, 2, 1, file);
bpp = (int)word;
- if (bpp != 1 && bpp != 4 && bpp != 8 && bpp && 16 && bpp != 24 && bpp != 32)
+ if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32)
{
- fprintf(stderr, "IMLIB ERROR: unknown bitdepth in file\n");
+ fprintf(stderr, "IMLIB ERROR: unknown bitdepth %d in file\n", bpp);
return NULL;
}
fread(dbuf, 4, 4, file);
@@ -661,6 +664,9 @@
ncolors = (int)dbuf[0];
if (ncolors == 0)
ncolors = 1 << bpp;
+ if ((ncolors < 0) || (ncolors > (1 << bpp)))
+ ncolors = 1 << bpp;
+
/* some more sanity checks */
if (((comp == BI_RLE4) && (bpp != 4)) || ((comp == BI_RLE8) && (bpp != 8)) || ((comp == BI_BITFIELDS) && (bpp != 16 && bpp != 32)))
{
@@ -786,9 +792,13 @@
for (bit = 0; bit < 8; bit++)
{
index = ((byte & (0x80 >> bit)) ? 1 : 0);
+ /* possibly corrupted file? */
+ if (index < ncolors && poffset < *w * *h * 3)
+ {
ptr[poffset] = cmap[index].r;
ptr[poffset + 1] = cmap[index].g;
ptr[poffset + 2] = cmap[index].b;
+ }
column++;
}
}
@@ -810,9 +820,13 @@
index = ((byte & (0xF0 >> nibble * 4)) >> (!nibble * 4));
if (index >= 16)
index = 15;
+ /* possibly corrupted file? */
+ if (index < ncolors && poffset < *w * *h * 3)
+ {
ptr[poffset] = cmap[index].r;
ptr[poffset + 1] = cmap[index].g;
ptr[poffset + 2] = cmap[index].b;
+ }
column++;
}
}
@@ -851,9 +865,13 @@
{
linepos++;
byte = getc(file);
+ /* possibly corrupted file? */
+ if (byte < ncolors && poffset < *w * *h * 3)
+ {
ptr[poffset] = cmap[byte].r;
ptr[poffset + 1] = cmap[byte].g;
ptr[poffset + 2] = cmap[byte].b;
+ }
column++;
}
if (absolute & 0x01)
@@ -864,9 +882,13 @@
{
for (i = 0; i < first; i++)
{
+ /* possibly corrupted file? */
+ if (byte < ncolors && poffset < *w * *h * 3)
+ {
ptr[poffset] = cmap[byte].r;
ptr[poffset + 1] = cmap[byte].g;
ptr[poffset + 2] = cmap[byte].b;
+ }
column++;
linepos++;
}
@@ -874,9 +896,13 @@
}
else
{
+ /* possibly corrupted file? */
+ if (byte < ncolors && poffset < *w * *h * 3)
+ {
ptr[poffset] = cmap[byte].r;
ptr[poffset + 1] = cmap[byte].g;
ptr[poffset + 2] = cmap[byte].b;
+ }
column++;
}
}
@@ -884,9 +910,12 @@
else if (bpp == 24)
{
linepos += fread(bbuf, 1, 3, file);
+ if (poffset< *w * *h * 3)
+ {
ptr[poffset] = (unsigned char)bbuf[2];
ptr[poffset + 1] = (unsigned char)bbuf[1];
ptr[poffset + 2] = (unsigned char)bbuf[0];
+ }
column++;
}
else if (bpp == 16)
@@ -894,12 +923,16 @@
unsigned char temp;
linepos += fread(&word, 2, 1, file);
+ /* possibly corrupted file? */
+ if (poffset < *w * *h * 3)
+ {
temp = (word & rmask) >> rshift;
ptr[poffset] = temp;
temp = (word & gmask) >> gshift;
ptr[poffset + 1] = temp;
temp = (word & bmask) >> gshift;
ptr[poffset + 2] = temp;
+ }
column++;
}
else
@@ -907,12 +940,16 @@
unsigned char temp;
linepos += fread(&dword, 4, 1, file);
+ /* possibly corrupted file? */
+ if (poffset < *w * *h * 3)
+ {
temp = (dword & rmask) >> rshift;
ptr[poffset] = temp;
temp = (dword & gmask) >> gshift;
ptr[poffset + 1] = temp;
temp = (dword & bmask) >> bshift;
ptr[poffset + 2] = temp;
+ }
column++;
}
}
@@ -1061,7 +1098,7 @@
if (line[k] != ' ')
{
s[0] = 0;
- sscanf(&line[k], "%256s", s);
+ sscanf(&line[k], "%255s", s);
slen = strlen(s);
k += slen;
if (!strcmp(s, "c"))
@@ -1861,7 +1898,7 @@
free(im);
return NULL;
}
- sscanf(s, "%256s %i", s1, &num);
+ sscanf(s, "%255s %i", s1, &num);
if (num <= 0)
{
fclose(p);
@@ -1870,10 +1907,10 @@
}
while (fgets(s, 4096, p))
{
- sscanf(s, "%256s", s1);
+ sscanf(s, "%255s", s1);
if (!strcmp("IMAGE", s1))
{
- sscanf(s, "%256s %i %256s %i %i %i %i %i %i %i %i %i", s1, &size,
+ sscanf(s, "%255s %i %255s %i %i %i %i %i %i %i %i %i", s1, &size,
s2, &w, &h, &r, &g, &b, &bl, &br, &bt, &bb);
if (!iden[0])
break;