check dimensions for safety

author Carsten Haitzler <raster@rasterman.com>

Sun, 5 Nov 2006 05:07:53 +0000 (05:07 +0000)

committer Carsten Haitzler <raster@rasterman.com>

Sun, 5 Nov 2006 05:07:53 +0000 (05:07 +0000)
author Carsten Haitzler <raster@rasterman.com>
Sun, 5 Nov 2006 05:07:53 +0000 (05:07 +0000)
committer Carsten Haitzler <raster@rasterman.com>
Sun, 5 Nov 2006 05:07:53 +0000 (05:07 +0000)
diff --git a/legacy/evas/src/modules/loaders/edb/evas_image_load_edb.c b/legacy/evas/src/modules/loaders/edb/evas_image_load_edb.c

index 6c1039a..6462fab 100644 (file)
--- a/legacy/evas/src/modules/loaders/edb/evas_image_load_edb.c
+++ b/legacy/evas/src/modules/loaders/edb/evas_image_load_edb.c
@@ -57,14 +57,15 @@ evas_image_load_file_head_edb(RGBA_Image *im, const char *file, const char *key)
       }
     w = header[1];
     h = header[2];
-   alpha = header[3];
-   compression = header[4];
-   if ((w > 8192) || (h > 8192))
+   if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192))
       {
         free(ret);
         e_db_close(db);
         return 0;
       }
+   alpha = header[3];
+   compression = header[4];
+   
     if ((compression == 0) && (size < ((w * h * 4) + 32)))
       {
         free(ret);
@@ -127,14 +128,16 @@ evas_image_load_file_data_edb(RGBA_Image *im, const char *file, const char *key)
       }
     w = header[1];
     h = header[2];
-   alpha = header[3];
-   compression = header[4];
-   if ((w > 8192) || (h > 8192))
+   if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192))
       {
         free(ret);
         e_db_close(db);
         return 0;
       }
+   
+   alpha = header[3];
+   compression = header[4];
+   
     if ((compression == 0) && (size < ((w * h * 4) + 32)))
       {
         free(ret);
diff --git a/legacy/evas/src/modules/loaders/eet/evas_image_load_eet.c b/legacy/evas/src/modules/loaders/eet/evas_image_load_eet.c

index a88b606..4c99d02 100644 (file)
--- a/legacy/evas/src/modules/loaders/eet/evas_image_load_eet.c
+++ b/legacy/evas/src/modules/loaders/eet/evas_image_load_eet.c
@@ -32,7 +32,7 @@ evas_image_load_file_head_eet(RGBA_Image *im, const char *file, const char *key)
         eet_close(ef);
         return 0;
       }
-   if ((w > 8192) || (h > 8192))
+   if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192))
       {
         eet_close(ef);
         return 0;
@@ -71,7 +71,7 @@ evas_image_load_file_data_eet(RGBA_Image *im, const char *file, const char *key)
         eet_close(ef);
         return 0;
       }
-   if ((w > 8192) || (h > 8192))
+   if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192))
       {
         free(body);
         eet_close(ef);
diff --git a/legacy/evas/src/modules/loaders/gif/evas_image_load_gif.c b/legacy/evas/src/modules/loaders/gif/evas_image_load_gif.c

index 2bb99a4..197bf30 100644 (file)
--- a/legacy/evas/src/modules/loaders/gif/evas_image_load_gif.c
+++ b/legacy/evas/src/modules/loaders/gif/evas_image_load_gif.c
@@ -67,13 +67,18 @@ evas_image_load_file_head_gif(RGBA_Image *im, const char *file, const char *key)
                 }
               w = gif->Image.Width;
               h = gif->Image.Height;
-             done = 1;
+            if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192))
+              {
+                 DGifCloseFile(gif);
+                 return 0;
+              }
+            done = 1;
            }
          else if (rec == EXTENSION_RECORD_TYPE)
            {
               int                 ext_code;
               GifByteType        *ext;
-
+            
               ext = NULL;
               DGifGetExtension(gif, &ext_code, &ext);
               while (ext)
diff --git a/legacy/evas/src/modules/loaders/jpeg/evas_image_load_jpeg.c b/legacy/evas/src/modules/loaders/jpeg/evas_image_load_jpeg.c

index 846a6cf..8f43352 100644 (file)
--- a/legacy/evas/src/modules/loaders/jpeg/evas_image_load_jpeg.c
+++ b/legacy/evas/src/modules/loaders/jpeg/evas_image_load_jpeg.c
@@ -101,6 +101,11 @@ evas_image_load_file_head_jpeg_internal(RGBA_Image *im, FILE *f)
       }
     w = cinfo.output_width;
     h = cinfo.output_height;
+   if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192))
+     {  
+        jpeg_destroy_decompress(&cinfo);
+       return 0;
+     }
     if (im->load_opts.scale_down_by > 1)
       {
         w /= im->load_opts.scale_down_by;
diff --git a/legacy/evas/src/modules/loaders/png/evas_image_load_png.c b/legacy/evas/src/modules/loaders/png/evas_image_load_png.c

