35 lines
1.2 KiB
Diff
35 lines
1.2 KiB
Diff
From: Debian Science Maintainers
|
|
<debian-science-maintainers@lists.alioth.debian.org>
|
|
Date: Mon, 10 Oct 2016 08:22:44 +0100
|
|
Subject: CVE-2016-5684
|
|
|
|
---
|
|
Source/FreeImage/PluginXPM.cpp | 7 ++++++-
|
|
1 file changed, 6 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/Source/FreeImage/PluginXPM.cpp b/Source/FreeImage/PluginXPM.cpp
|
|
index a698321..cc7bd07 100644
|
|
--- a/Source/FreeImage/PluginXPM.cpp
|
|
+++ b/Source/FreeImage/PluginXPM.cpp
|
|
@@ -181,6 +181,11 @@ Load(FreeImageIO *io, fi_handle handle, int page, int flags, void *data) {
|
|
}
|
|
free(str);
|
|
|
|
+ // check info string
|
|
+ if((width <= 0) || (height <= 0) || (colors <= 0) || (cpp <= 0)) {
|
|
+ throw "Improperly formed info string";
|
|
+ }
|
|
+
|
|
if (colors > 256) {
|
|
dib = FreeImage_AllocateHeader(header_only, width, height, 24, FI_RGBA_RED_MASK, FI_RGBA_GREEN_MASK, FI_RGBA_BLUE_MASK);
|
|
} else {
|
|
@@ -193,7 +198,7 @@ Load(FreeImageIO *io, fi_handle handle, int page, int flags, void *data) {
|
|
FILE_RGBA rgba;
|
|
|
|
str = ReadString(io, handle);
|
|
- if(!str)
|
|
+ if(!str || (strlen(str) < (size_t)cpp))
|
|
throw "Error reading color strings";
|
|
|
|
std::string chrs(str,cpp); //create a string for the color chars using the first cpp chars
|