--- imlib2-1.2.2/src/lib/common.h.cve-2006-4806 2006-01-23 20:46:04.000000000 -0700
+++ imlib2-1.2.2/src/lib/common.h 2006-11-07 09:19:48.000000000 -0700
@@ -35,6 +35,10 @@ if ((y + h) > ((yy) + (hh))) {h = (hh) -
 #define MIN(a, b) (((a) < (b)) ? (a) : (b))
 #define MAX(a, b) (((a) > (b)) ? (a) : (b))
+/* used to check image size for CVE-2006-4806 */
+#define CHKIMGSZ(w, h) \
+(w < 1 || h < 1 || w > 16383 || h > 16383)
+
 #ifdef __EMX__
 extern char *__XOS2RedirRoot(const char *);
 #endif
--- imlib2-1.2.2/src/modules/loaders/loader_png.c.cve-2006-4806 2006-01-23 20:46:08.000000000 -0700
+++ imlib2-1.2.2/src/modules/loaders/loader_png.c 2006-11-07 09:19:48.000000000 -0700
@@ -83,6 +83,12 @@ load(ImlibImage * im, ImlibProgressFunct
 png_get_IHDR(png_ptr, info_ptr, (png_uint_32 *) (&w32), (png_uint_32 *) (&h32), &bit_depth, &color_type, &interlace_type, NULL, NULL);
+ if CHKIMGSZ(w32, h32)
+ {
+ png_destroy_read_struct(&png_ptr, NULL, NULL);
+ fclose(f);
+ return 0;
+ }
 im->w = (int)w32;
 im->h = (int)h32;
 if (color_type == PNG_COLOR_TYPE_PALETTE)
--- imlib2-1.2.2/src/modules/loaders/loader_lbm.c.cve-2006-4806 2006-01-23 20:46:08.000000000 -0700
+++ imlib2-1.2.2/src/modules/loaders/loader_lbm.c 2006-11-07 09:19:48.000000000 -0700
@@ -421,7 +421,7 @@ ILBM ilbm;
 im->w = L2RWORD(ilbm.bmhd.data);
 im->h = L2RWORD(ilbm.bmhd.data + 2);
- if (im->w <= 0 || im->h <= 0) ok = 0;
+ if CHKIMGSZ(im->w, im->h) ok = 0;
 ilbm.depth = ilbm.bmhd.data[8];
 if (ilbm.depth < 1 || (ilbm.depth > 8 && ilbm.depth != 24 && ilbm.depth != 32)) ok = 0; /* Only 1 to 8, 24, or 32 planes. */
@@ -453,6 +453,7 @@ ILBM ilbm;
 }
 }
 if (!full || !ok) {
+ im->w = im->h = 0;
 freeilbm(&ilbm);
 return ok;
 }
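Review bot: CHKIMGSZ uses its parameters unparenthesized (`w < 1 || h < 1 || w > 16383 || h > 16383`), so an argument containing a lower-precedence operator would mis-associate; since this macro is the single size gate every loader in the patch relies on, write it as `#define CHKIMGSZ(w, h) ((w) < 1 || (h) < 1 || (w) > 16383 || (h) > 16383)`. The call sites in loader_png.c, loader_lbm.c, loader_tiff.c and loader_jpeg.c spell it `if CHKIMGSZ(...)` with no parentheses of their own, which compiles only because the expansion happens to be fully parenthesized; `if (CHKIMGSZ(w, h))` keeps them correct if the macro body ever changes. The comment should also state the polarity and the reason for the bound, e.g. `/* Non-zero when (w, h) is outside 1..16383 (CVE-2006-4806); presumably chosen so w * h * sizeof(DATA32) stays within int range */`, since the limit's origin is not otherwise visible.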
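Review bot: The new early exit in loader_png.c destroys png_ptr but passes NULL for the info struct, `png_destroy_read_struct(&png_ptr, NULL, NULL);`, so the info_ptr that png_get_IHDR just read from is not released on every rejected file; use `png_destroy_read_struct(&png_ptr, &info_ptr, NULL);` (assuming info_ptr came from png_create_info_struct, which is outside the hunk). The enclosing load() starts and ends outside the hunk, so I cannot see whether the pre-existing error exits use the same incomplete cleanup.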
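Review bot: In the loader_lbm.c hunk at @@ -421, im->w and im->h receive the header values before the size check and only `ok = 0` records the rejection; the reset to zero lives in the later @@ -453 hunk at the `if (!full || !ok)` exit, so any other return between those two points (the function body runs outside both hunks) would leave out-of-range dimensions in the image struct. Reading the two words into locals, checking them, and assigning `im->w`/`im->h` only when the check passes, as the loader_tiff.c hunk of this same patch does, removes the need for the later reset and keeps the struct untouched for a rejected file.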
@@ -467,12 +468,13 @@ ILBM ilbm;
 cancel = 0;
 plane[0] = NULL;
- im->data = malloc(im->w * im->h * sizeof(DATA32));
- if (im->data) {
 n = ilbm.depth;
 if (ilbm.mask == 1) n++;
+ im->data = malloc(im->w * im->h * sizeof(DATA32));
 plane[0] = malloc(((im->w + 15) / 16) * 2 * n);
+
+ if (im->data && plane[0]) {
 for (i = 1; i < n; i++) plane[i] = plane[i - 1] + ((im->w + 15) / 16) * 2;
 z = ((im->w + 15) / 16) * 2 * n;
@@ -508,9 +510,10 @@ ILBM ilbm;
 /*----------
 * We either had a successful decode, the user cancelled, or we couldn't get
- * the memory for im->data.
+ * the memory for im->data or plane[0].
 *----------*/
 if (!ok) {
+ im->w = im->h = 0;
 if (im->data) free(im->data);
 im->data = NULL;
 }
--- imlib2-1.2.2/src/modules/loaders/loader_tiff.c.cve-2006-4806 2006-11-07 09:19:48.000000000 -0700
+++ imlib2-1.2.2/src/modules/loaders/loader_tiff.c 2006-11-07 09:19:48.000000000 -0700
@@ -213,8 +213,16 @@ load(ImlibImage * im, ImlibProgressFunct
 }
 rgba_image.image = im;
- im->w = width = rgba_image.rgba.width;
- im->h = height = rgba_image.rgba.height;
+ width = rgba_image.rgba.width;
+ height = rgba_image.rgba.height;
+ if CHKIMGSZ(width, height)
+ {
+ TIFFRGBAImageEnd((TIFFRGBAImage *) &rgba_image);
+ TIFFClose(tif);
+ return 0;
+ }
+ im->w = width;
+ im->h = height;
 rgba_image.num_pixels = num_pixels = width * height;
 if (rgba_image.rgba.alpha != EXTRASAMPLE_UNSPECIFIED) SET_FLAG(im->flags, F_HAS_ALPHA);
--- imlib2-1.2.2/src/modules/loaders/loader_argb.c.cve-2006-4806 2006-01-23 20:46:08.000000000 -0700
+++ imlib2-1.2.2/src/modules/loaders/loader_argb.c 2006-11-07 09:19:48.000000000 -0700
@@ -23,7 +23,7 @@ char
 load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity, char immediate_load)
 {
- int w, h, alpha;
+ int w=0, h=0, alpha;
 FILE *f;
 if (im->data)
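Review bot: With the combined `if (im->data && plane[0])`, the case where one allocation succeeds and the other fails falls through to the cleanup in the @@ -508 hunk, which frees im->data only; nothing in the visible lines frees plane[0] or clears `ok` for a failed allocation, so unless the code between the two hunks does both, a partial failure leaks the surviving buffer and may still be reported as a successful load. The function body continues outside both hunks, so please confirm the path taken when the condition is false. The moved `malloc(im->w * im->h * sizeof(DATA32))` also now depends on the CHKIMGSZ bound for its int multiplication not overflowing; a comment at the call, `/* w,h <= 16383 (CHKIMGSZ at line ~421) so w * h fits in int */`, would make that dependency visible to the next maintainer.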
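Review bot: In loader_argb.c, `int w=0, h=0, alpha;` defaults w and h so that a short sscanf match in the following hunk is rejected by CHKIMGSZ, but alpha is read by that same sscanf and is left uninitialized, so a header carrying only three fields still leaves alpha indeterminate wherever it is consumed later (the rest of load() is outside the hunk). Initialize all three: `int w = 0, h = 0, alpha = 0;`.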
@@ -36,13 +36,15 @@ load(ImlibImage * im, ImlibProgressFunct
 {
 char buf[256], buf2[256];
+ memset(buf, 0, sizeof(buf));
+ memset(buf2, 0, sizeof(buf2));
 if (!fgets(buf, 255, f))
 {
 fclose(f);
 return 0;
 }
 sscanf(buf, "%s %i %i %i", buf2, &w, &h, &alpha);
- if (strcmp(buf2, "ARGB"))
+ if (strcmp(buf2, "ARGB") || CHKIMGSZ(w, h))
 {
 fclose(f);
 return 0;
--- imlib2-1.2.2/src/modules/loaders/loader_jpeg.c.cve-2006-4806 2006-01-23 20:46:08.000000000 -0700
+++ imlib2-1.2.2/src/modules/loaders/loader_jpeg.c 2006-11-07 09:26:17.000000000 -0700
@@ -104,8 +104,9 @@ load(ImlibImage * im, ImlibProgressFunct
 im->w = w = cinfo.output_width;
 im->h = h = cinfo.output_height;
- if (cinfo.rec_outbuf_height > 16)
+ if (cinfo.rec_outbuf_height > 16 || CHKIMGSZ(w, h))
 {
+ im->w = im->h = 0;
 jpeg_destroy_decompress(&cinfo);
 fclose(f);
 return 0;
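Review bot: The return value of `sscanf(buf, "%s %i %i %i", buf2, &w, &h, &alpha);` is still ignored, so the new memsets and the zero defaults for w and h are the only thing standing between a short or malformed header and the checks that follow; rejecting on the match count makes that explicit rather than a side effect of zeroed memory: `if (sscanf(buf, "%255s %i %i %i", buf2, &w, &h, &alpha) != 4 || strcmp(buf2, "ARGB") || CHKIMGSZ(w, h))`. buf2 cannot overflow today because `fgets(buf, 255, f)` caps buf at 254 characters, but the `%255s` width keeps that invariant on the line that depends on it instead of on the fgets call above.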
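Review bot: In loader_jpeg.c, im->w and im->h are assigned from cinfo before the size check and then zeroed in the error branch with `im->w = im->h = 0;`; moving the check ahead of the assignments, as the loader_tiff.c hunk of this patch does, leaves the image struct untouched on rejection and makes the reset unnecessary: `if (cinfo.rec_outbuf_height > 16 || CHKIMGSZ(cinfo.output_width, cinfo.output_height))` placed before `im->w = w = cinfo.output_width;`. Any later error exit in load() that runs after these assignments (outside the hunk) would otherwise still need its own reset.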