From: Stefan Kangas
Date: Mon, 22 Jul 2024 16:23:01 +0000 (+0200)
Subject: Fix integer overflow when reading XPM
X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=a599d64722a93fa27bad550a8ebf558bfd0cdfc7;p=emacs.git
Fix integer overflow when reading XPM
* src/image.c (xpm_str_to_int): New function. (xpm_load_image): Replace sscanf with strtol, to correctly handle integer overflow when reading a malformed XPM file. (Bug#72245)
(cherry picked from commit 73277a4097bb6c0d7c9ec1042f053584b28af1dd)
---
diff --git a/src/image.c b/src/image.c
index 48694a13341..41eeebff36e 100644
--- a/src/image.c
+++ b/src/image.c
@@ -19,6 +19,7 @@ along with GNU Emacs. If not, see . */
 #include
+#include
 #include
 #include
 #include
@@ -6244,6 +6245,26 @@ xpm_str_to_color_key (const char *s)
 return -1;
 }
+static int
+xpm_str_to_int (char **buf)
+{
+ char *p;
+
+ errno = 0;
+ long result = strtol (*buf, &p, 10);
+ if (errno || p == *buf || result < INT_MIN || result > INT_MAX)
+ return -1;
+
+ /* Error out if we see something like "12x3xyz". */
+ if (!c_isspace (*p) && *p != '\0')
+ return -1;
+
+ /* Update position to read next integer. */
+ *buf = p;
+
+ return result;
+}
+
 static bool
 xpm_load_image (struct frame *f,
 struct image *img,
@@ -6301,10 +6322,14 @@ xpm_load_image (struct frame *f,
 goto failure;
 memcpy (buffer, beg, len);
 buffer[len] = '\0';
- if (sscanf (buffer, "%d %d %d %d", &width, &height,
- &num_colors, &chars_per_pixel) != 4
- || width <= 0 || height <= 0
- || num_colors <= 0 || chars_per_pixel <= 0)
+ char *next_int = buffer;
+ if ((width = xpm_str_to_int (&next_int)) <= 0)
+ goto failure;
+ if ((height = xpm_str_to_int (&next_int)) <= 0)
+ goto failure;
+ if ((num_colors = xpm_str_to_int (&next_int)) <= 0)
+ goto failure;
+ if ((chars_per_pixel = xpm_str_to_int (&next_int)) <= 0)
 goto failure;
 if (!check_image_size (f, width, height))
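Review bot: The new xpm_str_to_int has no header comment, and its contract is not obvious from the signature. It returns -1 for a parse or range failure and also for an input that really is "-1", and it advances *buf only on success. The callers added in this patch test only `<= 0`, so the ambiguity is harmless here, but a later caller that accepts negative values would mistake errors for data. I would add above the function something like `/* Parse a decimal int at *BUF and advance *BUF past it. Return -1 on overflow, missing digits or trailing junk, so callers must treat any negative result as failure. */`.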
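Review bot: In xpm_load_image, num_colors and chars_per_pixel are accepted anywhere in 1..INT_MAX after the four xpm_str_to_int reads, and only width and height are visibly passed to `check_image_size`. Parsing is now well defined for a malformed header, but any later arithmetic, allocation or loop sized from those two values lies outside this hunk, so whether they are bounded before use cannot be confirmed from here. I would record the state after the reads with a comment such as `/* All four values are in 1..INT_MAX; only width and height are size-checked below. */`, and add an explicit upper bound if nothing further down provides one. The function body starts before and continues after the hunk.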