abs/extra/xmms/xmms-1.2.11-CVE-2007-0653.0654.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43

--- xmms-1.2.11/xmms/bmp.c.CVE-2007-0653.0654	2006-07-16 15:40:04.000000000 +0200
+++ xmms-1.2.11/xmms/bmp.c	2007-11-18 21:23:11.000000000 +0100
@@ -19,6 +19,12 @@
  */
 #include "xmms.h"
 
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
 struct rgb_quad
 {
 	guchar rgbBlue;
@@ -183,7 +189,7 @@ GdkPixmap *read_bmp(gchar * filename)
 	}
 	else if (bitcount != 24 && bitcount != 16 && bitcount != 32)
 	{
-		gint ncols, i;
+		guint32 ncols, i;
 
 		ncols = offset - headSize - 14;
 		if (headSize == 12)
@@ -201,9 +207,17 @@ GdkPixmap *read_bmp(gchar * filename)
 		}
 	}
 	fseek(file, offset, SEEK_SET);
+	/* verify buffer size */
+	if (!h || !w ||
+	    w > (((UINT32_MAX - 3) / 3) / h) ||
+	    h > (((UINT32_MAX - 3) / 3) / w)) {
+		g_warning("read_bmp(): width(%u)*height(%u) too large", w, h);
+		fclose(file);
+		return NULL;
+	}
+	data = g_malloc0((w * 3 * h) + 3);	/* +3 is just for safety */
 	buffer = g_malloc(imgsize);
 	fread(buffer, imgsize, 1, file);
-	data = g_malloc0((w * 3 * h) + 3);	/* +3 is just for safety */
 
 	if (bitcount == 1)
 		read_1b_rgb(buffer, imgsize, data, w, h, rgb_quads);