diff options
Diffstat (limited to 'gfx/cairo/cairo/src/cairo-image-info.c')
| -rw-r--r-- | gfx/cairo/cairo/src/cairo-image-info.c | 32 |
1 files changed, 22 insertions, 10 deletions
diff --git a/gfx/cairo/cairo/src/cairo-image-info.c b/gfx/cairo/cairo/src/cairo-image-info.c index d147e37239..9693e487f6 100644 --- a/gfx/cairo/cairo/src/cairo-image-info.c +++ b/gfx/cairo/cairo/src/cairo-image-info.c @@ -90,7 +90,7 @@ _jpeg_extract_info (cairo_image_info_t *info, const unsigned char *p) cairo_int_status_t _cairo_image_info_get_jpeg_info (cairo_image_info_t *info, const unsigned char *data, - long length) + unsigned long length) { const unsigned char *p = data; @@ -162,9 +162,15 @@ static const unsigned char _jpx_signature[] = { }; static const unsigned char * -_jpx_next_box (const unsigned char *p) +_jpx_next_box (const unsigned char *p, const unsigned char *end) { - return p + get_unaligned_be32 (p); + if (p + 4 < end) { + uint32_t length = get_unaligned_be32 (p); + if (p + length < end) + return p + length; + } + + return end; } static const unsigned char * @@ -193,19 +199,25 @@ _jpx_find_box (const unsigned char *p, const unsigned char *end, uint32_t type) while (p < end) { if (_jpx_match_box (p, end, type)) return p; - p = _jpx_next_box (p); + p = _jpx_next_box (p, end); } return NULL; } -static void -_jpx_extract_info (const unsigned char *p, cairo_image_info_t *info) +static cairo_int_status_t +_jpx_extract_info (const unsigned char *p, cairo_image_info_t *info, const unsigned char *end) { + if (p + 11 >= end) { + return CAIRO_INT_STATUS_UNSUPPORTED; + } + info->height = get_unaligned_be32 (p); info->width = get_unaligned_be32 (p + 4); info->num_components = (p[8] << 8) + p[9]; info->bits_per_component = p[10]; + + return CAIRO_STATUS_SUCCESS; } cairo_int_status_t @@ -227,7 +239,7 @@ _cairo_image_info_get_jpx_info (cairo_image_info_t *info, if (! _jpx_match_box (p, end, JPX_FILETYPE)) return CAIRO_INT_STATUS_UNSUPPORTED; - p = _jpx_next_box (p); + p = _jpx_next_box (p, end); /* Locate the JP2 header box. */ p = _jpx_find_box (p, end, JPX_JP2_HEADER); @@ -242,9 +254,7 @@ _cairo_image_info_get_jpx_info (cairo_image_info_t *info, /* Get the image info */ p = _jpx_get_box_contents (p); - _jpx_extract_info (p, info); - - return CAIRO_STATUS_SUCCESS; + return _jpx_extract_info (p, info, end); } /* PNG (image/png) @@ -348,6 +358,8 @@ _jbig2_get_next_segment (const unsigned char *p, num_segs = p[0] >> 5; if (num_segs == 7) { + if (p + 4 >= end) + return NULL; num_segs = get_unaligned_be32 (p) & 0x1fffffff; ref_seg_bytes = 4 + ((num_segs + 1)/8); } else { |