| author | Manolo Gouy <Manolo> | 2012-11-09 16:02:08 +0000 |
|---|---|---|
| committer | Manolo Gouy <Manolo> | 2012-11-09 16:02:08 +0000 |
| commit | cff894183660e222605b945d841a3cb580082201 (patch) | |
| tree | e5f6e96ecd4a03e29753703b379e4c51bf6437ff /src | |
| parent | 8701434312c150b4c07074feee008129c775ad71 (diff) | |
Fix STR#2881: the new static function Fl_RGB_Image::max_size(size) makes it possible to control the maximum
memory size allowed when creating an Fl_RGB_Image.
git-svn-id: file:///fltk/svn/fltk/branches/branch-1.3@9709 ea41ed52-d2ee-0310-a9c1-e6b18d33e121
Diffstat (limited to 'src')
| -rw-r--r-- | src/Fl_BMP_Image.cxx | 6 | ||||
| -rw-r--r-- | src/Fl_Image.cxx | 2 | ||||
| -rw-r--r-- | src/Fl_JPEG_Image.cxx | 5 | ||||
| -rw-r--r-- | src/Fl_PNG_Image.cxx | 3 | ||||
| -rw-r--r-- | src/Fl_PNM_Image.cxx | 5 |
5 files changed, 20 insertions, 1 deletions
diff --git a/src/Fl_BMP_Image.cxx b/src/Fl_BMP_Image.cxx index f9dd18b38..8542763be 100644 --- a/src/Fl_BMP_Image.cxx +++ b/src/Fl_BMP_Image.cxx @@ -27,6 +27,7 @@ #include <FL/Fl_BMP_Image.H> #include <FL/fl_utf8.h> +#include <FL/Fl.H> #include <config.h> #include <stdio.h> #include <stdlib.h> @@ -187,6 +188,11 @@ Fl_BMP_Image::Fl_BMP_Image(const char *bmp) // I - File to read d(bDepth); if (offbits) fseek(fp, offbits, SEEK_SET); + if (((size_t)w()) * h() * d() > max_size() ) { + Fl::warning("BMP file \"%s\" is too large!\n", bmp); + fclose(fp); + return; + } array = new uchar[w() * h() * d()]; alloc_array = 1; diff --git a/src/Fl_Image.cxx b/src/Fl_Image.cxx index 4bf41f888..317fbc30d 100644 --- a/src/Fl_Image.cxx +++ b/src/Fl_Image.cxx @@ -163,6 +163,8 @@ Fl_Image::measure(const Fl_Label *lo, // I - Label // // RGB image class... // +size_t Fl_RGB_Image::max_size_ = ~((size_t)0); + /** The destructor free all memory and server resources that are used by the image. */ Fl_RGB_Image::~Fl_RGB_Image() { uncache(); diff --git a/src/Fl_JPEG_Image.cxx b/src/Fl_JPEG_Image.cxx index f8e9a6192..ade8df56e 100644 --- a/src/Fl_JPEG_Image.cxx +++ b/src/Fl_JPEG_Image.cxx @@ -28,6 +28,7 @@ #include <FL/Fl_JPEG_Image.H> #include <FL/Fl_Shared_Image.H> #include <FL/fl_utf8.h> +#include <FL/Fl.H> #include <config.h> #include <stdio.h> #include <stdlib.h> @@ -126,6 +127,7 @@ Fl_JPEG_Image::Fl_JPEG_Image(const char *filename) // I - File to load if (setjmp(jerr.errhand_)) { // JPEG error handling... + Fl::warning("JPEG file \"%s\" is too large or contains errors!\n", filename); // if any of the cleanup routines hits another error, we would end up // in a loop. So instead, we decrement max_err for some upper cleanup limit. if ( ((*max_finish_decompress_err)-- > 0) && array) 
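Review bot: In the Fl_BMP_Image constructor hunk (`@@ -187,6 +188,11 @@`), the added guard multiplies in `size_t`, but the allocation right after it still evaluates `w() * h() * d()` in the accessors' own type (presumably `int`), so a product that passes the guard can still overflow before it reaches `new`. With the limit at its default, large header dimensions can therefore still yield a buffer smaller than the pixel data the loader goes on to write. Compute the size once and reuse it: `size_t n = (size_t)w() * h() * d();` followed by `array = new uchar[n];`. On 32-bit builds the `size_t` product itself can wrap, so a division-based test such as `(size_t)w() > max_size() / h() / d()` (after rejecting zero) is safer. The same guard-then-allocate pattern is repeated in both Fl_JPEG_Image constructors, in Fl_PNG_Image::load_png_ and in the Fl_PNM_Image constructor; the constructor body continues outside this hunk.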
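Review bot: In src/Fl_Image.cxx, the default `max_size_ = ~((size_t)0)` means the new `> max_size()` guards in the loaders can never fire until an application lowers the limit, so the protection is opt-in. That is worth stating on the definition, for example `// No limit by default: programs that load untrusted image files should call Fl_RGB_Image::max_size() with a bound first.` If a finite default is acceptable on this branch, it would also cover callers that never set one.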
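Review bot: In the Fl_JPEG_Image file constructor (`@@ -126,6 +127,7 @@`), the added `Fl::warning` sits at the top of the `setjmp` handler, ahead of the `max_finish_decompress_err` countdown. The existing comment says the cleanup routines can hit another error and come back here, so each re-entry would presumably print the warning again. Either move the call after the cleanup steps or document the repetition with a comment such as `// may run more than once if cleanup fails; the warning repeats each time`. The same placement is used in the in-memory constructor hunk (`@@ -304,6 +307,7 @@`), and the handler body continues outside both hunks.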
@@ -166,6 +168,7 @@ Fl_JPEG_Image::Fl_JPEG_Image(const char *filename) // I - File to load h(dinfo.output_height); d(dinfo.output_components); + if (((size_t)w()) * h() * d() > max_size() ) longjmp(jerr.errhand_, 1); array = new uchar[w() * h() * d()]; alloc_array = 1; @@ -304,6 +307,7 @@ Fl_JPEG_Image::Fl_JPEG_Image(const char *name, const unsigned char *data) if (setjmp(jerr.errhand_)) { // JPEG error handling... + Fl::warning("JPEG data is too large or contains errors!\n"); // if any of the cleanup routines hits another error, we would end up // in a loop. So instead, we decrement max_err for some upper cleanup limit. if ( ((*max_finish_decompress_err)-- > 0) && array) @@ -342,6 +346,7 @@ Fl_JPEG_Image::Fl_JPEG_Image(const char *name, const unsigned char *data) h(dinfo.output_height); d(dinfo.output_components); + if (((size_t)w()) * h() * d() > max_size() ) longjmp(jerr.errhand_, 1); array = new uchar[w() * h() * d()]; alloc_array = 1; diff --git a/src/Fl_PNG_Image.cxx b/src/Fl_PNG_Image.cxx index 5a295c87f..d6261c9ce 100644 --- a/src/Fl_PNG_Image.cxx +++ b/src/Fl_PNG_Image.cxx @@ -130,7 +130,7 @@ void Fl_PNG_Image::load_png_(const char *name_png, const unsigned char *buffer_p { png_destroy_read_struct(&pp, &info, NULL); if (!from_memory) fclose(fp); - Fl::warning("PNG file or data \"%s\" contains errors!\n", name_png); + Fl::warning("PNG file or data \"%s\" is too large or contains errors!\n", name_png); return; } @@ -178,6 +178,7 @@ void Fl_PNG_Image::load_png_(const char *name_png, const unsigned char *buffer_p png_set_tRNS_to_alpha(pp); # endif // HAVE_PNG_GET_VALID && HAVE_PNG_SET_TRNS_TO_ALPHA + if (((size_t)w()) * h() * d() > max_size() ) longjmp(png_jmpbuf(pp), 1); array = new uchar[w() * h() * d()]; alloc_array = 1; diff --git a/src/Fl_PNM_Image.cxx b/src/Fl_PNM_Image.cxx index eb4c8b7ee..bfd97d65d 100644 --- a/src/Fl_PNM_Image.cxx +++ b/src/Fl_PNM_Image.cxx 
@@ -119,6 +119,11 @@ Fl_PNM_Image::Fl_PNM_Image(const char *name) // I - File to read // printf("%s = %dx%dx%d\n", name, w(), h(), d()); + if (((size_t)w()) * h() * d() > max_size() ) { + Fl::warning("PNM file \"%s\" is too large!\n", name); + fclose(fp); + return; + } array = new uchar[w() * h() * d()]; alloc_array = 1; |
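Review bot: The added guard only bounds the product from above, so it does not reject a zero or negative `w()`, `h()` or `d()`; a negative value cast to `size_t` becomes very large, and the product can wrap back to a small number that passes the test. The header parsing is outside this hunk, so whether such values are already rejected cannot be seen from here. If they are not, add the lower bound to the same test: `if (w() <= 0 || h() <= 0 || d() <= 0 || ((size_t)w()) * h() * d() > max_size()) {`.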
