diff -Nur imlib2-1.2.1/src/modules/loaders/loader_argb.c imlib2-1.2.1.new/src/modules/loaders/loader_argb.c --- imlib2-1.2.1/src/modules/loaders/loader_argb.c 2004-12-13 19:50:46.000000000 -0800 +++ imlib2-1.2.1.new/src/modules/loaders/loader_argb.c 2006-11-03 12:00:55.434893245 -0800 @@ -23,7 +23,7 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity, char immediate_load) { - int w, h, alpha; + int w=0, h=0, alpha=0; FILE *f; if (im->data) @@ -36,13 +36,15 @@ { char buf[256], buf2[256]; + memset(buf, 0, sizeof(buf)); + memset(buf2, 0, sizeof(buf)); if (!fgets(buf, 255, f)) { fclose(f); return 0; } sscanf(buf, "%s %i %i %i", buf2, &w, &h, &alpha); - if (strcmp(buf2, "ARGB")) + if (strcmp(buf2, "ARGB") || w < 1 || h < 1 || w > 16383 || h > 16383) { fclose(f); return 0; diff -Nur imlib2-1.2.1/src/modules/loaders/loader_jpeg.c imlib2-1.2.1.new/src/modules/loaders/loader_jpeg.c --- imlib2-1.2.1/src/modules/loaders/loader_jpeg.c 2004-12-13 19:50:46.000000000 -0800 +++ imlib2-1.2.1.new/src/modules/loaders/loader_jpeg.c 2006-11-03 12:00:55.434893245 -0800 @@ -95,6 +95,13 @@ UNSET_FLAG(im->flags, F_HAS_ALPHA); im->format = strdup("jpeg"); } + if (w < 1 || h < 1 || w > 16383 || h > 16383) + { + im->w = im->h = 0; + jpeg_destroy_decompress(&cinfo); + fclose(f); + return 0; + } if (((!im->data) && (im->loader)) || (immediate_load) || (progress)) { DATA8 *ptr, *line[16], *data; diff -Nur imlib2-1.2.1/src/modules/loaders/loader_lbm.c imlib2-1.2.1.new/src/modules/loaders/loader_lbm.c --- imlib2-1.2.1/src/modules/loaders/loader_lbm.c 2004-11-01 01:45:31.000000000 -0800 +++ imlib2-1.2.1.new/src/modules/loaders/loader_lbm.c 2006-11-03 12:00:55.434893245 -0800 @@ -421,7 +421,7 @@ im->w = L2RWORD(ilbm.bmhd.data); im->h = L2RWORD(ilbm.bmhd.data + 2); - if (im->w <= 0 || im->h <= 0) ok = 0; + if (im->w <= 0 || im->h <= 0 || im->w > 16383 || im->h > 16383) ok = 0; ilbm.depth = ilbm.bmhd.data[8]; if (ilbm.depth < 1 || (ilbm.depth > 8 && ilbm.depth != 24 && ilbm.depth != 32)) ok = 0; /* Only 1 to 8, 24, or 32 planes. */ @@ -453,6 +453,7 @@ } } if (!full || !ok) { + im->w = im->h = 0; freeilbm(&ilbm); return ok; } @@ -467,12 +468,13 @@ cancel = 0; plane[0] = NULL; + n = ilbm.depth; + if (ilbm.mask == 1) n++; + im->data = malloc(im->w * im->h * sizeof(DATA32)); - if (im->data) { - n = ilbm.depth; - if (ilbm.mask == 1) n++; + plane[0] = malloc(((im->w + 15) / 16) * 2 * n); + if (im->data && plane[0]) { - plane[0] = malloc(((im->w + 15) / 16) * 2 * n); for (i = 1; i < n; i++) plane[i] = plane[i - 1] + ((im->w + 15) / 16) * 2; z = ((im->w + 15) / 16) * 2 * n; @@ -511,6 +513,7 @@ * the memory for im->data. *----------*/ if (!ok) { + im->w = im->h = 0; if (im->data) free(im->data); im->data = NULL; } diff -Nur imlib2-1.2.1/src/modules/loaders/loader_png.c imlib2-1.2.1.new/src/modules/loaders/loader_png.c --- imlib2-1.2.1/src/modules/loaders/loader_png.c 2004-12-13 19:50:46.000000000 -0800 +++ imlib2-1.2.1.new/src/modules/loaders/loader_png.c 2006-11-03 12:00:55.434893245 -0800 @@ -83,6 +83,13 @@ png_get_IHDR(png_ptr, info_ptr, (png_uint_32 *) (&w32), (png_uint_32 *) (&h32), &bit_depth, &color_type, &interlace_type, NULL, NULL); + if (w32 < 1 || h32 < 1 || w32 > 16383 || h32 > 16383) + { + png_read_end(png_ptr, info_ptr); + png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp) NULL); + fclose(f); + return 0; + } im->w = (int)w32; im->h = (int)h32; if (color_type == PNG_COLOR_TYPE_PALETTE) diff -Nur imlib2-1.2.1/src/modules/loaders/loader_pnm.c