From cff894183660e222605b945d841a3cb580082201 Mon Sep 17 00:00:00 2001
From: Manolo Gouy
Date: Fri, 9 Nov 2012 16:02:08 +0000
Subject: Fix STR#2881: the new static function Fl_RGB_Image::max_size(size) allows to control the maximum memory size allowed when creating an Fl_RGB_Image.
git-svn-id: file:///fltk/svn/fltk/branches/branch-1.3@9709 ea41ed52-d2ee-0310-a9c1-e6b18d33e121
---
 src/Fl_BMP_Image.cxx | 6 ++++++
 src/Fl_Image.cxx | 2 ++
 src/Fl_JPEG_Image.cxx | 5 +++++
 src/Fl_PNG_Image.cxx | 3 ++-
 src/Fl_PNM_Image.cxx | 5 +++++
 5 files changed, 20 insertions(+), 1 deletion(-)
(limited to 'src')
diff --git a/src/Fl_BMP_Image.cxx b/src/Fl_BMP_Image.cxx
index f9dd18b38..8542763be 100644
--- a/src/Fl_BMP_Image.cxx
+++ b/src/Fl_BMP_Image.cxx
@@ -27,6 +27,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
@@ -187,6 +188,11 @@ Fl_BMP_Image::Fl_BMP_Image(const char *bmp) // I - File to read
 d(bDepth);
 if (offbits) fseek(fp, offbits, SEEK_SET);
+ if (((size_t)w()) * h() * d() > max_size() ) {
+ Fl::warning("BMP file \"%s\" is too large!\n", bmp);
+ fclose(fp);
+ return;
+ }
 array = new uchar[w() * h() * d()];
 alloc_array = 1;
diff --git a/src/Fl_Image.cxx b/src/Fl_Image.cxx
index 4bf41f888..317fbc30d 100644
--- a/src/Fl_Image.cxx
+++ b/src/Fl_Image.cxx
@@ -163,6 +163,8 @@ Fl_Image::measure(const Fl_Label *lo, // I - Label
 //
 // RGB image class...
 //
+size_t Fl_RGB_Image::max_size_ = ~((size_t)0);
+
 /** The destructor free all memory and server resources that are used by the image. */
 Fl_RGB_Image::~Fl_RGB_Image() {
 uncache();
diff --git a/src/Fl_JPEG_Image.cxx b/src/Fl_JPEG_Image.cxx
index f8e9a6192..ade8df56e 100644
--- a/src/Fl_JPEG_Image.cxx
+++ b/src/Fl_JPEG_Image.cxx
@@ -28,6 +28,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
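Review bot: In the `Fl_BMP_Image.cxx` hunk at `@@ -187`, the guard multiplies in `size_t` but the allocation right after it still evaluates `w() * h() * d()` without the cast, so the two sizes can disagree. The cast in the guard suggests the accessors return a narrower type (presumably `int`), in which case the allocation's product can overflow even when the guard passes, and with the default limit of `~((size_t)0)` the guard never fires on a 64-bit build. Allocating from the same widened value, `array = new uchar[(size_t)w() * h() * d()];`, removes the mismatch. Where `size_t` is 32 bits the guarded product itself can wrap, so a division-based comparison against `max_size()` that also rejects non-positive dimensions would be safer. The same guard-then-allocate pair appears in both `Fl_JPEG_Image` constructors, in `Fl_PNG_Image::load_png_` and in `Fl_PNM_Image`; each enclosing function starts and ends outside its hunk, so earlier range checks on the header fields are not visible here.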
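Review bot: In the `Fl_Image.cxx` hunk, `max_size_` is initialised to `~((size_t)0)`, which leaves every size check added by this commit inactive until the application lowers the limit, and nothing at the definition says so. I would add a comment above it such as `// Default means "no limit": applications that load untrusted images should set Fl_RGB_Image::max_size() to a real bound.` The header that declares `max_size()` is outside this diff (limited to 'src'), so whether the default is documented there cannot be confirmed from this page.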
@@ -126,6 +127,7 @@ Fl_JPEG_Image::Fl_JPEG_Image(const char *filename) // I - File to load
 if (setjmp(jerr.errhand_)) { // JPEG error handling...
+ Fl::warning("JPEG file \"%s\" is too large or contains errors!\n", filename);
 // if any of the cleanup routines hits another error, we would end up
 // in a loop. So instead, we decrement max_err for some upper cleanup limit.
 if ( ((*max_finish_decompress_err)-- > 0) && array)
@@ -166,6 +168,7 @@ Fl_JPEG_Image::Fl_JPEG_Image(const char *filename) // I - File to load
 h(dinfo.output_height);
 d(dinfo.output_components);
+ if (((size_t)w()) * h() * d() > max_size() ) longjmp(jerr.errhand_, 1);
 array = new uchar[w() * h() * d()];
 alloc_array = 1;
@@ -304,6 +307,7 @@ Fl_JPEG_Image::Fl_JPEG_Image(const char *name, const unsigned char *data)
 if (setjmp(jerr.errhand_)) { // JPEG error handling...
+ Fl::warning("JPEG data is too large or contains errors!\n");
 // if any of the cleanup routines hits another error, we would end up
 // in a loop. So instead, we decrement max_err for some upper cleanup limit.
 if ( ((*max_finish_decompress_err)-- > 0) && array)
@@ -342,6 +346,7 @@ Fl_JPEG_Image::Fl_JPEG_Image(const char *name, const unsigned char *data)
 h(dinfo.output_height);
 d(dinfo.output_components);
+ if (((size_t)w()) * h() * d() > max_size() ) longjmp(jerr.errhand_, 1);
 array = new uchar[w() * h() * d()];
 alloc_array = 1;
diff --git a/src/Fl_PNG_Image.cxx b/src/Fl_PNG_Image.cxx
index 5a295c87f..d6261c9ce 100644
--- a/src/Fl_PNG_Image.cxx
+++ b/src/Fl_PNG_Image.cxx
@@ -130,7 +130,7 @@ void Fl_PNG_Image::load_png_(const char *name_png, const unsigned char *buffer_p
 {
 png_destroy_read_struct(&pp, &info, NULL);
 if (!from_memory) fclose(fp);
- Fl::warning("PNG file or data \"%s\" contains errors!\n", name_png);
+ Fl::warning("PNG file or data \"%s\" is too large or contains errors!\n", name_png);
 return;
 }
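Review bot: The `setjmp` handler in both `Fl_JPEG_Image` constructors is now also the exit path for the `max_size()` rejection at `@@ -166` and `@@ -342`, but nothing at the handler says so, and its single message cannot tell a size-policy rejection from a corrupt stream. I would add a comment at the handler, `// Also reached via the explicit longjmp() from the max_size() check, before array is allocated.` Logging the rejected dimensions at the check site would also let oversized inputs be told apart in logs. The PNG handler at `@@ -130` has the same dual role. The constructors begin and end outside these hunks, so the rest of the handler's cleanup is not visible here.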
@@ -178,6 +178,7 @@ void Fl_PNG_Image::load_png_(const char *name_png, const unsigned char *buffer_p
 png_set_tRNS_to_alpha(pp);
 # endif // HAVE_PNG_GET_VALID && HAVE_PNG_SET_TRNS_TO_ALPHA
+ if (((size_t)w()) * h() * d() > max_size() ) longjmp(png_jmpbuf(pp), 1);
 array = new uchar[w() * h() * d()];
 alloc_array = 1;
diff --git a/src/Fl_PNM_Image.cxx b/src/Fl_PNM_Image.cxx
index eb4c8b7ee..bfd97d65d 100644
--- a/src/Fl_PNM_Image.cxx
+++ b/src/Fl_PNM_Image.cxx
@@ -119,6 +119,11 @@ Fl_PNM_Image::Fl_PNM_Image(const char *name) // I - File to read
 // printf("%s = %dx%dx%d\n", name, w(), h(), d());
+ if (((size_t)w()) * h() * d() > max_size() ) {
+ Fl::warning("PNM file \"%s\" is too large!\n", name);
+ fclose(fp);
+ return;
+ }
 array = new uchar[w() * h() * d()];
 alloc_array = 1;
--
cgit v1.2.3
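Review bot: In the `Fl_PNM_Image.cxx` hunk, the new early return closes the file but leaves `w()`, `h()` and `d()` at the values the guard just tested (presumably taken from the file header) while `array` is never allocated. A caller that only inspects the dimensions may therefore treat the rejected image as loaded. Resetting them before returning, `w(0); h(0); d(0);`, makes the failure visible to callers; the early return in the `Fl_BMP_Image.cxx` hunk at `@@ -187` has the same gap. The constructor starts and ends outside the hunk, so it should also be confirmed that `array` is null on this path.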