Merge pull request #1358 from emersion/xcursor-heap
xcursor: Fix heap overflows when parsing malicious files
This commit is contained in:
commit
bcd19a8824
|
@ -203,6 +203,11 @@ XcursorImageCreate (int width, int height)
|
||||||
{
|
{
|
||||||
XcursorImage *image;
|
XcursorImage *image;
|
||||||
|
|
||||||
|
if (width < 0 || height < 0)
|
||||||
|
return NULL;
|
||||||
|
if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
|
||||||
|
return NULL;
|
||||||
|
|
||||||
image = malloc (sizeof (XcursorImage) +
|
image = malloc (sizeof (XcursorImage) +
|
||||||
width * height * sizeof (XcursorPixel));
|
width * height * sizeof (XcursorPixel));
|
||||||
if (!image)
|
if (!image)
|
||||||
|
@ -483,7 +488,8 @@ _XcursorReadImage (XcursorFile *file,
|
||||||
if (!_XcursorReadUInt (file, &head.delay))
|
if (!_XcursorReadUInt (file, &head.delay))
|
||||||
return NULL;
|
return NULL;
|
||||||
/* sanity check data */
|
/* sanity check data */
|
||||||
if (head.width >= 0x10000 || head.height > 0x10000)
|
if (head.width > XCURSOR_IMAGE_MAX_SIZE ||
|
||||||
|
head.height > XCURSOR_IMAGE_MAX_SIZE)
|
||||||
return NULL;
|
return NULL;
|
||||||
if (head.width == 0 || head.height == 0)
|
if (head.width == 0 || head.height == 0)
|
||||||
return NULL;
|
return NULL;
|
||||||
|
@ -877,9 +883,11 @@ load_all_cursors_from_dir(const char *path, int size,
|
||||||
return;
|
return;
|
||||||
|
|
||||||
for(ent = readdir(dir); ent; ent = readdir(dir)) {
|
for(ent = readdir(dir); ent; ent = readdir(dir)) {
|
||||||
|
#ifdef _DIRENT_HAVE_D_TYPE
|
||||||
if (ent->d_type != DT_UNKNOWN &&
|
if (ent->d_type != DT_UNKNOWN &&
|
||||||
(ent->d_type != DT_REG && ent->d_type != DT_LNK))
|
(ent->d_type != DT_REG && ent->d_type != DT_LNK))
|
||||||
continue;
|
continue;
|
||||||
|
#endif
|
||||||
|
|
||||||
full = _XcursorBuildFullname(path, "", ent->d_name);
|
full = _XcursorBuildFullname(path, "", ent->d_name);
|
||||||
if (!full)
|
if (!full)
|
||||||
|
|
Loading…
Reference in New Issue