[packages/gdk-pixbuf.git] / gdk-pixbuf-loaders.patch

--- gdk-pixbuf-0.22.0/gdk-pixbuf/io-ico.c.loaders	2004-09-15 13:32:28.397302000 -0400
+++ gdk-pixbuf-0.22.0/gdk-pixbuf/io-ico.c	2004-09-15 13:32:28.441258000 -0400
@@ -330,6 +330,9 @@
 
 	State->HeaderSize+=I;
 
+ 	if (State->HeaderSize < 0)
+ 		return FALSE;
+ 
  	if (State->HeaderSize>State->BytesInHeaderBuf) {
 		guchar *tmp=realloc(State->HeaderBuf,State->HeaderSize);
 		if (!tmp)
--- gdk-pixbuf-0.22.0/gdk-pixbuf/io-xpm.c.loaders	2001-03-01 15:16:28.000000000 -0500
+++ gdk-pixbuf-0.22.0/gdk-pixbuf/io-xpm.c	2004-09-15 13:41:09.804373000 -0400
@@ -243,8 +243,8 @@
 			break;
 		else {
 			if (numnames > 0) {
-				space -= 1;
-				strcat (color, " ");
+				strncat (color, " ", space);
+				space -= MIN (space, 1);
 			}
 
 			strncat (color, temp, space);
@@ -352,16 +352,31 @@
 		return NULL;
 	}
 	sscanf (buffer, "%d %d %d %d", &w, &h, &n_col, &cpp);
-	if (cpp >= 32) {
-		g_warning ("XPM has more than 31 chars per pixel.");
+	if (cpp <= 0 || cpp >= 32) {
+		g_warning ("XPM has invalid number of chars per pixel.");
 		return NULL;
 	}
+ 	if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1)) {
+		g_warning ("XPM file has invalid number of colors");
+  		return NULL;
+  	}
 
 	/* The hash is used for fast lookups of color from chars */
 	color_hash = g_hash_table_new (g_str_hash, g_str_equal);
 
-	name_buf = g_new (gchar, n_col * (cpp + 1));
-	colors = g_new (_XPMColor, n_col);
+ 	name_buf = malloc (n_col * (cpp + 1));
+ 	if (!name_buf) {
+		g_warning ("Cannot allocate memory for loading XPM image");
+ 		g_hash_table_destroy (color_hash);
+ 		return NULL;
+ 	}
+ 	colors = (_XPMColor *) malloc (sizeof (_XPMColor) * n_col);
+ 	if (!colors) {
+		g_warning ("Cannot allocate memory for loading XPM image");
+ 		g_hash_table_destroy (color_hash);
+ 		free (name_buf);
+ 		return NULL;
+ 	}
 
 	for (cnt = 0; cnt < n_col; cnt++) {
 		gchar *color_name;
@@ -404,8 +419,8 @@
 
 	if (!pixels) {
 		g_hash_table_destroy (color_hash);
-		g_free (colors);
-		g_free (name_buf);
+		free (colors);
+		free (name_buf);
 		return NULL;
 	}
 
@@ -440,8 +455,8 @@
 	}
 
 	g_hash_table_destroy (color_hash);
-	g_free (colors);
-	g_free (name_buf);
+	free (colors);
+	free (name_buf);
 
 	return gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, is_trans, 8,
 					 w, h, is_trans ? (w * 4) : (w * 3),
Commit	Line	Data
bf5d54ea PG	1	--- gdk-pixbuf-0.22.0/gdk-pixbuf/io-ico.c.loaders 2004-09-15 13:32:28.397302000 -0400
	2	+++ gdk-pixbuf-0.22.0/gdk-pixbuf/io-ico.c 2004-09-15 13:32:28.441258000 -0400
	3	@@ -330,6 +330,9 @@
	4
	5	State->HeaderSize+=I;
	6
	7	+ if (State->HeaderSize < 0)
	8	+ return FALSE;
	9	+
	10	if (State->HeaderSize>State->BytesInHeaderBuf) {
	11	guchar *tmp=realloc(State->HeaderBuf,State->HeaderSize);
	12	if (!tmp)
	13	--- gdk-pixbuf-0.22.0/gdk-pixbuf/io-xpm.c.loaders 2001-03-01 15:16:28.000000000 -0500
	14	+++ gdk-pixbuf-0.22.0/gdk-pixbuf/io-xpm.c 2004-09-15 13:41:09.804373000 -0400
	15	@@ -243,8 +243,8 @@
	16	break;
	17	else {
	18	if (numnames > 0) {
	19	- space -= 1;
	20	- strcat (color, " ");
	21	+ strncat (color, " ", space);
	22	+ space -= MIN (space, 1);
	23	}
	24
	25	strncat (color, temp, space);
	26	@@ -352,16 +352,31 @@
	27	return NULL;
	28	}
	29	sscanf (buffer, "%d %d %d %d", &w, &h, &n_col, &cpp);
	30	- if (cpp >= 32) {
	31	- g_warning ("XPM has more than 31 chars per pixel.");
	32	+ if (cpp <= 0 \|\| cpp >= 32) {
	33	+ g_warning ("XPM has invalid number of chars per pixel.");
	34	return NULL;
	35	}
	36	+ if (n_col <= 0 \|\| n_col >= G_MAXINT / (cpp + 1)) {
	37	+ g_warning ("XPM file has invalid number of colors");
	38	+ return NULL;
	39	+ }
	40
	41	/* The hash is used for fast lookups of color from chars */
	42	color_hash = g_hash_table_new (g_str_hash, g_str_equal);
	43
	44	- name_buf = g_new (gchar, n_col * (cpp + 1));
	45	- colors = g_new (_XPMColor, n_col);
	46	+ name_buf = malloc (n_col * (cpp + 1));
	47	+ if (!name_buf) {
	48	+ g_warning ("Cannot allocate memory for loading XPM image");
	49	+ g_hash_table_destroy (color_hash);
	50	+ return NULL;
	51	+ }
	52	+ colors = (_XPMColor ) malloc (sizeof (_XPMColor) n_col);
	53	+ if (!colors) {
	54	+ g_warning ("Cannot allocate memory for loading XPM image");
	55	+ g_hash_table_destroy (color_hash);
	56	+ free (name_buf);
	57	+ return NULL;
	58	+ }
	59
	60	for (cnt = 0; cnt < n_col; cnt++) {
	61	gchar *color_name;
	62	@@ -404,8 +419,8 @@
	63
	64	if (!pixels) {
65	g_hash_table_destroy (color_hash);
66	- g_free (colors);
67	- g_free (name_buf);
68	+ free (colors);
69	+ free (name_buf);
70	return NULL;
71	}
72
73	@@ -440,8 +455,8 @@
74	}
75
76	g_hash_table_destroy (color_hash);
77	- g_free (colors);
78	- g_free (name_buf);
79	+ free (colors);
80	+ free (name_buf);
81
82	return gdk_pixbuf_new_from_data (pixels, GDK_COLORSPACE_RGB, is_trans, 8,
83	w, h, is_trans ? (w * 4) : (w * 3),