Merge pull request #1358 from emersion/xcursor-heap

xcursor: Fix heap overflows when parsing malicious files
This commit is contained in:
Drew DeVault 2018-11-06 09:24:25 -05:00 committed by GitHub
commit bcd19a8824
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 1 deletions

View File

@ -203,6 +203,11 @@ XcursorImageCreate (int width, int height)
{ {
XcursorImage *image; XcursorImage *image;
if (width < 0 || height < 0)
return NULL;
if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
return NULL;
image = malloc (sizeof (XcursorImage) + image = malloc (sizeof (XcursorImage) +
width * height * sizeof (XcursorPixel)); width * height * sizeof (XcursorPixel));
if (!image) if (!image)
@ -483,7 +488,8 @@ _XcursorReadImage (XcursorFile *file,
if (!_XcursorReadUInt (file, &head.delay)) if (!_XcursorReadUInt (file, &head.delay))
return NULL; return NULL;
/* sanity check data */ /* sanity check data */
if (head.width >= 0x10000 || head.height > 0x10000) if (head.width > XCURSOR_IMAGE_MAX_SIZE ||
head.height > XCURSOR_IMAGE_MAX_SIZE)
return NULL; return NULL;
if (head.width == 0 || head.height == 0) if (head.width == 0 || head.height == 0)
return NULL; return NULL;
@ -877,9 +883,11 @@ load_all_cursors_from_dir(const char *path, int size,
return; return;
for(ent = readdir(dir); ent; ent = readdir(dir)) { for(ent = readdir(dir); ent; ent = readdir(dir)) {
#ifdef _DIRENT_HAVE_D_TYPE
if (ent->d_type != DT_UNKNOWN && if (ent->d_type != DT_UNKNOWN &&
(ent->d_type != DT_REG && ent->d_type != DT_LNK)) (ent->d_type != DT_REG && ent->d_type != DT_LNK))
continue; continue;
#endif
full = _XcursorBuildFullname(path, "", ent->d_name); full = _XcursorBuildFullname(path, "", ent->d_name);
if (!full) if (!full)