diff -Naur imlib-1.9.15/Imlib/load.c imlib-1.9.15-magellan/Imlib/load.c --- imlib-1.9.15/Imlib/load.c 2004-09-21 02:23:20.000000000 +0200 +++ imlib-1.9.15-magellan/Imlib/load.c 2011-05-03 18:02:14.000000000 +0200 @@ -4,6 +4,8 @@ #include "Imlib_private.h" #include +#define G_MAXINT ((int) 0x7fffffff) + /* Split the ID - damages input */ static char * @@ -41,13 +43,17 @@ /* * Make sure we don't wrap on our memory allocations + * we check G_MAXINT/4 because rend.c malloc's w * h * bpp + * + 3 is safety margin */ void * _imlib_malloc_image(unsigned int w, unsigned int h) { - if( w > 32767 || h > 32767) + if (w <= 0 || w > 32767 || + h <= 0 || h > 32767 || + h >= (G_MAXINT/4 - 1) / w) return NULL; - return malloc(w * h * 3); + return malloc(w * h * 3 + 3); } #ifdef HAVE_LIBJPEG @@ -191,12 +197,12 @@ png_destroy_read_struct(&png_ptr, NULL, NULL); return NULL; } - if (setjmp(png_ptr->jmpbuf)) + if (setjmp(png_jmpbuf(png_ptr))) { png_destroy_read_struct(&png_ptr, &info_ptr, NULL); return NULL; } - if (info_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA) + if (png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_RGB_ALPHA) { png_destroy_read_struct(&png_ptr, &info_ptr, NULL); return NULL; @@ -254,7 +260,8 @@ png_read_image(png_ptr, lines); png_destroy_read_struct(&png_ptr, &info_ptr, NULL); ptr = data; - if (color_type == PNG_COLOR_TYPE_GRAY_ALPHA) + if (color_type == PNG_COLOR_TYPE_GRAY + || color_type == PNG_COLOR_TYPE_GRAY_ALPHA) { for (y = 0; y < *h; y++) { @@ -279,6 +286,7 @@ } } } +#if 0 else if (color_type == PNG_COLOR_TYPE_GRAY) { for (y = 0; y < *h; y++) @@ -294,6 +302,7 @@ } } } +#endif else { for (y = 0; y < *h; y++) @@ -360,7 +369,9 @@ npix = ww * hh; *w = (int)ww; *h = (int)hh; - if(ww > 32767 || hh > 32767) + if (ww <= 0 || ww > 32767 || + hh <= 0 || hh > 32767 || + hh >= (G_MAXINT/sizeof(uint32)) / ww) { TIFFClose(tif); return NULL; 
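Review bot: In `_imlib_malloc_image` (@@ -41) the new `w <= 0` and `h <= 0` tests compare `unsigned int` parameters, so they can only ever catch zero; `w == 0 || h == 0` says what is meant and avoids sign-compare noise. The `G_MAXINT` macro defined in the first hunk duplicates `INT_MAX` from `<limits.h>` and would clash with glib's macro of the same name if a glib header were ever included here. The `+ 3` in `malloc(w * h * 3 + 3)` is described only as a "safety margin"; a comment naming the access it protects would help, because padding hides an out-of-bounds read rather than removing it.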
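Review bot: The converted test `png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_RGB_ALPHA` (@@ -191) sits directly after the info-struct failure path and the `setjmp`, with no `png_read_info` call visible before it, so it appears to inspect an info struct that has not been filled from the file yet. If so, the rejection never triggers and the accessor change preserves a dead check, which would belong after the header has been read. The same pattern is converted in Imlib/utils.c (@@ -1959) and gdk_imlib/io-png.c (@@ -40, @@ -275, @@ -440). The enclosing function starts and ends outside the hunk, so this needs confirming against the full file.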
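Review bot: Routing `PNG_COLOR_TYPE_GRAY` through the `GRAY_ALPHA` loop (@@ -254) is only safe if plain grayscale rows have the same per-pixel layout as gray+alpha rows, which depends on a filler or alpha transform configured before `png_read_image`, outside this hunk. If no such transform is active for gray input, the shared loop would presumably step past the end of each row, so the assumption should be confirmed and recorded, e.g. `/* gray rows carry a filler byte, same layout as gray+alpha */`. The old branch is left under `#if 0` in the next two hunks; deleting it would be cleaner than keeping disabled code in a decoder.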
@@ -463,7 +474,7 @@ } *w = gif->Image.Width; *h = gif->Image.Height; - if (*h > 32767 || *w > 32767) + if (*h <= 0 || *h > 32767 || *w <= 0 || *w > 32767) { return NULL; } @@ -1000,7 +1011,12 @@ comment = 0; quote = 0; context = 0; + memset(lookup, 0, sizeof(lookup)); + line = malloc(lsz); + if (!line) + return NULL; + while (!done) { pc = c; @@ -1029,25 +1045,25 @@ { /* Header */ sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp); - if (ncolors > 32766) + if (ncolors <= 0 || ncolors > 32766) { fprintf(stderr, "IMLIB ERROR: XPM files wth colors > 32766 not supported\n"); free(line); return NULL; } - if (cpp > 5) + if (cpp <= 0 || cpp > 5) { fprintf(stderr, "IMLIB ERROR: XPM files with characters per pixel > 5 not supported\n"); free(line); return NULL; } - if (*w > 32767) + if (*w <= 0 || *w > 32767) { fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n"); free(line); return NULL; } - if (*h > 32767) + if (*h <= 0 || *h > 32767) { fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n"); free(line); @@ -1080,11 +1096,13 @@ { int slen; int hascolor, iscolor; + int space; iscolor = 0; hascolor = 0; tok[0] = 0; col[0] = 0; + space = sizeof(col) - 1; s[0] = 0; len = strlen(line); strncpy(cmap[j].str, line, cpp); @@ -1107,11 +1125,10 @@ { if (k >= len) { - if (col[0]) - strcat(col, " "); - if (strlen(col) + strlen(s) < sizeof(col)) - strcat(col, s); - } + if (col[0] && space > 0) + strcat(col, " "), space -= 1; + if (slen <= space) + strcat(col, s), space -= slen; } if (col[0]) { if (!strcasecmp(col, "none")) @@ -1140,15 +1157,17 @@ } } } + if (slen < sizeof(tok)); strcpy(tok, s); col[0] = 0; + space = sizeof(col) - 1; } else { - if (col[0]) - strcat(col, " "); - strcat(col, s); - } + if (col[0] && space > 0) + strcat(col, " "), space -=1; + if (slen <= space) + strcat(col, s), space -= slen; } } } } 
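Review bot: The XPM header `sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp)` in the @@ -1029 hunk still has its return value ignored, so when fewer than four fields parse, the new `<= 0` range checks run on whatever the variables held before. Checking the count first closes that gap: `if (sscanf(line, "%i %i %i %i", w, h, &ncolors, &cpp) != 4) { free(line); return NULL; }`. The same applies to `sscanf(s, "%i %i", w, h)` in the @@ -1376 hunk and to the XPM data header in Imlib/utils.c @@ -1496, where `im` and the duplicated `line` must be freed as well. Whether the variables are initialised before the call cannot be seen from the hunk.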
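Review bot: The bounded appends in the @@ -1107 hunk use the comma operator under an unbraced `if` (`strcat(col, " "), space -= 1;`), which is easy to misread as two independent statements. A braced block with two statements would be clearer, and the same form recurs in the @@ -1140 hunk. When `s` does not fit it is dropped silently after the separator may already have been appended, so `col` can end in a trailing space; treating an oversize colour name as a parse error may be the safer choice. `slen` is assigned outside the hunk, so its value at this point could not be checked here.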
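Review bot: The added guard `if (slen < sizeof(tok));` in the @@ -1140 hunk ends in a semicolon, so it is an empty statement and the following `strcpy(tok, s);` still runs unconditionally. The write past `tok` that this line was meant to prevent therefore remains possible. It should read `if (slen < (int) sizeof(tok)) strcpy(tok, s);`, ideally with an explicit error path for an oversize token rather than silently keeping the previous `tok`. The cast also avoids comparing the signed `slen` with a `size_t`; the sizes of `tok` and `s` are declared outside the hunk.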
@@ -1376,12 +1395,12 @@ sscanf(s, "%i %i", w, h); a = *w; b = *h; - if (a > 32767) + if (a <= 0 || a > 32767) { fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for file\n"); return NULL; } - if (b > 32767) + if (b <= 0 || b > 32767) { fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for file\n"); return NULL; diff -Naur imlib-1.9.15/Imlib/save.c imlib-1.9.15-magellan/Imlib/save.c --- imlib-1.9.15/Imlib/save.c 2004-09-21 02:22:59.000000000 +0200 +++ imlib-1.9.15-magellan/Imlib/save.c 2011-05-03 18:03:59.000000000 +0200 @@ -342,7 +342,7 @@ png_destroy_write_struct(&png_ptr, (png_infopp) NULL); return 0; } - if (setjmp(png_ptr->jmpbuf)) + if (setjmp(png_jmpbuf(png_ptr))) { fclose(f); png_destroy_write_struct(&png_ptr, (png_infopp) NULL); diff -Naur imlib-1.9.15/Imlib/utils.c imlib-1.9.15-magellan/Imlib/utils.c --- imlib-1.9.15/Imlib/utils.c 2004-09-21 02:22:59.000000000 +0200 +++ imlib-1.9.15-magellan/Imlib/utils.c 2011-05-03 18:06:41.000000000 +0200 
@@ -1496,36 +1496,56 @@ context = 0; ptr = NULL; end = NULL; + memset(lookup, 0, sizeof(lookup)); while (!done) { line = data[count++]; + if (!line) + break; + line = strdup(line); + if (!line) + break; + len = strlen(line); + for (i = 0; i < len; ++i) + { + c = line[i]; + if (c < 32) + line[i] = 32; + else if (c > 127) + line[i] = 127; + } + if (context == 0) { /* Header */ sscanf(line, "%i %i %i %i", &w, &h, &ncolors, &cpp); - if (ncolors > 32766) + if (ncolors <= 0 || ncolors > 32766) { fprintf(stderr, "IMLIB ERROR: XPM data wth colors > 32766 not supported\n"); free(im); + free(line); return NULL; } - if (cpp > 5) + if (cpp <= 0 || cpp > 5) { fprintf(stderr, "IMLIB ERROR: XPM data with characters per pixel > 5 not supported\n"); free(im); + free(line); return NULL; } - if (w > 32767) + if (w <= 0 || w > 32767) { fprintf(stderr, "IMLIB ERROR: Image width > 32767 pixels for data\n"); free(im); + free(line); return NULL; } - if (h > 32767) + if (h <= 0 || h > 32767) { fprintf(stderr, "IMLIB ERROR: Image height > 32767 pixels for data\n"); free(im); + free(line); return NULL; } cmap = malloc(sizeof(struct _cmap) * ncolors); @@ -1533,6 +1553,7 @@ if (!cmap) { free(im); + free(line); return NULL; } im->rgb_width = w; @@ -1542,6 +1563,7 @@ { free(cmap); free(im); + free(line); return NULL; } im->alpha_data = NULL; @@ -1817,6 +1839,7 @@ } if ((ptr) && ((ptr - im->rgb_data) >= w * h * 3)) done = 1; + free(line); } if (!transp) { 
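Review bot: Both new `break` statements in the @@ -1496 hunk (`if (!line) break;` for a NULL entry and the one after a failed `strdup`) leave the loop as if parsing had finished. Execution then continues into the code after the loop, such as the `if (!transp)` block visible in the @@ -1817 hunk, instead of reporting failure. If this happens before the header has been parsed, `im->rgb_data` and `cmap` have presumably not been set up yet. Handling these cases the way the header checks do, freeing what has actually been allocated and returning NULL, would be safer. It is also worth confirming that no `continue` or `return` between the header block and the new `free(line)` at the loop end skips the free, since most of the loop body is outside the diff.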
@@ -1959,13 +1982,13 @@ return NULL; } - if (setjmp(png_ptr->jmpbuf)) + if (setjmp(png_jmpbuf(png_ptr))) { png_destroy_read_struct(&png_ptr, &info_ptr, NULL); return NULL; } - if (info_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA) + if (png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_RGB_ALPHA) { png_destroy_read_struct(&png_ptr, &info_ptr, NULL); return NULL; diff -Naur imlib-1.9.15/gdk_imlib/io-png.c imlib-1.9.15-magellan/gdk_imlib/io-png.c --- imlib-1.9.15/gdk_imlib/io-png.c 2002-03-04 18:06:29.000000000 +0100 +++ imlib-1.9.15-magellan/gdk_imlib/io-png.c 2011-05-03 17:56:26.000000000 +0200 @@ -40,13 +40,13 @@ return NULL; } - if (setjmp(png_ptr->jmpbuf)) + if (setjmp(png_jmpbuf(png_ptr))) { png_destroy_read_struct(&png_ptr, &info_ptr, NULL); return NULL; } - if (info_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA) + if (png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_RGB_ALPHA) { png_destroy_read_struct(&png_ptr, &info_ptr, NULL); return NULL; @@ -275,13 +275,13 @@ return NULL; } - if (setjmp(png_ptr->jmpbuf)) + if (setjmp(png_jmpbuf(png_ptr))) { png_destroy_read_struct(&png_ptr, &info_ptr, NULL); return NULL; } - if (info_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA) + if (png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_RGB_ALPHA) { png_destroy_read_struct(&png_ptr, &info_ptr, NULL); return NULL; @@ -301,6 +301,9 @@ /* Setup Translators */ if (color_type == PNG_COLOR_TYPE_PALETTE) png_set_expand(png_ptr); + if (color_type == PNG_COLOR_TYPE_GRAY && bit_depth < 8) + png_set_expand(png_ptr); + png_set_strip_16(png_ptr); png_set_packing(png_ptr); if (png_get_valid(png_ptr, info_ptr, PNG_INFO_tRNS)) 
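Review bot: The low-bit-depth grayscale expansion added in the @@ -301 hunk (`color_type == PNG_COLOR_TYPE_GRAY && bit_depth < 8`) reaches only one reader in gdk_imlib/io-png.c. The readers patched at @@ -40 and @@ -440, and the PNG paths in Imlib/load.c and Imlib/utils.c, receive only accessor changes in this diff. If those paths also decode pixel data they may still handle 1-, 2- and 4-bit gray images differently, so either apply the same transform there or add a comment such as `/* scale sub-8-bit gray samples to 8 bits before packing */` saying why this reader alone needs it. The transform setup of the other readers is outside the visible hunks.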
@@ -440,13 +443,13 @@ return NULL; } - if (setjmp(png_ptr->jmpbuf)) + if (setjmp(png_jmpbuf(png_ptr))) { png_destroy_read_struct(&png_ptr, &info_ptr, NULL); return NULL; } - if (info_ptr->color_type == PNG_COLOR_TYPE_RGB_ALPHA) + if (png_get_color_type(png_ptr, info_ptr) == PNG_COLOR_TYPE_RGB_ALPHA) { png_destroy_read_struct(&png_ptr, &info_ptr, NULL); return NULL; @@ -635,7 +638,7 @@ png_destroy_write_struct(&png_ptr, (png_infopp) NULL); return 0; } - if (setjmp(png_ptr->jmpbuf)) + if (setjmp(png_jmpbuf(png_ptr))) { fclose(f); png_destroy_write_struct(&png_ptr, (png_infopp) NULL);