Commit c83b05d5 authored by Øyvind "pippin" Kolås's avatar Øyvind "pippin" Kolås
Browse files

ppm-load: limit max permitted buffer allocation to 2GB

Fixing bug #795248
parent 69766eee
......@@ -94,6 +94,7 @@ ppm_load_read_header(FILE *fp,
/* Get Width and Height */
errno = 0;
img->width = strtol (header, &ptr, 10);
if (errno)
{
......@@ -144,15 +145,19 @@ ppm_load_read_header(FILE *fp,
}
/* Later on, img->numsamples is multiplied with img->bpc to allocate
* memory. Ensure it doesn't overflow. */
* memory. Ensure it doesn't overflow. G_MAXSIZE might have been
good enough on 32bit, for now lets just fail if the size is beyond
2GB
*/
#define MAX_PPM_SIZE (1<<31)
if (!img->width || !img->height ||
G_MAXSIZE / img->width / img->height / CHANNEL_COUNT < img->bpc)
MAX_PPM_SIZE / img->width / img->height / CHANNEL_COUNT < img->bpc)
{
g_warning ("Illegal width/height: %ld/%ld", img->width, img->height);
return FALSE;
}
img->channels = channel_count;
img->numsamples = img->width * img->height * channel_count;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment