f564d4c27b
Fix rhbz#1834969 - CVE-2020-12761 integer overflow in ICO color maps handling
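--- a/imlib2-1.6.1/src/modules/loaders/loader_ico.c
+++ b/imlib2-1.6.1/src/modules/loaders/loader_ico.c
@@ -8,6 +8,7 @@
 #include "loader_common.h"
 
 #include <string.h>
+#include <limits.h>
 
 #define DEBUG 0
 #if DEBUG
@@ -168,6 +169,8 @@ ico_read_icon(ico_t * ico, int ino)
 case 4:
 case 8:
 D("Allocating a %d slot colormap\n", ie->bih.colors);
+ if (UINT_MAX / sizeof(DATA32) < ie->bih.colors)
+ goto bail;
 size = ie->bih.colors * sizeof(DATA32);
 ie->cmap = malloc(size);
 nr = fread(ie->cmap, 1, size, ico->fp);
@@ -183,6 +186,9 @@ ico_read_icon(ico_t * ico, int ino)
 }
 
 size = ((ie->bih.bpp * ie->w + 31) / 32 * 4) * ie->h;
+ if (!IMAGE_DIMENSIONS_OK(ie->w, ie->h) || ie->bih.bpp == 0 ||
+ UINT_MAX / ie->bih.bpp < ie->w * ie->h)
+ goto bail;
 ie->pxls = malloc(size);
 nr = fread(ie->pxls, 1, size, ico->fp);
 if (nr != size)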
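Review bot: In the colormap hunk of ico_read_icon the new guard only rules out wrap-around of `ie->bih.colors * sizeof(DATA32)`, so a file-supplied color count just below `UINT_MAX / sizeof(DATA32)` still passes and requests a very large allocation, and the `malloc` result is handed to `fread` on the very next line with no NULL check. This branch handles 4- and 8-bit images, whose pixel values cannot index more than 256 palette entries, so a tighter bound such as `if (ie->bih.colors > 256) goto bail;` together with `if (!ie->cmap) goto bail;` right after the allocation would turn a hostile header into a clean load failure instead of a crash; the 256 limit is inferred from the `case` labels and should be checked against the rest of the switch, which lies outside the hunk. The last hunk has the same unchecked `malloc`-then-`fread` pair for `ie->pxls`, and there `size` is computed before the dimension check rather than after it, which is only harmless if `size` and the header fields are unsigned (not visible here). Moving the `size = ...` line below the new `goto bail` would make the validation order obvious to the next reader.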