blob: 44c4eb8da4b9212b1c98eb9f4b801e0a3fd6a842 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
|
--- gdk-pixbuf/io-ico.c.orig Mon Oct 11 15:44:43 2004
+++ gdk-pixbuf/io-ico.c Mon Oct 11 15:47:29 2004
@@ -330,6 +330,10 @@
State->HeaderSize+=I;
+ if (State->HeaderSize < 0) {
+ return FALSE;
+ }
+
if (State->HeaderSize>State->BytesInHeaderBuf) {
guchar *tmp=realloc(State->HeaderBuf,State->HeaderSize);
if (!tmp)
--- gdk-pixbuf/io-xpm.c.orig Mon Oct 11 15:47:42 2004
+++ gdk-pixbuf/io-xpm.c Mon Oct 11 16:01:13 2004
@@ -352,16 +352,33 @@
return NULL;
}
sscanf (buffer, "%d %d %d %d", &w, &h, &n_col, &cpp);
- if (cpp >= 32) {
- g_warning ("XPM has more than 31 chars per pixel.");
+ if (cpp <= 0 || cpp >= 32) {
+ g_warning ("XPM has invalid number of chars per pixel");
+ return NULL;
+ }
+
+ if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1)) {
+ g_warning ("XPM file has invalid number of colors");
return NULL;
}
/* The hash is used for fast lookups of color from chars */
color_hash = g_hash_table_new (g_str_hash, g_str_equal);
- name_buf = g_new (gchar, n_col * (cpp + 1));
- colors = g_new (_XPMColor, n_col);
+ name_buf = (gchar *) g_try_malloc (n_col * (cpp + 1));
+ if (!name_buf) {
+ g_warning ("Cannot allocate memory for loading XPM image");
+ g_hash_table_destroy (color_hash);
+ return NULL;
+ }
+
+ colors = (_XPMColor *) g_try_malloc (sizeof (_XPMColor) * n_col);
+ if (!colors) {
+ g_warning ("Cannot allocate memory for loading XPM image");
+ g_hash_table_destroy (color_hash);
+ g_free (name_buf);
+ return NULL;
+ }
for (cnt = 0; cnt < n_col; cnt++) {
gchar *color_name;
|