index 276c6ae..41f7f36 100644 (file)
--- a/legacy/evas/src/modules/loaders/png/evas_image_load_png.c
+++ b/legacy/evas/src/modules/loaders/png/evas_image_load_png.c
@@ -71,6 +71,12 @@ evas_image_load_file_head_png(RGBA_Image *im, const char *file, const char *key)
     png_get_IHDR(png_ptr, info_ptr, (png_uint_32 *) (&w32),
                 (png_uint_32 *) (&h32), &bit_depth, &color_type,
                 &interlace_type, NULL, NULL);
+   if ((w32 < 1) || (h32 < 1) || (w32 > 8192) || (h32 > 8192))
+     {
+       png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp) NULL);
+       fclose(f);
+       return 0;
+     }
     if (!im->image)
       im->image = evas_common_image_surface_new(im);
     if (!im->image)
@@ -152,8 +158,12 @@ evas_image_load_file_data_png(RGBA_Image *im, const char *file, const char *key)
     png_get_IHDR(png_ptr, info_ptr, (png_uint_32 *) (&w32),
                 (png_uint_32 *) (&h32), &bit_depth, &color_type,
                 &interlace_type, NULL, NULL);
-   im->image->w = (int) w32;
-   im->image->h = (int) h32;
+   if ((w32 != im->image->w) || (h32 != im->image->h))
+     {
+       png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp) NULL);
+       fclose(f);
+       return 0;
+     }
     if (color_type == PNG_COLOR_TYPE_PALETTE) png_set_expand(png_ptr);
     if (info_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA) hasa = 1;
     if (info_ptr->color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
diff --git a/legacy/evas/src/modules/loaders/svg/evas_image_load_svg.c b/legacy/evas/src/modules/loaders/svg/evas_image_load_svg.c

index 7151224..19c8157 100644 (file)
--- a/legacy/evas/src/modules/loaders/svg/evas_image_load_svg.c
+++ b/legacy/evas/src/modules/loaders/svg/evas_image_load_svg.c
@@ -73,6 +73,12 @@ evas_image_load_file_head_svg(RGBA_Image *im, const char *file, const char *key)
     rsvg_handle_get_dimensions(rsvg, &dim);
     w = dim.width;
     h = dim.height;
+   if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192))
+     {
+       rsvg_handle_free(rsvg);
+       chdir(pcwd);
+       return 0;
+     }
     if (im->load_opts.scale_down_by > 1)
       {
         w /= im->load_opts.scale_down_by;
@@ -143,6 +149,12 @@ evas_image_load_file_data_svg(RGBA_Image *im, const char *file, const char *key)
     rsvg_handle_get_dimensions(rsvg, &dim);
     w = dim.width;
     h = dim.height;
+   if ((w < 1) || (h < 1) || (w > 8192) || (h > 8192))
+     {
+       rsvg_handle_free(rsvg);
+       chdir(pcwd);
+       return 0;
+     }
     if (im->load_opts.scale_down_by > 1)
       {
         w /= im->load_opts.scale_down_by;
diff --git a/legacy/evas/src/modules/loaders/tiff/evas_image_load_tiff.c b/legacy/evas/src/modules/loaders/tiff/evas_image_load_tiff.c

index 48e257f..d7505ca 100644 (file)
--- a/legacy/evas/src/modules/loaders/tiff/evas_image_load_tiff.c
+++ b/legacy/evas/src/modules/loaders/tiff/evas_image_load_tiff.c
@@ -66,11 +66,11 @@ static void
  raster(TIFFRGBAImage_Extra * img, uint32 * rast,
         uint32 x, uint32 y, uint32 w, uint32 h)
  {
-   uint32              image_width, image_height;
+   int                 image_width, image_height;
     uint32             *pixel, pixel_value;
     int                 i, j, dy, rast_offset;
     DATA32             *buffer_pixel, *buffer = img->image->image->data;
-   int                 alpha_premult = (EXTRASAMPLE_UNASSALPHA==img->rgba.alpha);
+   int                 alpha_premult;
  
     image_width = img->image->image->w;
     image_height = img->image->image->h;
@@ -82,6 +82,8 @@ raster(TIFFRGBAImage_Extra * img, uint32 * rast,
     /* I don't understand why, but that seems to be what's going on. */
     /* libtiff needs better docs! */
  
+   if (img->rgba.alpha == EXTRASAMPLE_UNASSALPHA)
+     alpha_premult = 1;
     for (i = y, rast_offset = 0; i > dy; i--, rast_offset--)
       {
          pixel = rast + (rast_offset * image_width);
@@ -166,6 +168,12 @@ evas_image_load_file_head_tiff(RGBA_Image *im, const char *file, const char *key
       }
     if (tiff_image.alpha != EXTRASAMPLE_UNSPECIFIED)
       im->flags |= RGBA_IMAGE_HAS_ALPHA;
+   if ((tiff_image.width < 1) || (tiff_image.height < 1) ||
+       (tiff_image.width > 8192) || (tiff_image.height > 8192))
+     {
+       TIFFClose(tif);
+       return 0;
+     }
     im->image->w = tiff_image.width;
     im->image->h = tiff_image.height;
  
@@ -235,6 +243,12 @@ evas_image_load_file_data_tiff(RGBA_Image *im, const char *file, const char *key
       }
     if (rgba_image.rgba.alpha != EXTRASAMPLE_UNSPECIFIED)
       im->flags |= RGBA_IMAGE_HAS_ALPHA;
+   if ((rgba_image.rgba.width != im->image->w) ||
+       (rgba_image.rgba.height != im->image->h))
+     {
+        TIFFClose(tif);
+       return 0;
+     }
     im->image->w = rgba_image.rgba.width;
     im->image->h = rgba_image.rgba.height;
     rgba_image.num_pixels = num_pixels = im->image->w * im->image->h;
diff --git a/legacy/evas/src/modules/loaders/xpm/evas_image_load_xpm.c b/legacy/evas/src/modules/loaders/xpm/evas_image_load_xpm.c

index c8bbfb5..6ed0fbb 100644 (file)
--- a/legacy/evas/src/modules/loaders/xpm/evas_image_load_xpm.c
+++ b/legacy/evas/src/modules/loaders/xpm/evas_image_load_xpm.c
@@ -213,19 +213,19 @@ evas_image_load_file_xpm(RGBA_Image *im, const char *file, const char *key, int
                              xpm_parse_done();
                              return 0;
                           }
-                       if ((w > 32767) || (w < 1))
+                       if ((w > 8192) || (w < 1))
                           {
                              fprintf(stderr,
-                                    "XPM ERROR: Image width > 32767 or < 1 pixels for file\n");
+                                    "XPM ERROR: Image width > 8192 or < 1 pixels for file\n");
                              free(line);
                              fclose(f);
                              xpm_parse_done();
                              return 0;
                           }
-                       if ((h > 32767) || (h < 1))
+                       if ((h > 8192) || (h < 1))
                           {
                              fprintf(stderr,
-                                    "XPM ERROR: Image height > 32767 or < 1 pixels for file\n");
+                                    "XPM ERROR: Image height > 8192 or < 1 pixels for file\n");
                              free(line);
                              fclose(f);
                              xpm_parse_done();
diff --git a/legacy/evas/src/modules/savers/tiff/evas_image_save_tiff.c b/legacy/evas/src/modules/savers/tiff/evas_image_save_tiff.c

index 59a42b1..7e6dd1c 100644 (file)
--- a/legacy/evas/src/modules/savers/tiff/evas_image_save_tiff.c
+++ b/legacy/evas/src/modules/savers/tiff/evas_image_save_tiff.c
@@ -49,8 +49,9 @@ save_image_tiff(RGBA_Image *im, const char *file, int compress, int interlace)
     
     if (has_alpha)
       {
+        uint16 extras[] = { EXTRASAMPLE_ASSOCALPHA };
          TIFFSetField(tif, TIFFTAG_SAMPLESPERPIXEL, 4);
-        TIFFSetField(tif, TIFFTAG_EXTRASAMPLES, EXTRASAMPLE_ASSOCALPHA);
+        TIFFSetField(tif, TIFFTAG_EXTRASAMPLES, 1, extras);
       }
     else
       {
author	Carsten Haitzler <raster@rasterman.com>
	Sun, 5 Nov 2006 05:07:53 +0000 (05:07 +0000)
committer	Carsten Haitzler <raster@rasterman.com>
	Sun, 5 Nov 2006 05:07:53 +0000 (05:07 +0000)
legacy/evas/src/modules/loaders/edb/evas_image_load_edb.c		patch \| blob \| history
legacy/evas/src/modules/loaders/eet/evas_image_load_eet.c		patch \| blob \| history
legacy/evas/src/modules/loaders/gif/evas_image_load_gif.c		patch \| blob \| history
legacy/evas/src/modules/loaders/jpeg/evas_image_load_jpeg.c		patch \| blob \| history
legacy/evas/src/modules/loaders/png/evas_image_load_png.c		patch \| blob \| history
legacy/evas/src/modules/loaders/svg/evas_image_load_svg.c		patch \| blob \| history
legacy/evas/src/modules/loaders/tiff/evas_image_load_tiff.c		patch \| blob \| history
legacy/evas/src/modules/loaders/xpm/evas_image_load_xpm.c		patch \| blob \| history
legacy/evas/src/modules/savers/tiff/evas_image_save_tiff.c		patch \| blob \| history