
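--- a/src/gifread.c
+++ b/src/gifread.c
@@ -20,6 +20,8 @@
 #include <caml/memory.h>
 #include <caml/fail.h>
 
+#include "oversized.h"
+
 #include <stdio.h>
 #include <string.h>
 
@@ -191,6 +193,9 @@ value dGifGetLine( value hdl )
 
   GifFileType *GifFile = (GifFileType*) hdl;
 
+  if( oversized( GifFile->Image.Width, sizeof(GifPixelType) ) ){
+    failwith_oversized("gif");
+  }
   buf = alloc_string( GifFile->Image.Width * sizeof(GifPixelType) ); 
 
   if( DGifGetLine(GifFile, String_val(buf), GifFile->Image.Width ) 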
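--- a/src/jpegread.c
+++ b/src/jpegread.c
@@ -20,6 +20,8 @@
 #include <caml/memory.h>
 #include <caml/fail.h>
 
+#include "oversized.h"
+
 #include <stdio.h>
 #include <string.h>
 
@@ -156,6 +158,12 @@ read_JPEG_file (value name)
    */ 
   /* JSAMPLEs per row in output buffer */
 
+  if( oversized(cinfo.output_width, cinfo.output_components) ){
+    jpeg_destroy_decompress(&cinfo);
+    fclose(infile);
+    failwith_oversized("jpeg");
+  }
+
   row_stride = cinfo.output_width * cinfo.output_components;
 
   /* Make a one-row-high sample array that will go away when done with image */
@@ -177,6 +185,12 @@ read_JPEG_file (value name)
     jpeg_read_scanlines(&cinfo, buffer + cinfo.output_scanline, 1); 
   }
 
+  if( oversized(row_stride, cinfo.output_height) ){
+    jpeg_destroy_decompress(&cinfo);
+    fclose(infile);
+    failwith_oversized("jpeg");
+  }
+
   {
     CAMLlocalN(r,3);
     r[0] = Val_int(cinfo.output_width);
@@ -352,6 +366,7 @@ value open_jpeg_file_for_read_start( jpe
 
   { 
     CAMLlocalN(r,3);
+    // CR jfuruse: integer overflow
     r[0] = Val_int(cinfop->output_width);
     r[1] = Val_int(cinfop->output_height);
     r[2] = alloc_tuple(3);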
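Review bot: In open_jpeg_file_for_read_start the overflow is only marked with `// CR jfuruse: integer overflow` above the `Val_int(cinfop->output_width)` store, so this entry point still returns unvalidated dimensions while read_JPEG_file gets two oversized() guards. Whatever later sizes a buffer from these values (not visible here) stays exposed to a crafted header. A guard of the same form, `if( oversized(cinfop->output_width, cinfop->output_components) )` followed by the function's own cleanup and `failwith_oversized("jpeg");`, would make the two paths consistent. The cleanup needed for cinfop is outside the hunk, as are the start and end of the function.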
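--- a/src/oversized.h
+++ b/src/oversized.h
@@ -0,0 +1,9 @@
+#include <limits.h>
+/* Test if x or y are negative, or if multiplying x * y would cause an
+ * arithmetic overflow.
+ */
+#define oversized(x, y)						\
+  ((x) < 0 || (y) < 0 || ((y) != 0 && (x) > INT_MAX / (y)))
+
+#define failwith_oversized(lib) \
+  failwith("#lib error: image contains oversized or bogus width and height");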
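Review bot: `failwith_oversized` never inserts the library name, because `#` does not stringify inside a string literal, so every caller raises the literal text "#lib error: ...". Since all callers pass a string literal, literal concatenation fixes it, and the trailing `;` should go so that `if (...) failwith_oversized("png");` stays a single statement: `#define failwith_oversized(lib) failwith(lib " error: image contains oversized or bogus width and height")`. The header also has no include guard, and `oversized` evaluates each argument up to three times and mixes signed and unsigned operands (the gifread.c and pngread.c calls pass `sizeof` values). A short comment stating that arguments must be side-effect free and that the `< 0` tests are vacuous for unsigned types would help.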
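--- a/src/pngread.c
+++ b/src/pngread.c
@@ -17,6 +17,8 @@
 
 #include <png.h>
 
+#include "oversized.h"
+
 #include <caml/mlvalues.h>
 #include <caml/alloc.h>
 #include <caml/memory.h>
@@ -81,6 +83,9 @@ value read_png_file_as_rgb24( name )
   png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
 	       &interlace_type, NULL, NULL);
 
+  if (oversized (width, height))
+    failwith_oversized("png");
+
   if ( color_type == PNG_COLOR_TYPE_GRAY ||
        color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { 
     png_set_gray_to_rgb(png_ptr); 
@@ -102,10 +107,16 @@ value read_png_file_as_rgb24( name )
 
   rowbytes = png_get_rowbytes(png_ptr, info_ptr);
 
+  if (oversized (rowbytes, height))
+    failwith_oversized("png");
+
   {
     int i;
     png_bytep *row_pointers;
 
+    if (oversized (sizeof (png_bytep), height))
+      failwith_oversized("png");
+
     row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height);
 
     res = alloc_tuple(3);
@@ -235,6 +246,9 @@ value read_png_file( name )
   png_get_IHDR(png_ptr, info_ptr, &width, &height, &bit_depth, &color_type,
 	       &interlace_type, NULL, NULL);
 
+  if (oversized (width, height))
+    failwith_oversized("png");
+
   if ( color_type == PNG_COLOR_TYPE_GRAY ||
        color_type == PNG_COLOR_TYPE_GRAY_ALPHA ) { 
     png_set_gray_to_rgb(png_ptr); 
@@ -251,6 +265,9 @@ value read_png_file( name )
 
   rowbytes = png_get_rowbytes(png_ptr, info_ptr);
 
+  if (oversized (rowbytes, height))
+    failwith_oversized("png");
+
 /*
 fprintf(stderr, "pngread.c: actual loading\n"); fflush(stderr);
 */
@@ -259,6 +276,9 @@ fprintf(stderr, "pngread.c: actual loadi
     png_bytep *row_pointers;
     char mesg[256];
  
+    if (oversized (sizeof (png_bytep), height))
+      failwith_oversized("png");
+
     row_pointers = (png_bytep*)stat_alloc(sizeof(png_bytep) * height);
     res = alloc_tuple(3);
 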
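Review bot: Every added check in this file calls `failwith_oversized("png")` directly, so the exception leaves read_png_file_as_rgb24 and read_png_file without releasing the libpng read structures, unlike jpegread.c where the same patch calls `jpeg_destroy_decompress` and `fclose` first. With a crafted image each rejected file would presumably leak png_ptr/info_ptr and the open input file, whose handle is not visible in these hunks. Each check should become a braced block that calls `png_destroy_read_struct(&png_ptr, &info_ptr, (png_infopp)NULL);` and closes the file before raising. Both function bodies start and end outside the hunks.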
