diff options
Diffstat (limited to 'app-editors/xemacs/files/xemacs-21.5.29-large-images.patch')
| -rw-r--r-- | app-editors/xemacs/files/xemacs-21.5.29-large-images.patch | 96 |
1 files changed, 96 insertions, 0 deletions
diff --git a/app-editors/xemacs/files/xemacs-21.5.29-large-images.patch b/app-editors/xemacs/files/xemacs-21.5.29-large-images.patch new file mode 100644 index 000000000000..535c871865fa --- /dev/null +++ b/app-editors/xemacs/files/xemacs-21.5.29-large-images.patch @@ -0,0 +1,96 @@ +APPROVE COMMIT 21.5 + +This patch has been committed. When trying to open very large image +files (or image files with header files that claim the image is very +large), we multiply length times width to get the number of pixels in +the image (and possibly multiply that number if a pixel occupies more +than 1 byte). The multiplication can overflow, resulting in passing +negative or insufficiently positive size values to malloc. This patch +checks whether the multiplication will overflow. If so, XEmacs +refuses to attempt to load the image. + +(Patch taken from upstream, already applied there) + +--- a/src/glyphs-eimage.c Mon Jun 29 08:20:47 2009 -0600 ++++ b/src/glyphs-eimage.c Wed Jul 01 15:42:54 2009 -0600 +@@ -409,6 +409,7 @@ + */ + + { ++ UINT_64_BIT pixels_sq; + int jpeg_gray = 0; /* if we're dealing with a grayscale */ + /* Step 4: set parameters for decompression. */ + +@@ -431,7 +432,10 @@ + jpeg_start_decompress (&cinfo); + + /* Step 6: Read in the data and put into EImage format (8bit RGB triples)*/ +- ++ pixels_sq = ++ (UINT_64_BIT) cinfo.output_width * (UINT_64_BIT) cinfo.output_height; ++ if (pixels_sq > ((size_t) -1) / 3) ++ signal_image_error ("JPEG image too large to instantiate", instantiator); + unwind.eimage = + xnew_binbytes (cinfo.output_width * cinfo.output_height * 3); + if (!unwind.eimage) +@@ -677,6 +681,7 @@ + { + ColorMapObject *cmo = unwind.giffile->SColorMap; + int i, j, row, pass, interlace, slice; ++ UINT_64_BIT pixels_sq; + Binbyte *eip; + /* interlaced gifs have rows in this order: + 0, 8, 16, ..., 4, 12, 20, ..., 2, 6, 10, ..., 1, 3, 5, ... */ +@@ -685,6 +690,9 @@ + + height = unwind.giffile->SHeight; + width = unwind.giffile->SWidth; ++ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height; ++ if (pixels_sq > ((size_t) -1) / (3 * unwind.giffile->ImageCount)) ++ signal_image_error ("GIF image too large to instantiate", instantiator); + unwind.eimage = + xnew_binbytes (width * height * 3 * unwind.giffile->ImageCount); + if (!unwind.eimage) +@@ -948,11 +956,15 @@ + { + int y; + Binbyte **row_pointers; ++ UINT_64_BIT pixels_sq; + height = info_ptr->height; + width = info_ptr->width; ++ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height; ++ if (pixels_sq > ((size_t) -1) / 3) ++ signal_image_error ("PNG image too large to instantiate", instantiator); + + /* Wow, allocate all the memory. Truly, exciting. */ +- unwind.eimage = xnew_array_and_zero (Binbyte, width * height * 3); ++ unwind.eimage = xnew_array_and_zero (Binbyte, (size_t) (pixels_sq * 3)); + /* libpng expects that the image buffer passed in contains a + picture to draw on top of if the png has any transparencies. + This could be a good place to pass that in... */ +@@ -1299,6 +1311,7 @@ + + uint32 *raster; + Binbyte *ep; ++ UINT_64_BIT pixels_sq; + + assert (!NILP (data)); + +@@ -1321,12 +1334,15 @@ + + TIFFGetField (unwind.tiff, TIFFTAG_IMAGEWIDTH, &width); + TIFFGetField (unwind.tiff, TIFFTAG_IMAGELENGTH, &height); +- unwind.eimage = xnew_binbytes (width * height * 3); ++ pixels_sq = (UINT_64_BIT) width * (UINT_64_BIT) height; ++ if (pixels_sq >= 1 << 29) ++ signal_image_error ("TIFF image too large to instantiate", instantiator); ++ unwind.eimage = xnew_binbytes (pixels_sq * 3); + + /* #### This is little more than proof-of-concept/function testing. + It needs to be reimplemented via scanline reads for both memory + compactness. */ +- raster = (uint32*) _TIFFmalloc (width * height * sizeof (uint32)); ++ raster = (uint32*) _TIFFmalloc ((tsize_t) (pixels_sq * sizeof (uint32))); + if (raster != NULL) + { + int i, j; |