Commit 4757cdf7 authored by Nils Philippsen's avatar Nils Philippsen
Browse files

ppm-load: CVE-2012-4433: add plausibility checks for header fields

Refuse values that are non-decimal, negative or overflow the target
type.
parent 1e92e523
...@@ -36,6 +36,7 @@ gegl_chant_file_path (path, _("File"), "", _("Path of file to load.")) ...@@ -36,6 +36,7 @@ gegl_chant_file_path (path, _("File"), "", _("Path of file to load."))
#include "gegl-chant.h" #include "gegl-chant.h"
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <errno.h>
typedef enum { typedef enum {
PIXMAP_ASCII = 51, PIXMAP_ASCII = 51,
...@@ -44,8 +45,8 @@ typedef enum { ...@@ -44,8 +45,8 @@ typedef enum {
typedef struct { typedef struct {
map_type type; map_type type;
gint width; glong width;
gint height; glong height;
gsize numsamples; /* width * height * channels */ gsize numsamples; /* width * height * channels */
gsize bpc; /* bytes per channel */ gsize bpc; /* bytes per channel */
guchar *data; guchar *data;
...@@ -82,11 +83,33 @@ ppm_load_read_header(FILE *fp, ...@@ -82,11 +83,33 @@ ppm_load_read_header(FILE *fp,
} }
/* Get Width and Height */ /* Get Width and Height */
img->width = strtol (header,&ptr,0); errno = 0;
img->height = atoi (ptr); img->width = strtol (header,&ptr,10);
if (errno)
{
g_warning ("Error reading width: %s", strerror(errno));
return FALSE;
}
else if (img->width < 0)
{
g_warning ("Error: width is negative");
return FALSE;
}
img->height = strtol (ptr,&ptr,10);
if (errno)
{
g_warning ("Error reading height: %s", strerror(errno));
return FALSE;
}
else if (img->width < 0)
{
g_warning ("Error: height is negative");
return FALSE;
}
fgets (header,MAX_CHARS_IN_ROW,fp); fgets (header,MAX_CHARS_IN_ROW,fp);
maxval = strtol (header,&ptr,0); maxval = strtol (header,&ptr,10);
if ((maxval != 255) && (maxval != 65535)) if ((maxval != 255) && (maxval != 65535))
{ {
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment