# HG changeset patch
# User Ryan C. Gordon <icculus@icculus.org>
# Date 1518038991 18000
# Node ID fb643e371806910f1973abfdfe7f981e8dba60f5
# Parent c5f9cbb5d2bbcb2150ba0596ea56b49efeed660d
xcf: check for some potential integer overflows.
diff -r c5f9cbb5d2bb -r fb643e371806 IMG_xcf.c
--- a/IMG_xcf.c Wed Feb 07 16:18:54 2018 -0500
+++ b/IMG_xcf.c Wed Feb 07 16:29:51 2018 -0500
@@ -595,6 +595,18 @@
SDL_RWseek(src, layer->hierarchy_file_offset, RW_SEEK_SET);
hierarchy = read_xcf_hierarchy(src);
+ if (hierarchy->bpp > 4) { /* unsupported. */
+ SDL_Log("Unknown Gimp image bpp (%u)\n", (unsigned int) hierarchy->bpp);
+ free_xcf_hierarchy(hierarchy);
+ return 1;
+ }
+
+ if ((hierarchy->width > 20000) || (hierarchy->height > 20000)) { /* arbitrary limit to avoid integer overflow. */
+ SDL_Log("Gimp image too large (%ux%u)\n", (unsigned int) hierarchy->width, (unsigned int) hierarchy->height);
+ free_xcf_hierarchy(hierarchy);
+ return 1;
+ }
+
level = NULL;
for (i = 0; hierarchy->level_file_offsets[i]; i++) {
SDL_RWseek(src, hierarchy->level_file_offsets[i], RW_SEEK_SET);
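Review bot: The added guards only cap the upper end of the hierarchy header fields, so a `bpp` of 0 still passes `hierarchy->bpp > 4`, and nothing in this hunk bounds the per-level dimensions that the following `for` loop reads (its body continues outside the hunk). If later size arithmetic multiplies by `bpp` or uses `level->width`/`level->height`, those values need the same validation, starting with `if ((hierarchy->bpp < 1) || (hierarchy->bpp > 4)) {`. `hierarchy` is also dereferenced immediately after `read_xcf_hierarchy(src)` without a NULL check, which matters if that helper can fail on allocation; this should be confirmed against its definition. The literal 20000 would be easier to audit as a named constant with a comment such as `/* 20000 * 20000 * 4 bytes still fits in a signed 32-bit int */`, so the next reader can see which multiplication the limit protects.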