|
1 Security fix, which we should be able to drop once it's packaged in a tarball |
|
2 |
|
3 From 9ad72875e9f08e4c519ef63d44cdbd94aa9504f7 Mon Sep 17 00:00:00 2001 |
|
4 From: Ignacio Casal Quinteiro <[email protected]> |
|
5 Date: Sun, 16 Apr 2017 13:56:09 +0200 |
|
6 Subject: tknzr: support only max long rgb values |
|
7 |
|
8 This fixes a possible out of bound when reading rgbs which |
|
9 are longer than the support MAXLONG |
|
10 --- |
|
11 src/cr-tknzr.c | 10 ++++++++++ |
|
12 1 file changed, 10 insertions(+) |
|
13 |
|
14 diff --git a/src/cr-tknzr.c b/src/cr-tknzr.c |
|
15 index 1a7cfeb..1548c35 100644 |
|
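--- a/src/cr-tknzr.c
+++ b/src/cr-tknzr.c
@@ -1279,6 +1279,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb)
 status = cr_tknzr_parse_num (a_this, &num);
 ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL));
 
+ if (num->val > G_MAXLONG) {
+ status = CR_PARSING_ERROR;
+ goto error;
+ }
+
 red = num->val;
 cr_num_destroy (num);
 num = NULL;
@@ -1298,6 +1303,11 @@ cr_tknzr_parse_rgb (CRTknzr * a_this, CRRgb ** a_rgb)
 status = cr_tknzr_parse_num (a_this, &num);
 ENSURE_PARSING_COND ((status == CR_OK) && (num != NULL));
 
+ if (num->val > G_MAXLONG) {
+ status = CR_PARSING_ERROR;
+ goto error;
+ }
+
 PEEK_BYTE (a_this, 1, &next_bytes[0]);
 if (next_bytes[0] == '%') {
 SKIP_CHARS (a_this, 1);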
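Review bot: The guard `if (num->val > G_MAXLONG)` added in both hunks is one-sided and, if `num->val` is a floating-point field (its declaration is outside the hunks), not tight at the upper edge either: where `long` is 64 bits the constant rounds up on conversion to double, so a value equal to that rounded bound passes, as do NaN and anything below `G_MINLONG`, and the later `red = num->val` assignment (presumably into an integer) is still out of range. A negated range test such as `if (!(num->val >= G_MINLONG && num->val < G_MAXLONG)) {` rejects all three cases in one comparison. The new `goto error` is also taken before `cr_num_destroy (num)` runs, so it is worth confirming that the `error:` label, which lies outside these hunks along with the rest of `cr_tknzr_parse_rgb`, frees `num`. A short comment above each check, e.g. `/* reject values that cannot be stored in a long */`, would record why the bound exists.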
|
42 -- |