hyprwm/wlroots-hyprland
1
0
Fork 0
mirror of https://github.com/hyprwm/wlroots-hyprland.git synced 2024-11-22 12:55:58 +01:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #1358 from emersion/xcursor-heap

Browse source 
xcursor: Fix heap overflows when parsing malicious files
This commit is contained in:
Drew DeVault 2018-11-06 09:24:25 -05:00 committed by GitHub
commit bcd19a8824
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
xcursor/xcursor.c
View file

@ -203,6 +203,11 @@ XcursorImageCreate (int width, int height)
{
XcursorImage *image;
if (width < 0 || height < 0)
return NULL;
if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
return NULL;
image = malloc (sizeof (XcursorImage) +
width * height * sizeof (XcursorPixel));
if (!image)
@ -483,7 +488,8 @@ _XcursorReadImage (XcursorFile *file,
if (!_XcursorReadUInt (file, &head.delay))
return NULL;
/* sanity check data */
if (head.width >= 0x10000 || head.height > 0x10000)
if (head.width > XCURSOR_IMAGE_MAX_SIZE ||
head.height > XCURSOR_IMAGE_MAX_SIZE)
return NULL;
if (head.width == 0 || head.height == 0)
return NULL;
@ -877,9 +883,11 @@ load_all_cursors_from_dir(const char *path, int size,
return;
for(ent = readdir(dir); ent; ent = readdir(dir)) {
#ifdef _DIRENT_HAVE_D_TYPE
if (ent->d_type != DT_UNKNOWN &&
(ent->d_type != DT_REG && ent->d_type != DT_LNK))
continue;
#endif
full = _XcursorBuildFullname(path, "", ent->d_name);
if (!full)