fixed buffer overrun bug in wrlib when creating or loading images

2025-12-19 12:28:22 +01:00 · 2002-11-07 17:18:41 +00:00
parent 4f80ec9178
commit 60ee69979f
2 changed files with 9 additions and 1 deletions
--- a/3
+++ b/3
@@ -20,7 +20,7 @@ Changes since version 0.80.1:
  transparency. Details in WINGs/ChangeLog.
 - Fixed problem with long, preset workspace names (Wanderlei Antonio Cavassin 
  <cavassin@conectiva.com.br>)
- Added kinput2 bug workaround in stock WMWindowAttributes (Seiichi SATO 
+- Added kinput2 bug workaround to stock WMWindowAttributes (Seiichi SATO 
  <sato@cvs-net.co.jp>)
 - Added Belarusian translation (Ihar Viarheichyk <iverg@mail.ru>)
 - Fixed wrlib not to load braindead images with 0 sized width or height
@@ -28,6 +28,7 @@ Changes since version 0.80.1:
  with Shift key while moving windows.
 - Changed the default position display while moving a window to 'Center'.
 - Better outline when drawing balloons.
+- Fixed wrlib to not accept too large images (fixes buffer overflow)


 Changes since version 0.80.0:
--- a/wrlib/raster.c
+++ b/wrlib/raster.c
@@ -24,6 +24,7 @@
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
+#include <limits.h>
 #include <X11/Xlib.h>
 #include "wraster.h"

@@ -45,6 +46,12 @@ RCreateImage(unsigned width, unsigned height, int alpha)
    
    assert(width>0 && height>0);
    
+    /* check for too large images (cap on INT_MAX just to be sure :P) */
+    if (width > (INT_MAX/4)/height+4) {
+	RErrorCode = RERR_NOMEMORY;
+	return NULL;
+    }
+
    image = malloc(sizeof(RImage));
    if (!image) {
 	RErrorCode = RERR_NOMEMORY;