| -rw-r--r-- | FL/Fl_Image.H | 17 | ||||
| -rw-r--r-- | src/Fl_BMP_Image.cxx | 6 | ||||
| -rw-r--r-- | src/Fl_Image.cxx | 2 | ||||
| -rw-r--r-- | src/Fl_JPEG_Image.cxx | 5 | ||||
| -rw-r--r-- | src/Fl_PNG_Image.cxx | 3 | ||||
| -rw-r--r-- | src/Fl_PNM_Image.cxx | 5 |
6 files changed, 37 insertions, 1 deletions
diff --git a/FL/Fl_Image.H b/FL/Fl_Image.H
index 61a426054..357982e63 100644
--- a/FL/Fl_Image.H
+++ b/FL/Fl_Image.H
@@ -23,6 +23,7 @@ # define Fl_Image_H # include "Enumerations.H" +#include <stdlib.h> class Fl_Widget; struct Fl_Menu_Item;
@@ -167,6 +168,7 @@ class FL_EXPORT Fl_RGB_Image : public Fl_Image { friend class Fl_Quartz_Graphics_Driver; friend class Fl_GDI_Graphics_Driver; friend class Fl_Xlib_Graphics_Driver; + static size_t max_size_; public: const uchar *array;
@@ -211,6 +213,21 @@ public: virtual void label(Fl_Widget*w); virtual void label(Fl_Menu_Item*m); virtual void uncache(); + /** Sets the maximum allowed image size in bytes when creating an Fl_RGB_Image object. + + The image size in bytes of an Fl_RGB_Image object is the value of the product w() * h() * d(). + If this product exceeds size, the created object of a derived class of Fl_RGB_Image + won't be loaded with the image data. + This does not apply to direct RGB image creation with + Fl_RGB_Image::Fl_RGB_Image(const uchar *bits, int W, int H, int D, int LD). + The default max_size() value is essentially infinite. + */ + static void max_size(size_t size) { max_size_ = size;} + /** Returns the maximum allowed image size in bytes when creating an Fl_RGB_Image object. + + \sa void Fl_RGB_Image::max_size(size_t) + */ + static size_t max_size() {return max_size_;} }; #endif // !Fl_Image_H
diff --git a/src/Fl_BMP_Image.cxx b/src/Fl_BMP_Image.cxx
index f9dd18b38..8542763be 100644
--- a/src/Fl_BMP_Image.cxx
+++ b/src/Fl_BMP_Image.cxx
@@ -27,6 +27,7 @@ #include <FL/Fl_BMP_Image.H> #include <FL/fl_utf8.h> +#include <FL/Fl.H> #include <config.h> #include <stdio.h> #include <stdlib.h>
@@ -187,6 +188,11 @@ Fl_BMP_Image::Fl_BMP_Image(const char *bmp) // I - File to read d(bDepth); if (offbits) fseek(fp, offbits, SEEK_SET); + if (((size_t)w()) * h() * d() > max_size() ) { + Fl::warning("BMP file \"%s\" is too large!\n", bmp); + fclose(fp); + return; + } array = new uchar[w() * h() * d()]; alloc_array = 1;
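Review bot: The documentation for `max_size(size_t)` states that the default is "essentially infinite" but does not say that the limit is therefore inactive until the application sets it, nor how a caller can recognise an image whose data was refused. Because the check bounds an allocation sized from width, height and depth fields read out of a file, I would add to the setter's comment a sentence such as `Applications that load images from untrusted sources should call this before constructing any image; by default no limit is enforced.` A second sentence should describe the state of a rejected object; the BMP and PNM constructors in this commit return before `array` is assigned. Since `max_size_` is a single static member, the comment could also say that the setting is process-wide and shared by all Fl_RGB_Image subclasses.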
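Review bot: The size test in the Fl_BMP_Image constructor multiplies in size_t, but the allocation on the following line still evaluates `w() * h() * d()` in int (the Fl_Image accessors return int), so with the default limit of `~((size_t)0)` a header whose dimensions multiply past INT_MAX passes the test and reaches `new uchar[...]` with an overflowed value. Computing the size once and reusing it closes that gap: `const size_t nbytes = (size_t)w() * h() * d();`, `if (nbytes > max_size()) { ... }`, `array = new uchar[nbytes];`. Where size_t is 32 bits the size_t product can itself wrap, so a division-based comparison against max_size() would be more robust there. The same pattern appears in both Fl_JPEG_Image constructors, in Fl_PNG_Image::load_png_ and in the Fl_PNM_Image constructor; the constructor body continues outside the hunk, so later uses of the product are not visible here.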
diff --git a/src/Fl_Image.cxx b/src/Fl_Image.cxx
index 4bf41f888..317fbc30d 100644
--- a/src/Fl_Image.cxx
+++ b/src/Fl_Image.cxx
@@ -163,6 +163,8 @@ Fl_Image::measure(const Fl_Label *lo, // I - Label // // RGB image class... // +size_t Fl_RGB_Image::max_size_ = ~((size_t)0); + /** The destructor free all memory and server resources that are used by the image. */ Fl_RGB_Image::~Fl_RGB_Image() { uncache();
diff --git a/src/Fl_JPEG_Image.cxx b/src/Fl_JPEG_Image.cxx
index f8e9a6192..ade8df56e 100644
--- a/src/Fl_JPEG_Image.cxx
+++ b/src/Fl_JPEG_Image.cxx
@@ -28,6 +28,7 @@ #include <FL/Fl_JPEG_Image.H> #include <FL/Fl_Shared_Image.H> #include <FL/fl_utf8.h> +#include <FL/Fl.H> #include <config.h> #include <stdio.h> #include <stdlib.h>
@@ -126,6 +127,7 @@ Fl_JPEG_Image::Fl_JPEG_Image(const char *filename) // I - File to load if (setjmp(jerr.errhand_)) { // JPEG error handling... + Fl::warning("JPEG file \"%s\" is too large or contains errors!\n", filename); // if any of the cleanup routines hits another error, we would end up // in a loop. So instead, we decrement max_err for some upper cleanup limit. if ( ((*max_finish_decompress_err)-- > 0) && array)
@@ -166,6 +168,7 @@ Fl_JPEG_Image::Fl_JPEG_Image(const char *filename) // I - File to load h(dinfo.output_height); d(dinfo.output_components); + if (((size_t)w()) * h() * d() > max_size() ) longjmp(jerr.errhand_, 1); array = new uchar[w() * h() * d()]; alloc_array = 1;
@@ -304,6 +307,7 @@ Fl_JPEG_Image::Fl_JPEG_Image(const char *name, const unsigned char *data) if (setjmp(jerr.errhand_)) { // JPEG error handling... + Fl::warning("JPEG data is too large or contains errors!\n"); // if any of the cleanup routines hits another error, we would end up // in a loop. So instead, we decrement max_err for some upper cleanup limit. if ( ((*max_finish_decompress_err)-- > 0) && array)
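Review bot: `Fl::warning()` sits at the top of the `setjmp()` handler in the file-based Fl_JPEG_Image constructor, ahead of the max_err counters, and the comment just below it says the cleanup calls can land in this handler again; each re-entry would then print the warning once more. The message also cannot distinguish an image rejected by the size limit from a decode error, which makes the log less useful when triaging a suspicious file. Emitting a specific message at the size check, e.g. `Fl::warning("JPEG file \"%s\" is too large!\n", filename);` immediately before `longjmp(jerr.errhand_, 1)`, and keeping the handler's message for decode errors (guarded so it prints once) would address both. The in-memory constructor has the same arrangement; both constructor bodies extend beyond the hunks shown.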
@@ -342,6 +346,7 @@ Fl_JPEG_Image::Fl_JPEG_Image(const char *name, const unsigned char *data) h(dinfo.output_height); d(dinfo.output_components); + if (((size_t)w()) * h() * d() > max_size() ) longjmp(jerr.errhand_, 1); array = new uchar[w() * h() * d()]; alloc_array = 1;
diff --git a/src/Fl_PNG_Image.cxx b/src/Fl_PNG_Image.cxx
index 5a295c87f..d6261c9ce 100644
--- a/src/Fl_PNG_Image.cxx
+++ b/src/Fl_PNG_Image.cxx
@@ -130,7 +130,7 @@ void Fl_PNG_Image::load_png_(const char *name_png, const unsigned char *buffer_p { png_destroy_read_struct(&pp, &info, NULL); if (!from_memory) fclose(fp); - Fl::warning("PNG file or data \"%s\" contains errors!\n", name_png); + Fl::warning("PNG file or data \"%s\" is too large or contains errors!\n", name_png); return; }
@@ -178,6 +178,7 @@ void Fl_PNG_Image::load_png_(const char *name_png, const unsigned char *buffer_p png_set_tRNS_to_alpha(pp); # endif // HAVE_PNG_GET_VALID && HAVE_PNG_SET_TRNS_TO_ALPHA + if (((size_t)w()) * h() * d() > max_size() ) longjmp(png_jmpbuf(pp), 1); array = new uchar[w() * h() * d()]; alloc_array = 1;
diff --git a/src/Fl_PNM_Image.cxx b/src/Fl_PNM_Image.cxx
index eb4c8b7ee..bfd97d65d 100644
--- a/src/Fl_PNM_Image.cxx
+++ b/src/Fl_PNM_Image.cxx
@@ -119,6 +119,11 @@ Fl_PNM_Image::Fl_PNM_Image(const char *name) // I - File to read // printf("%s = %dx%dx%d\n", name, w(), h(), d()); + if (((size_t)w()) * h() * d() > max_size() ) { + Fl::warning("PNM file \"%s\" is too large!\n", name); + fclose(fp); + return; + } array = new uchar[w() * h() * d()]; alloc_array = 1; |
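Review bot: The early return added to the Fl_PNM_Image constructor leaves w(), h() and d() at the values parsed from the file while `array` is never assigned, so a caller that tests w() or h() to decide whether loading worked would see what looks like a valid image. Resetting the dimensions before returning, `w(0); h(0); d(0);`, would make the rejected object look like a failed load, assuming the constructor's existing error paths (outside this hunk) do the same. The early return added to the Fl_BMP_Image constructor has the same shape.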
