hyprwm
/
wlroots-hyprland
mirror of https://github.com/hyprwm/wlroots-hyprland.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1358 from emersion/xcursor-heap 

xcursor: Fix heap overflows when parsing malicious files
This commit is contained in:
Drew DeVault 2018-11-06 09:24:25 -05:00 committed by GitHub
parent 2bf482e90f de0a032d8e
commit bcd19a8824
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
xcursor/xcursor.c
View File

@ -203,6 +203,11 @@ XcursorImageCreate (int width, int height)
{
XcursorImage *image;
if (width < 0 || height < 0)
return NULL;
if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
return NULL;
image = malloc (sizeof (XcursorImage) +
width * height * sizeof (XcursorPixel));
if (!image)
@ -483,7 +488,8 @@ _XcursorReadImage (XcursorFile *file,
if (!_XcursorReadUInt (file, &head.delay))
return NULL;
/* sanity check data */
if (head.width >= 0x10000 || head.height > 0x10000)
if (head.width > XCURSOR_IMAGE_MAX_SIZE ||
head.height > XCURSOR_IMAGE_MAX_SIZE)
return NULL;
if (head.width == 0 || head.height == 0)
return NULL;
@ -877,9 +883,11 @@ load_all_cursors_from_dir(const char *path, int size,
return;
for(ent = readdir(dir); ent; ent = readdir(dir)) {
#ifdef _DIRENT_HAVE_D_TYPE
if (ent->d_type != DT_UNKNOWN &&
(ent->d_type != DT_REG && ent->d_type != DT_LNK))
continue;
#endif
full = _XcursorBuildFullname(path, "", ent->d_name);
if (!full)