--- xvbmp.c +++ xvbmp.c Tue Aug 24 12:42:52 2004 @@ -129,7 +129,9 @@ /* error checking */ if ((biBitCount!=1 && biBitCount!=4 && biBitCount!=8 && biBitCount!=24 && biBitCount!=32) || - biPlanes!=1 || biCompression>BI_RLE4) { + biPlanes!=1 || biCompression>BI_RLE4 || + biWidth<= 0 || biHeight <= 0 || + (biClrUsed && biClrUsed > (1 << biBitCount))) { sprintf(buf,"Bogus BMP File! (bitCount=%d, Planes=%d, Compression=%d)", biBitCount, biPlanes, biCompression); @@ -159,6 +161,9 @@ bPad = bfOffBits - (biSize + 14); } + + if (biClrUsed > (1 << biBitCount)) + biClrUsed = (1 << biBitCount); /* load up colormap, if any */ if (biBitCount!=24 && biBitCount!=32) { --- xviris.c +++ xviris.c Tue Aug 24 13:01:42 2004 @@ -267,6 +267,12 @@ rlebuflen = 2 * xsize + 10; tablen = ysize * zsize; + + if (rlebuflen <= 0 || tablen <= 0 || (tablen * sizeof(long)) < 0) { + loaderr = "Bogus IRIS File!"; + return (byte *)NULL; + } + starttab = (u_long *) malloc((size_t) tablen * sizeof(long)); lengthtab = (u_long *) malloc((size_t) tablen * sizeof(long)); rledat = (byte *) malloc((size_t) rlebuflen); --- xvpcx.c +++ xvpcx.c Tue Aug 24 13:12:15 2004 @@ -222,7 +222,14 @@ byte *image; /* note: overallocation to make life easier... */ - image = (byte *) malloc((size_t) (pinfo->h + 1) * pinfo->w + 16); + int count = (pinfo->h + 1) * pinfo->w + 16; + + if (count <= 0 || pinfo->h <= 0 || pinfo->w <= 0) { + pcxError(fname, "Bogus PCX file!!"); + return (0); + } + + image = (byte *) malloc((size_t) count); if (!image) FatalError("Can't alloc 'image' in pcxLoadImage8()"); xvbzero((char *) image, (size_t) ((pinfo->h+1) * pinfo->w + 16)); @@ -250,17 +257,25 @@ { byte *pix, *pic24, scale[256]; int c, i, j, w, h, maxv, cnt, planes, bperlin, nbytes; + int count; w = pinfo->w; h = pinfo->h; planes = (int) hdr[PCX_PLANES]; bperlin = hdr[PCX_BPRL] + ((int) hdr[PCX_BPRH]<<8); + count = w*h*planes; + + if (count <= 0 || planes <= 0 || w <= 0 || h <= 0) { + pcxError(fname, "Bogus PCX file!!"); + return (0); + } + /* allocate 24-bit image */ - pic24 = (byte *) malloc((size_t) w*h*planes); + pic24 = (byte *) malloc((size_t) count); if (!pic24) FatalError("couldn't malloc 'pic24'"); - xvbzero((char *) pic24, (size_t) w*h*planes); + xvbzero((char *) pic24, (size_t) count); maxv = 0; pix = pinfo->pic = pic24; @@ -268,6 +283,12 @@ j = 0; /* bytes per line, in this while loop */ nbytes = bperlin*h*planes; + if (nbytes < 0) { + pcxError(fname, "Bogus PCX file!!"); + free(pic24); + return (0); + } + while (nbytes > 0 && (c = getc(fp)) != EOF) { if ((c & 0xC0) == 0xC0) { /* have a rep. count */ cnt = c & 0x3F; --- xvpm.c +++ xvpm.c Tue Aug 24 13:16:43 2004 @@ -119,6 +119,9 @@ isize = pm_isize(&thePic); + if (isize <= 0) + return pmError(bname, "Bogus PM file!!"); + if (DEBUG) fprintf(stderr,"%s: LoadPM() - loading a %dx%d %s pic, %d planes\n", cmd, w, h, (thePic.pm_form==PM_I) ? "PM_I" : "PM_C", @@ -135,6 +138,8 @@ return( pmError(bname, "file read error") ); } + if (thePic.pm_cmtsize+1 <= 0) + return pmError(bname, "Bogus PM file!!"); /* alloc and read in comment, if any */ if (thePic.pm_cmtsize>0) { @@ -155,6 +160,9 @@ int *intptr; byte *pic24, *picptr; + if (w <= 0 || h <= 0 || w*h*3 <= 0) + return pmError(bname, "Bogus PM file!!"); + if ((pic24 = (byte *) malloc((size_t) w*h*3))==NULL) { if (thePic.pm_cmt) free(thePic.pm_cmt); return( pmError(bname, "unable to malloc 24-bit picture") ); @@ -189,6 +197,9 @@ else if (thePic.pm_form == PM_C && thePic.pm_np>1) { byte *pic24, *picptr, *rptr, *gptr, *bptr; + + if (w <= 0 || h <= 0 || w*h*3 <= 0) + return pmError(bname, "Bogus PM file!!"); if ((pic24 = (byte *) malloc((size_t) w*h*3))==NULL) { if (thePic.pm_cmt) free(thePic.pm_cmt);