[gimp] Issue #4627 - memory corruption when open crafted sgi
- From: Ell <ell src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gimp] Issue #4627 - memory corruption when open crafted sgi
- Date: Mon, 17 Feb 2020 15:02:24 +0000 (UTC)
commit 15438c58d2a2625c40b33536910e2823b696b617
Author: Ell <ell_se yahoo com>
Date: Mon Feb 17 16:58:26 2020 +0200
Issue #4627 - memory corruption when open crafted sgi
In the file-sgi plug-in, check for failure when allocating buffers
of user-controlled size.
plug-ins/file-sgi/sgi-lib.c | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
---
diff --git a/plug-ins/file-sgi/sgi-lib.c b/plug-ins/file-sgi/sgi-lib.c
index 330b66c6e6..5f98b5ea23 100644
--- a/plug-ins/file-sgi/sgi-lib.c
+++ b/plug-ins/file-sgi/sgi-lib.c
@@ -333,7 +333,18 @@ sgiOpenFile(FILE *file, /* I - File to open */
fseek(sgip->file, 512, SEEK_SET);
sgip->table = calloc(sgip->zsize, sizeof(long *));
+ if (sgip->table == NULL)
+ {
+ free(sgip);
+ return (NULL);
+ }
sgip->table[0] = calloc(sgip->ysize * sgip->zsize, sizeof(long));
+ if (sgip->table[0] == NULL)
+ {
+ free(sgip->table);
+ free(sgip);
+ return (NULL);
+ }
for (i = 1; i < sgip->zsize; i ++)
sgip->table[i] = sgip->table[0] + i * sgip->ysize;
@@ -403,6 +414,11 @@ sgiOpenFile(FILE *file, /* I - File to open */
case SGI_COMP_ARLE : /* Aggressive RLE */
sgip->arle_row = (unsigned short *)calloc(xsize, sizeof(unsigned short));
+ if (sgip->arle_row == NULL)
+ {
+ free(sgip);
+ return (NULL);
+ }
sgip->arle_offset = 0;
case SGI_COMP_RLE : /* Run-Length Encoding */
@@ -416,7 +432,20 @@ sgiOpenFile(FILE *file, /* I - File to open */
sgip->firstrow = ftell(sgip->file);
sgip->nextrow = ftell(sgip->file);
sgip->table = calloc(sgip->zsize, sizeof(long *));
+ if (sgip->table == NULL)
+ {
+ free(sgip->arle_row);
+ free(sgip);
+ return (NULL);
+ }
sgip->table[0] = calloc(sgip->ysize * sgip->zsize, sizeof(long));
+ if (sgip->table[0] == NULL)
+ {
+ free(sgip->table);
+ free(sgip->arle_row);
+ free(sgip);
+ return (NULL);
+ }
for (i = 1; i < sgip->zsize; i ++)
sgip->table[i] = sgip->table[0] + i * sgip->ysize;
sgip->length = calloc(sgip->zsize, sizeof(long *));
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]