Adding length checks for in-memory image data (see #542) (#592)

SVG is now decompressed in memory
Bitmap invalid array length handling to return an error
RGB Image data reader to return error if image data is too short
FLUID: Add size argument to bitmap and JPEG data

1 files changed, 11 insertions, 6 deletions

diff --git a/src/Fl_JPEG_Image.cxx b/src/Fl_JPEG_Image.cxx
index 808461c3e..e8e32c6db 100644
--- a/src/Fl_JPEG_Image.cxx
+++ b/src/Fl_JPEG_Image.cxx
@@ -123,14 +123,16 @@ Fl_JPEG_Image::Fl_JPEG_Image(const char *filename)
 
  \param name A unique name or NULL
  \param data A pointer to the memory location of the JPEG image
+ \param data_length optional length of \c data. This will protect memory outside
+        of the \c data array from illegal read operations
 
  \see Fl_JPEG_Image::Fl_JPEG_Image(const char *filename)
  \see Fl_Shared_Image
  */
-Fl_JPEG_Image::Fl_JPEG_Image(const char *name, const unsigned char *data)
+Fl_JPEG_Image::Fl_JPEG_Image(const char *name, const unsigned char *data, int data_length)
 : Fl_RGB_Image(0,0,0)
 {
-  load_jpg_(0L, name, data);
+  load_jpg_(0L, name, data, data_length);
 }
 
 
@@ -188,7 +190,7 @@ extern "C" {
 
 } // extern "C"
 
-static void jpeg_mem_src(j_decompress_ptr cinfo, const unsigned char *data)
+static void jpeg_unprotected_mem_src(j_decompress_ptr cinfo, const unsigned char *data)
 {
   my_src_ptr src = (my_source_mgr*)malloc(sizeof(my_source_mgr));
   cinfo->src = &(src->pub);
@@ -209,9 +211,9 @@ static void jpeg_mem_src(j_decompress_ptr cinfo, const unsigned char *data)
  This method reads JPEG image data and creates an RGB or grayscale image.
  To avoid code duplication, we set filename if we want to read form a file or
  data to read from memory instead. Sharename can be set if the image is
- supposed to be added to teh Fl_Shared_Image list.
+ supposed to be added to the Fl_Shared_Image list.
  */
-void Fl_JPEG_Image::load_jpg_(const char *filename, const char *sharename, const unsigned char *data)
+void Fl_JPEG_Image::load_jpg_(const char *filename, const char *sharename, const unsigned char *data, int data_length)
 {
 #ifdef HAVE_LIBJPEG
   jpeg_decompress_struct  dinfo;    // Decompressor info
@@ -299,7 +301,10 @@ void Fl_JPEG_Image::load_jpg_(const char *filename, const char *sharename, const
   if (*fp) {
     jpeg_stdio_src(&dinfo, *fp);
   } else {
-    jpeg_mem_src(&dinfo, data);
+    if (data_length==-1)
+      jpeg_unprotected_mem_src(&dinfo, data);
+    else
+      jpeg_mem_src(&dinfo, data, (size_t)data_length);
   }
   jpeg_read_header(&dinfo, TRUE);