Index: src/modules/loaders/loader_argb.c
===================================================================
--- src/modules/loaders/loader_argb.c
+++ src/modules/loaders/loader_argb.c 2007-09-14 08:55:01.000000000 +0200
@@ -10,7 +10,7 @@
 load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity, char immediate_load)
 {
- int w, h, alpha;
+ int w=0, h=0, alpha;
 FILE *f;
 if (im->data)
@@ -23,13 +23,15 @@
 {
 char buf[256], buf2[256];
+ memset(buf, 0, sizeof(buf));
+ memset(buf2, 0, sizeof(buf2));
 if (!fgets(buf, 255, f))
 {
 fclose(f);
 return 0;
 }
 sscanf(buf, "%s %i %i %i", buf2, &w, &h, &alpha);
- if (strcmp(buf2, "ARGB"))
+ if (strcmp(buf2, "ARGB") || CHKIMGSZ(w, h))
 {
 fclose(f);
 return 0;
Index: src/modules/loaders/loader_jpeg.c
===================================================================
--- src/modules/loaders/loader_jpeg.c
+++ src/modules/loaders/loader_jpeg.c 2007-09-14 08:55:01.000000000 +0200
@@ -94,8 +94,9 @@
 im->w = w = cinfo.output_width;
 im->h = h = cinfo.output_height;
- if (cinfo.rec_outbuf_height > 16)
+ if (cinfo.rec_outbuf_height > 16 || CHKIMGSZ(w, h))
 {
+ im->w = im->h = 0;
 jpeg_destroy_decompress(&cinfo);
 fclose(f);
 return 0;
Index: src/modules/loaders/loader_lbm.c
===================================================================
--- src/modules/loaders/loader_lbm.c
+++ src/modules/loaders/loader_lbm.c 2007-09-14 08:59:20.000000000 +0200
@@ -402,10 +402,7 @@
 im->w = L2RWORD(ilbm.bmhd.data);
 im->h = L2RWORD(ilbm.bmhd.data + 2);
- if ((im->w < 1) || (im->h < 1) || (im->w > 8192) || (im->h > 8192))
- {
- ok = 0;
- }
+ if CHKIMGSZ(im->w, im->h) ok = 0;
 ilbm.depth = ilbm.bmhd.data[8];
 if (ilbm.depth < 1 || (ilbm.depth > 8 && ilbm.depth != 24 && ilbm.depth != 32)) ok = 0; /* Only 1 to 8, 24, or 32 planes. */
@@ -437,6 +434,7 @@
 }
 }
 if (!full || !ok) {
+ im->w = im->h = 0;
 freeilbm(&ilbm);
 return ok;
 }
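Review bot: `alpha` remains uninitialized when the `sscanf(buf, "%s %i %i %i", ...)` just above the new check converts fewer than four fields, so the `w=0, h=0` initializers added in the first hunk cover only the two values CHKIMGSZ looks at; either extend them, `int w=0, h=0, alpha=0;`, or reject a short header outright, `if (sscanf(buf, "%255s %i %i %i", buf2, &w, &h, &alpha) != 4 || strcmp(buf2, "ARGB") || CHKIMGSZ(w, h))`. The `%255s` width only restates the bound that `fgets(buf, 255, f)` already gives `buf2[256]`, but it stops the two sizes from drifting apart. The two added `memset` calls are harmless but redundant, since `fgets` NUL-terminates on success and the failure path returns before `buf` is read. `load` continues outside the hunk.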
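Review bot: `im->w`/`im->h` are stored from `cinfo.output_width`/`output_height` before the new size check and then zeroed on the added failure line, whereas the loader_tiff.c hunk validates `width`/`height` first and stores them only on success; assigning after the check is the simpler shape and makes the added `im->w = im->h = 0;` unnecessary, e.g. `w = cinfo.output_width; h = cinfo.output_height;` before the `if`, and `im->w = w; im->h = h;` after the block. The loader_lbm.c hunks at -402 and -437 keep the reset pattern, which looks justified there because `im->w`/`im->h` are the working dimensions throughout that loader. The enclosing function continues outside the hunk.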
@@ -451,12 +449,13 @@
 cancel = 0;
 plane[0] = NULL;
- im->data = malloc(im->w * im->h * sizeof(DATA32));
- if (im->data) {
 n = ilbm.depth;
 if (ilbm.mask == 1) n++;
+ im->data = malloc(im->w * im->h * sizeof(DATA32));
 plane[0] = malloc(((im->w + 15) / 16) * 2 * n);
+
+ if (im->data && plane[0]) {
 for (i = 1; i < n; i++) plane[i] = plane[i - 1] + ((im->w + 15) / 16) * 2;
 z = ((im->w + 15) / 16) * 2 * n;
@@ -492,9 +491,10 @@
 /*---------- * We either had a successful decode, the user cancelled, or we couldn't get
- * the memory for im->data.
+ * the memory for im->data or plane[0].
 *----------*/
 if (!ok) {
+ im->w = im->h = 0;
 if (im->data) free(im->data);
 im->data = NULL;
 }
Index: src/modules/loaders/loader_png.c
===================================================================
--- src/modules/loaders/loader_png.c
+++ src/modules/loaders/loader_png.c 2007-09-14 08:55:01.000000000 +0200
@@ -69,6 +69,12 @@
 png_get_IHDR(png_ptr, info_ptr, (png_uint_32 *) (&w32), (png_uint_32 *) (&h32), &bit_depth, &color_type, &interlace_type, NULL, NULL);
+ if CHKIMGSZ(w32, h32)
+ {
+ png_destroy_read_struct(&png_ptr, NULL, NULL);
+ fclose(f);
+ return 0;
+ }
 im->w = (int)w32;
 im->h = (int)h32;
 if ((w32 < 1) || (h32 < 1) || (w32 > 8192) || (h32 > 8192))
Index: src/modules/loaders/loader_tiff.c
===================================================================
--- src/modules/loaders/loader_tiff.c
+++ src/modules/loaders/loader_tiff.c 2007-09-14 09:01:13.000000000 +0200
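Review bot: With both `malloc` calls now issued before the combined `if (im->data && plane[0])`, a partial failure leaves one live allocation; the -492 hunk frees only `im->data`, so the release of `plane[0]` and the `ok = 0` that the updated comment implies for the out-of-memory case must both come from code outside the hunk — please confirm they run on that path. The product `im->w * im->h * sizeof(DATA32)` relies on the -402 hunk having bounded each dimension to 16383 (presumably so the pixel buffer size fits in an `int`); a comment on the `malloc` line, `/* w and h are bounded by CHKIMGSZ, so this cannot overflow */`, would record that dependency. The enclosing function starts and ends outside the hunk.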
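Review bot: The new early-return path calls `png_destroy_read_struct(&png_ptr, NULL, NULL)`, which releases the read struct but not `info_ptr`, the struct `png_get_IHDR` consumed on the line just above; unless that pointer is freed elsewhere it should be `png_destroy_read_struct(&png_ptr, &info_ptr, NULL);`. The original `if ((w32 < 1) || (h32 < 1) || (w32 > 8192) || (h32 > 8192))` check is kept right after the new one, so this loader still enforces 8192 and the 16383 bound never decides anything here; keep one check so the loader has a single limit, and make sure whichever path survives releases the same structs. The enclosing function continues outside the hunk.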
@@ -183,14 +183,16 @@
 }
 rgba_image.image = im;
- im->w = width = rgba_image.rgba.width;
- im->h = height = rgba_image.rgba.height;
- if ((width < 1) || (height < 1) || (width > 8192) || (height > 8192))
+ width = rgba_image.rgba.width;
+ height = rgba_image.rgba.height;
+ if CHKIMGSZ(width, height)
 {
 TIFFRGBAImageEnd((TIFFRGBAImage *) & rgba_image);
 TIFFClose(tif);
 return 0;
 }
+ im->w = width;
+ im->h = height;
 rgba_image.num_pixels = num_pixels = width * height;
 if (rgba_image.rgba.alpha != EXTRASAMPLE_UNSPECIFIED) SET_FLAG(im->flags, F_HAS_ALPHA);
Index: src/lib/common.h
===================================================================
--- src/lib/common.h
+++ src/lib/common.h 2007-09-14 08:55:01.000000000 +0200
@@ -44,6 +44,10 @@
 #define round(x) ((x)>=0?(int)((x)+0.5):(int)((x)-0.5))
+/* used to check image size for CVE-2006-4806 */
+#define CHKIMGSZ(w, h) \
+(w < 1 || h < 1 || w > 16383 || h > 16383)
+
 #ifdef __EMX__
 extern char *__XOS2RedirRoot(const char *);
 #endif
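Review bot: The macro body `(w < 1 || h < 1 || w > 16383 || h > 16383)` does not parenthesize its arguments, and the three call sites written as `if CHKIMGSZ(...)` (loader_lbm.c at -402, loader_png.c at -69, loader_tiff.c at -183) only parse because of the macro's outer parentheses; both are fragile for what is now a shared security check. Define it as `#define CHKIMGSZ(w, h) (((w) < 1) || ((h) < 1) || ((w) > 16383) || ((h) > 16383))` and write the call sites as `if (CHKIMGSZ(...))`. The comment should also say what the bound buys; 16383 looks chosen so that `w * h * 4` stays below 2^31, so something like `/* CVE-2006-4806: reject dimensions whose w*h*sizeof(DATA32) would overflow an int */` — confirm against the intended pixel size before committing to that wording.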