From 60ee69979f224c99f7e7c333bb128c01aa4a11d1 Mon Sep 17 00:00:00 2001
From: kojima
Date: Thu, 7 Nov 2002 17:18:41 +0000
Subject: [PATCH] fixed buffer overrun bug in wrlib when creating or loading images

---
 ChangeLog | 3 ++-
 wrlib/raster.c | 7 +++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 0d6ddfdd..abc40a86 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -20,7 +20,7 @@ Changes since version 0.80.1:
 transparency. Details in WINGs/ChangeLog.
 - Fixed problem with long, preset workspace names (Wanderlei Antonio Cavassin )
-- Added kinput2 bug workaround in stock WMWindowAttributes (Seiichi SATO
+- Added kinput2 bug workaround to stock WMWindowAttributes (Seiichi SATO
 )
 - Added Belarusian translation (Ihar Viarheichyk )
 - Fixed wrlib not to load braindead images with 0 sized width or height
@@ -28,6 +28,7 @@ Changes since version 0.80.1:
 with Shift key while moving windows.
 - Changed the default position display while moving a window to 'Center'.
 - Better outline when drawing balloons.
+- Fixed wrlib to not accept too large images (fixes buffer overflow)
 Changes since version 0.80.0:
diff --git a/wrlib/raster.c b/wrlib/raster.c
index 590d8ce8..bb885c80 100644
--- a/wrlib/raster.c
+++ b/wrlib/raster.c
@@ -24,6 +24,7 @@
 #include
 #include
 #include
+#include
 #include
 #include "wraster.h"
@@ -44,6 +45,12 @@ RCreateImage(unsigned width, unsigned height, int alpha)
 RImage *image=NULL;
 assert(width>0 && height>0);
+
+ /* check for too large images (cap on INT_MAX just to be sure :P) */
+ if (width > (INT_MAX/4)/height+4) {
+ RErrorCode = RERR_NOMEMORY;
+ return NULL;
+ }
 image = malloc(sizeof(RImage));
 if (!image) {
-- 
2.11.4.GIT
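Review bot: The new bound in RCreateImage, `width > (INT_MAX/4)/height+4`, adds 4 to the quotient instead of reserving 4 bytes, so it accepts up to four more columns than fit. With height at INT_MAX/4 or above, the right-hand side is 4 or 5, and width*height*4 for such a tall, narrow image no longer fits in 32 bits. If the intent is to keep width*height*4 plus a few slack bytes under INT_MAX (the allocation is outside this hunk, so this is inferred), the guard should read `if (width > ((INT_MAX - 4) / 4) / height) {`. The division also depends on height being non-zero, which only the `assert` above guarantees and which is compiled out under NDEBUG, so an explicit `height == 0` rejection belongs in the same test. The function body continues past the end of the hunk.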