From bb321cfff3b1ab969c4cf1b692473c78672fa4ad Mon Sep 17 00:00:00 2001
From: Jason Summers
Date: Wed, 12 Apr 2017 09:42:55 -0400
Subject: [PATCH] Fixed a PAM decoding bug (buffer overrun)

Fixes issue #13
---
 src/imagew-pnm.c | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/src/imagew-pnm.c b/src/imagew-pnm.c
index 3c04b00..b05dc0a 100644
--- a/src/imagew-pnm.c
+++ b/src/imagew-pnm.c
@@ -264,7 +264,8 @@ static int iwpnm_read_pnm_header(struct iwpnmrcontext *rctx)
 // Read a token from a NUL-terminated string.
 static int read_next_pam_token(struct iwpnmrcontext *rctx,
- const char *linebuf, char *tokenbuf, int tokenbuflen, int *curpos)
+ const char *linebuf, int linebuflen,
+ char *tokenbuf, int tokenbuflen, int *curpos)
 {
 iw_byte b;
 int token_len = 0;
@@ -279,6 +280,9 @@ static int read_next_pam_token(struct iwpnmrcontext *rctx,
 return 0;
 }
+ if(linepos>=linebuflen) {
+ return 0;
+ }
 b = linebuf[linepos++];
 if(b==0) break; // End of line
@@ -346,7 +350,11 @@ static int iwpnm_read_pam_header(struct iwpnmrcontext *rctx)
 // Read first token in that header line
 curpos = 0;
- if(!read_next_pam_token(rctx, linebuf, tokenbuf, sizeof(tokenbuf), &curpos)) goto done;
+ if(!read_next_pam_token(rctx, linebuf, (int)sizeof(linebuf),
+ tokenbuf, (int)sizeof(tokenbuf), &curpos))
+ {
+ goto done;
+ }
 if(!strcmp(tokenbuf,"ENDHDR")) {
 break;
@@ -358,7 +366,11 @@ static int iwpnm_read_pam_header(struct iwpnmrcontext *rctx)
 }
 // Read second token
- if(!read_next_pam_token(rctx, linebuf, token2buf, sizeof(token2buf), &curpos)) goto done;
+ if(!read_next_pam_token(rctx, linebuf, (int)sizeof(linebuf),
+ token2buf, (int)sizeof(token2buf), &curpos))
+ {
+ goto done;
+ }
 if(!strcmp(tokenbuf,"WIDTH")) {
 rctx->img->width = atoi(token2buf);
 }
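Review bot: The comment above read_next_pam_token still reads `// Read a token from a NUL-terminated string.` although the signature now takes `linebuflen`, and nothing says whether that is the string length or the buffer capacity (the callers pass `sizeof(linebuf)`). I would extend it to `// Read a token from linebuf, a NUL-terminated string held in a buffer of linebuflen bytes; returns 0 if no token could be read.` The function body continues outside this hunk, so the return convention should be confirmed against it; the callers' `if(!read_next_pam_token(...)) goto done` suggests 0 means failure.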
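Review bot: The new `if(linepos>=linebuflen)` guard in read_next_pam_token bounds the read by the buffer's capacity, not by the end of the string, so it stops the out-of-bounds read but not a read of stale bytes inside the buffer. `b = linebuf[linepos++]` advances past the terminator before `if(b==0) break;`, so if `*curpos` is written back from `linepos` (that part of the function is outside the hunk), a second call on the same line starts after the NUL and may tokenize whatever an earlier, longer header line left behind. Testing before advancing, `b = linebuf[linepos]; if(b==0) break; linepos++;`, would leave the position on the terminator so a repeated call sees end-of-line again instead of leftover data. A regression test with a PAM header line that has a keyword but no value would pin this down.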
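Review bot: `(int)sizeof(linebuf)` in the first-token call of iwpnm_read_pam_header is the buffer capacity only while `linebuf` is declared as an array in this function; the declaration is outside the hunk, and a later change to a pointer or heap buffer would silently pass the pointer size instead. The second-token call in the following hunk has the same pattern. A short comment at the declaration, for example `// read_next_pam_token() is bounded by sizeof(linebuf); keep this an array`, or a named size constant shared by the declaration and both calls, would make that dependency explicit.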
@@ -443,7 +455,10 @@ IW_IMPL(int) iw_read_pnm_file(struct iw_context *ctx, struct iw_iodescr *iodescr
 rctx->img = img;
 rctx->iodescr = iodescr;
- if(!iwpnm_read_header(rctx)) goto done;
+ if(!iwpnm_read_header(rctx)) {
+ iw_set_error(ctx, "Error parsing header");
+ goto done;
+ }
 if(!iw_check_image_dimensions(rctx->ctx,rctx->img->width,rctx->img->height)) goto done;
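Review bot: The added `iw_set_error(ctx, "Error parsing header")` in iw_read_pnm_file reports every header failure with the same text, so a truncated file, an over-long token and the new out-of-range stop in read_next_pam_token are indistinguishable to the caller. If iw_set_error replaces an already recorded message (its definition is not visible here), a more specific error set further down would also be lost; that is worth confirming. The call uses `ctx` while the next line uses `rctx->ctx`; these are presumably the same context, and using one spelling throughout would make that obvious. The function continues outside this hunk.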