imlib2-1.2.1.new/src/modules/loaders/loader_pnm.c --- imlib2-1.2.1/src/modules/loaders/loader_pnm.c 2004-12-27 13:05:31.000000000 -0800 +++ imlib2-1.2.1.new/src/modules/loaders/loader_pnm.c 2006-11-03 12:00:55.438893449 -0800 @@ -80,7 +80,7 @@ int i = 0; /* read numbers */ - while (c != EOF && !isspace(c)) + while (c != EOF && i+1 < sizeof(buf) && !isspace(c)) { buf[i++] = c; c = fgetc(f); diff -Nur imlib2-1.2.1/src/modules/loaders/loader_tga.c imlib2-1.2.1.new/src/modules/loaders/loader_tga.c --- imlib2-1.2.1/src/modules/loaders/loader_tga.c 2004-12-27 13:05:32.000000000 -0800 +++ imlib2-1.2.1.new/src/modules/loaders/loader_tga.c 2006-11-03 12:00:55.438893449 -0800 @@ -319,6 +319,7 @@ { unsigned long datasize; unsigned char *bufptr; + unsigned char *bufend; DATA32 *dataptr; int y, pl = 0; @@ -348,6 +349,9 @@ /* bufptr is the next byte to be read from the buffer */ bufptr = filedata; + /* bufend is one past the last byte to be read from the buffer */ + bufend = filedata + datasize; + /* dataptr is the next 32-bit pixel to be filled in */ dataptr = im->data; @@ -365,7 +369,9 @@ else dataptr = im->data + (y * im->w); - for (x = 0; x < im->w; x++) /* for each pixel in the row */ + for (x = 0; + x < im->w && bufptr+bpp/8 < bufend; + x++) /* for each pixel in the row */ { switch (bpp) { @@ -422,8 +428,8 @@ unsigned char curbyte, red, green, blue, alpha; DATA32 *final_pixel = dataptr + im->w * im->h; - /* loop until we've got all the pixels */ - while (dataptr < final_pixel) + /* loop until we've got all the pixels or run out of input */ + while (dataptr < final_pixel && bufptr+1+bpp/8 < bufend) { int count; @@ -441,7 +447,7 @@ green = *bufptr++; red = *bufptr++; alpha = *bufptr++; - for (i = 0; i < count; i++) + for (i = 0; i < count && dataptr < final_pixel; i++) { WRITE_RGBA(dataptr, red, green, blue, alpha); dataptr++; @@ -452,7 +458,7 @@ blue = *bufptr++; green = *bufptr++; red = *bufptr++; - for (i = 0; i < count; i++) + for (i = 0; i < count && dataptr < final_pixel; i++) { WRITE_RGBA(dataptr, red, green, blue, (char)0xff); @@ -462,7 +468,7 @@ case 8: alpha = *bufptr++; - for (i = 0; i < count; i++) + for (i = 0; i < count && dataptr < final_pixel; i++) { WRITE_RGBA(dataptr, alpha, alpha, alpha, (char)0xff); @@ -477,7 +483,7 @@ { int i; - for (i = 0; i < count; i++) + for (i = 0; i < count && dataptr < final_pixel; i++) { switch (bpp) { diff -Nur imlib2-1.2.1/src/modules/loaders/loader_tiff.c imlib2-1.2.1.new/src/modules/loaders/loader_tiff.c --- imlib2-1.2.1/src/modules/loaders/loader_tiff.c 2004-12-13 19:50:46.000000000 -0800 +++ imlib2-1.2.1.new/src/modules/loaders/loader_tiff.c 2006-11-03 12:01:29.544630496 -0800 @@ -75,7 +75,7 @@ raster(TIFFRGBAImage_Extra * img, uint32 * rast, uint32 x, uint32 y, uint32 w, uint32 h) { - uint32 image_width, image_height; + int image_width, image_height; uint32 *pixel, pixel_value; int i, j, dy, rast_offset; DATA32 *buffer_pixel, *buffer = img->image->data; @@ -192,8 +192,16 @@ } rgba_image.image = im; - im->w = width = rgba_image.rgba.width; - im->h = height = rgba_image.rgba.height; + width = rgba_image.rgba.width; + height = rgba_image.rgba.height; + if (width < 1 || height < 1 || width >= 16384 || height >= 16384) + { + TIFFRGBAImageEnd((TIFFRGBAImage *) & rgba_image); + TIFFClose(tif); + return 0; + } + im->w = width; + im->h = height; rgba_image.num_pixels = num_pixels = width * height; if (rgba_image.rgba.alpha != EXTRASAMPLE_UNSPECIFIED) SET_FLAG(im->flags, F_HAS_ALPHA);