
imlib2-1.4.1.000-3.1mdv2009.0.src.rpm

Index: src/modules/loaders/loader_argb.c
===================================================================
--- src/modules/loaders/loader_argb.c
+++ src/modules/loaders/loader_argb.c	2007-09-14 08:55:01.000000000 +0200
@@ -10,7 +10,7 @@
 load(ImlibImage * im, ImlibProgressFunction progress,
      char progress_granularity, char immediate_load)
 {
-   int                 w, h, alpha;
+   int                 w=0, h=0, alpha;
    FILE               *f;
 
    if (im->data)
@@ -23,13 +23,15 @@
    {
       char                buf[256], buf2[256];
 
+      memset(buf, 0, sizeof(buf));
+      memset(buf2, 0, sizeof(buf2));
       if (!fgets(buf, 255, f))
         {
            fclose(f);
            return 0;
         }
       sscanf(buf, "%s %i %i %i", buf2, &w, &h, &alpha);
-      if (strcmp(buf2, "ARGB"))
+      if (strcmp(buf2, "ARGB") || CHKIMGSZ(w, h))
         {
            fclose(f);
            return 0;
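Review bot: The `sscanf` result is still ignored, so a header line with fewer than four fields leaves `alpha` uninitialized; the first hunk zeroes `w` and `h` but not `alpha`, and the new `memset` calls only cover the two buffers. Checking the conversion count closes this: `if (sscanf(buf, "%s %i %i %i", buf2, &w, &h, &alpha) != 4 || strcmp(buf2, "ARGB") || CHKIMGSZ(w, h))`. Where `alpha` is read lies outside this hunk, so confirm it is only used after this test. The body of `load` continues past the end of the hunk.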
Index: src/modules/loaders/loader_jpeg.c
===================================================================
--- src/modules/loaders/loader_jpeg.c
+++ src/modules/loaders/loader_jpeg.c	2007-09-14 08:55:01.000000000 +0200
@@ -94,8 +94,9 @@
         im->w = w = cinfo.output_width;
         im->h = h = cinfo.output_height;
 
-        if (cinfo.rec_outbuf_height > 16)
+        if (cinfo.rec_outbuf_height > 16 || CHKIMGSZ(w, h))
           {
+             im->w = im->h = 0;
              jpeg_destroy_decompress(&cinfo);
              fclose(f);
              return 0;
Index: src/modules/loaders/loader_lbm.c
===================================================================
--- src/modules/loaders/loader_lbm.c
+++ src/modules/loaders/loader_lbm.c	2007-09-14 08:59:20.000000000 +0200
@@ -402,10 +402,7 @@
 
         im->w = L2RWORD(ilbm.bmhd.data);
         im->h = L2RWORD(ilbm.bmhd.data + 2);
-	if ((im->w < 1) || (im->h < 1) || (im->w > 8192) || (im->h > 8192))
-	  {
-	     ok = 0;
-	  }
+        if CHKIMGSZ(im->w, im->h) ok = 0;
 
         ilbm.depth = ilbm.bmhd.data[8];
         if (ilbm.depth < 1 || (ilbm.depth > 8 && ilbm.depth != 24 && ilbm.depth != 32)) ok = 0; /* Only 1 to 8, 24, or 32 planes. */
@@ -437,6 +434,7 @@
         }
     }
     if (!full || !ok) {
+        im->w = im->h = 0;
         freeilbm(&ilbm);
         return ok;
     }
@@ -451,12 +449,13 @@
     cancel = 0;
     plane[0] = NULL;
 
-    im->data = malloc(im->w * im->h * sizeof(DATA32));
-    if (im->data) {
         n = ilbm.depth;
         if (ilbm.mask == 1) n++;
 
+    im->data = malloc(im->w * im->h * sizeof(DATA32));
         plane[0] = malloc(((im->w + 15) / 16) * 2 * n);
+
+    if (im->data && plane[0]) {
         for (i = 1; i < n; i++) plane[i] = plane[i - 1] + ((im->w + 15) / 16) * 2;
 
         z = ((im->w + 15) / 16) * 2 * n;
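Review bot: When exactly one of the two allocations fails, the block guarded by `if (im->data && plane[0])` is skipped, and the cleanup in the later hunk frees `im->data` only if `ok` is 0. Whether `ok` is already 0 at this point is not visible in the hunk; if it is not, `load` could report success with an undecoded `im->data` buffer, so confirm it or set `ok = 0;` just before the `malloc` calls. The release of `plane[0]` when only `im->data` fails is also outside the hunk and worth checking. The hoisted lines keep their old indentation, which now reads as if they were still inside the `if`.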
@@ -492,9 +491,10 @@
 
   /*----------
    * We either had a successful decode, the user cancelled, or we couldn't get
-   * the memory for im->data.
+   * the memory for im->data or plane[0].
    *----------*/
     if (!ok) {
+        im->w = im->h = 0;
         if (im->data) free(im->data);
         im->data = NULL;
     }
Index: src/modules/loaders/loader_png.c
===================================================================
--- src/modules/loaders/loader_png.c
+++ src/modules/loaders/loader_png.c	2007-09-14 08:55:01.000000000 +0200
@@ -69,6 +69,12 @@
         png_get_IHDR(png_ptr, info_ptr, (png_uint_32 *) (&w32),
                      (png_uint_32 *) (&h32), &bit_depth, &color_type,
                      &interlace_type, NULL, NULL);
+        if CHKIMGSZ(w32, h32)
+          {
+             png_destroy_read_struct(&png_ptr, NULL, NULL);
+             fclose(f);
+             return 0;
+          }  
         im->w = (int)w32;
         im->h = (int)h32;
         if ((w32 < 1) || (h32 < 1) || (w32 > 8192) || (h32 > 8192))
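Review bot: The new rejection path calls `png_destroy_read_struct(&png_ptr, NULL, NULL)`, which leaves the `info_ptr` structure used by `png_get_IHDR` just above unreleased, so every oversized PNG that is rejected leaks it. Pass the info pointer as well: `png_destroy_read_struct(&png_ptr, &info_ptr, NULL);`. The pre-existing `> 8192` test on the last context line also stays in place, so PNG keeps a tighter limit than the 16383 applied by `CHKIMGSZ` in the other loaders; if that is intended, a comment saying so would help. The enclosing function continues outside the hunk.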
Index: src/modules/loaders/loader_tiff.c
===================================================================
--- src/modules/loaders/loader_tiff.c
+++ src/modules/loaders/loader_tiff.c	2007-09-14 09:01:13.000000000 +0200
@@ -183,14 +183,16 @@
      }
    
    rgba_image.image = im;
-   im->w = width = rgba_image.rgba.width;
-   im->h = height = rgba_image.rgba.height;
-   if ((width < 1) || (height < 1) || (width > 8192) || (height > 8192))
+   width = rgba_image.rgba.width;
+   height = rgba_image.rgba.height;
+   if CHKIMGSZ(width, height)
      {
 	TIFFRGBAImageEnd((TIFFRGBAImage *) & rgba_image);
         TIFFClose(tif);
         return 0;
      }
+   im->w = width;
+   im->h = height;
    rgba_image.num_pixels = num_pixels = width * height;
    if (rgba_image.rgba.alpha != EXTRASAMPLE_UNSPECIFIED)
       SET_FLAG(im->flags, F_HAS_ALPHA);
Index: src/lib/common.h
===================================================================
--- src/lib/common.h
+++ src/lib/common.h	2007-09-14 08:55:01.000000000 +0200
@@ -44,6 +44,10 @@
 
 #define round(x) ((x)>=0?(int)((x)+0.5):(int)((x)-0.5))
 
+/* used to check image size for CVE-2006-4806 */
+#define CHKIMGSZ(w, h) \
+(w < 1 || h < 1 || w > 16383 || h > 16383)
+
 #ifdef __EMX__
 extern char *__XOS2RedirRoot(const char *);
 #endif
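Review bot: `CHKIMGSZ` expands its arguments without parentheses and evaluates each one twice, so it is only safe with simple, side-effect-free operands; write it as `#define CHKIMGSZ(w, h) ((w) < 1 || (h) < 1 || (w) > 16383 || (h) > 16383)`. The call sites in loader_lbm.c, loader_png.c and loader_tiff.c use `if CHKIMGSZ(...)` with no parentheses of their own, which compiles only because the macro body happens to be parenthesised; `if (CHKIMGSZ(w, h))` is the clearer form. The comment should also say why 16383 was chosen, for example `/* reject dimensions whose w * h * sizeof(DATA32) could overflow a 32-bit int (CVE-2006-4806) */`, assuming that is the reasoning behind the bound.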