Fix integer overflows in the xpm loader

diff --git a/gdk-pixbuf/ChangeLog b/gdk-pixbuf/ChangeLog
index 16df5ead2cc0b5847a588ed55a15ee434a9ad8e1..d6dc0421d5388b759f56c84c1a929d5eebcb6ae9 100644 (file)
--- a/gdk-pixbuf/ChangeLog
+++ b/gdk-pixbuf/ChangeLog
@@ -1,3 +1,8 @@
+2005-11-15  Matthias Clasen  <mclasen@redhat.com>
+
+       * io-xpm.c: Fix several integer overflows which have been
+       reported as CVE-2005-3186 and CVE-2005-2975.
+
 2005-10-12  Matthias Clasen  <mclasen@redhat.com>
 
        * gdk-pixbuf-loader.c (gdk_pixbuf_loader_write): Only call

diff --git a/gdk-pixbuf/io-xpm.c b/gdk-pixbuf/io-xpm.c
index 750307005de3b58821d904f7cf545b3795833004..7f020cd96427e151435218937a2609641a40e64c 100644 (file)
--- a/gdk-pixbuf/io-xpm.c
+++ b/gdk-pixbuf/io-xpm.c
@@ -405,7 +405,8 @@ file_buffer (enum buf_op op, gpointer handle)
                /* Fall through to the xpm_read_string. */
 
        case op_body:
-               xpm_read_string (h->infile, &h->buffer, &h->buffer_size);
+               if(!xpm_read_string (h->infile, &h->buffer, &h->buffer_size))
+                       return NULL;
                return h->buffer;
 
        default:
@@ -500,7 +501,9 @@ pixbuf_create_from_xpm (const gchar * (*get_buf) (enum buf_op op, gpointer handl
                              _("XPM has invalid number of chars per pixel"));
                return NULL;
        }
-       if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1)) {
+       if (n_col <= 0 || 
+           n_col >= G_MAXINT / (cpp + 1) || 
+           n_col >= G_MAXINT / sizeof (XPMColor)) {
                 g_set_error (error,
                              GDK_PIXBUF_ERROR,
                              GDK_PIXBUF_ERROR_CORRUPT_IMAGE,