--- xvbmp.c
+++ xvbmp.c Tue Aug 24 12:42:52 2004
@@ -129,7 +129,9 @@
/* error checking */
if ((biBitCount!=1 && biBitCount!=4 && biBitCount!=8 &&
biBitCount!=24 && biBitCount!=32) ||
- biPlanes!=1 || biCompression>BI_RLE4) {
+ biPlanes!=1 || biCompression>BI_RLE4 ||
+ biWidth<= 0 || biHeight <= 0 ||
+ (biClrUsed && biClrUsed > (1 << biBitCount))) {
sprintf(buf,"Bogus BMP File! (bitCount=%d, Planes=%d, Compression=%d)",
biBitCount, biPlanes, biCompression);
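Review bot: `1 << biBitCount` in the added bound is undefined when biBitCount is 32, a depth the earlier clauses of this same condition accept, so the biClrUsed comparison cannot be relied on for that format. The clamp added in the next hunk (`if (biClrUsed > (1 << biBitCount))`) has the same problem. Since the colormap is loaded only when biBitCount is neither 24 nor 32, the test can be limited to the paletted depths: `(biBitCount <= 8 && biClrUsed > (1u << biBitCount))`. The new biWidth/biHeight tests reject non-positive values only; whether a later width-times-height size computation can overflow is not visible here and is worth confirming. The enclosing function starts and ends outside the hunk.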
@@ -159,6 +161,9 @@
bPad = bfOffBits - (biSize + 14);
}
+
+ if (biClrUsed > (1 << biBitCount))
+ biClrUsed = (1 << biBitCount);
/* load up colormap, if any */
if (biBitCount!=24 && biBitCount!=32) {
--- xviris.c
+++ xviris.c Tue Aug 24 13:01:42 2004
@@ -267,6 +267,12 @@
rlebuflen = 2 * xsize + 10;
tablen = ysize * zsize;
+
+ if (rlebuflen <= 0 || tablen <= 0 || (tablen * sizeof(long)) < 0) {
+ loaderr = "Bogus IRIS File!";
+ return (byte *)NULL;
+ }
+
starttab = (u_long *) malloc((size_t) tablen * sizeof(long));
lengthtab = (u_long *) malloc((size_t) tablen * sizeof(long));
rledat = (byte *) malloc((size_t) rlebuflen);
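Review bot: The `(tablen * sizeof(long)) < 0` test can never be true, because sizeof yields a size_t and the product is therefore unsigned. The other two tests run only after `2 * xsize + 10` and `ysize * zsize` have been evaluated, so if these are int (the declarations are outside the hunk) an overflow is undefined behaviour and a wrapped result can come out positive and pass the check. Validating the factors before multiplying closes both gaps, as sketched below; it needs INT_MAX from limits.h. The enclosing function starts and ends outside the hunk.
```c
if (xsize <= 0 || ysize <= 0 || zsize <= 0 ||
    xsize > (INT_MAX - 10) / 2 ||
    ysize > INT_MAX / zsize ||
    (size_t) ysize * (size_t) zsize > ((size_t) -1) / sizeof(long)) {
  loaderr = "Bogus IRIS File!";
  return (byte *)NULL;
}

rlebuflen = 2 * xsize + 10;
tablen    = ysize * zsize;
/* … unchanged: starttab / lengthtab / rledat allocation … */
```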
--- xvpcx.c
+++ xvpcx.c Tue Aug 24 13:12:15 2004
@@ -222,7 +222,14 @@
byte *image;
/* note: overallocation to make life easier... */
- image = (byte *) malloc((size_t) (pinfo->h + 1) * pinfo->w + 16);
+ int count = (pinfo->h + 1) * pinfo->w + 16;
+
+ if (count <= 0 || pinfo->h <= 0 || pinfo->w <= 0) {
+ pcxError(fname, "Bogus PCX file!!");
+ return (0);
+ }
+
+ image = (byte *) malloc((size_t) count);
if (!image) FatalError("Can't alloc 'image' in pcxLoadImage8()");
xvbzero((char *) image, (size_t) ((pinfo->h+1) * pinfo->w + 16));
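Review bot: `count` is computed as `(pinfo->h + 1) * pinfo->w + 16` in int before w and h are validated, so the `count <= 0` test relies on signed overflow, which is undefined and can also wrap to a positive value that passes. Checking the factors first is more robust, e.g. `if (pinfo->w <= 0 || pinfo->h <= 0 || pinfo->h >= (INT_MAX - 16) / pinfo->w)`, and only then computing count. The same after-the-fact pattern appears in `count = w*h*planes` and `nbytes = bperlin*h*planes` in the two following xvpcx.c hunks. The xvbzero call on the last line still repeats the size expression and could take `(size_t) count`, as the 24-bit path now does.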
@@ -250,17 +257,25 @@
{
byte *pix, *pic24, scale[256];
int c, i, j, w, h, maxv, cnt, planes, bperlin, nbytes;
+ int count;
w = pinfo->w; h = pinfo->h;
planes = (int) hdr[PCX_PLANES];
bperlin = hdr[PCX_BPRL] + ((int) hdr[PCX_BPRH]<<8);
+ count = w*h*planes;
+
+ if (count <= 0 || planes <= 0 || w <= 0 || h <= 0) {
+ pcxError(fname, "Bogus PCX file!!");
+ return (0);
+ }
+
/* allocate 24-bit image */
- pic24 = (byte *) malloc((size_t) w*h*planes);
+ pic24 = (byte *) malloc((size_t) count);
if (!pic24) FatalError("couldn't malloc 'pic24'");
- xvbzero((char *) pic24, (size_t) w*h*planes);
+ xvbzero((char *) pic24, (size_t) count);
maxv = 0;
pix = pinfo->pic = pic24;
@@ -268,6 +283,12 @@
j = 0; /* bytes per line, in this while loop */
nbytes = bperlin*h*planes;
+ if (nbytes < 0) {
+ pcxError(fname, "Bogus PCX file!!");
+ free(pic24);
+ return (0);
+ }
+
while (nbytes > 0 && (c = getc(fp)) != EOF) {
if ((c & 0xC0) == 0xC0) { /* have a rep. count */
cnt = c & 0x3F;
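Review bot: The new `nbytes < 0` error path frees pic24 after `pinfo->pic = pic24` has already been assigned a few lines earlier, so pinfo->pic is left pointing at freed memory when the function returns 0. Whether the caller reads or frees pinfo->pic after a failed load is not visible here, but clearing it removes the risk of a use-after-free or double free: add `pinfo->pic = (byte *) NULL;` after `free(pic24);`. The test itself also depends on the signed product `bperlin*h*planes` wrapping negative, which is not guaranteed. The enclosing function starts and ends outside the hunk.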
--- xvpm.c
+++ xvpm.c Tue Aug 24 13:16:43 2004
@@ -119,6 +119,9 @@
isize = pm_isize(&thePic);
+ if (isize <= 0)
+ return pmError(bname, "Bogus PM file!!");
+
if (DEBUG)
fprintf(stderr,"%s: LoadPM() - loading a %dx%d %s pic, %d planes\n",
cmd, w, h, (thePic.pm_form==PM_I) ? "PM_I" : "PM_C",
@@ -135,6 +138,8 @@
return( pmError(bname, "file read error") );
}
+ if (thePic.pm_cmtsize+1 <= 0)
+ return pmError(bname, "Bogus PM file!!");
/* alloc and read in comment, if any */
if (thePic.pm_cmtsize>0) {
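Review bot: `thePic.pm_cmtsize+1 <= 0` tries to catch the INT_MAX case through signed overflow, which is undefined; a compiler may legally reduce it to `pm_cmtsize < 0`, letting INT_MAX through to the comment allocation below. Assuming pm_cmtsize is an int (its declaration is outside the hunk), stating both conditions directly avoids that: `if (thePic.pm_cmtsize < 0 || thePic.pm_cmtsize == INT_MAX)`. A modest upper bound on the comment size taken from the file header would be a stronger check than INT_MAX alone.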
@@ -155,6 +160,9 @@
int *intptr;
byte *pic24, *picptr;
+ if (w <= 0 || h <= 0 || w*h*3 <= 0)
+ return pmError(bname, "Bogus PM file!!");
+
if ((pic24 = (byte *) malloc((size_t) w*h*3))==NULL) {
if (thePic.pm_cmt) free(thePic.pm_cmt);
return( pmError(bname, "unable to malloc 24-bit picture") );
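Review bot: The added early return skips the `if (thePic.pm_cmt) free(thePic.pm_cmt);` cleanup that the malloc-failure path directly below performs, so a file with a comment and bogus dimensions leaks the comment buffer; the identical check added in the next hunk (PM_C branch) has the same gap. Freeing pm_cmt before returning keeps the two error paths consistent. Separately, `w*h*3 <= 0` is evaluated in int and depends on overflow wrapping non-positive, while the malloc uses `(size_t) w*h*3`; a division-based test such as `w > INT_MAX / 3 / h` after the sign checks does not rely on undefined behaviour. The enclosing block starts and ends outside the hunk.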
@@ -189,6 +197,9 @@
else if (thePic.pm_form == PM_C && thePic.pm_np>1) {
byte *pic24, *picptr, *rptr, *gptr, *bptr;
+
+ if (w <= 0 || h <= 0 || w*h*3 <= 0)
+ return pmError(bname, "Bogus PM file!!");
if ((pic24 = (byte *) malloc((size_t) w*h*3))==NULL) {
if (thePic.pm_cmt) free(thePic.pm_cmt);