Fix null pointer dereference on very large images.

If xcursorgen encounters a PNG file which is larger than 32767 pixels in width or height, a null pointer dereference occurs because the return value of XcursorImageCreate is not checked. The largest possible value is 32767 for libXcursor, which is a hard coded limit due to a 16 bit integer used (0x7FFF). Fixes: https://gitlab.freedesktop.org/xorg/app/xcursorgen/issues/1 Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
author: Tobias Stoeckmann <tobias@stoeckmann.org> 2018-06-25 09:02:24 +0200
committer: Alan Coopersmith <alan.coopersmith@oracle.com> 2018-08-25 13:49:31 -0700
commit: f04b349f8dce94c7efaee48049829e6a17a3a60a (patch)
tree: 29b9f645cd4c5732efb656bae1f763556251b4ad /xcursorgen.c
parent: f66844351bbf5ca5c1697b2092941d4db65a9e87 (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/xcursorgen.c b/xcursorgen.c
index f292f19..d664799 100644
--- a/xcursorgen.c
+++ b/xcursorgen.c
@@ -262,6 +262,12 @@ load_image (struct flist *list, const char *prefix)
   png_read_update_info (png, info);
 
   image = XcursorImageCreate (width, height);
+  if (image == NULL)
+    {
+      fclose (fp);
+      png_destroy_read_struct (&png, &info, NULL);
+      return NULL;
+    }
 
   image->size = list->size;
   image->xhot = list->xhot;
author	Tobias Stoeckmann <tobias@stoeckmann.org>	2018-06-25 09:02:24 +0200
committer	Alan Coopersmith <alan.coopersmith@oracle.com>	2018-08-25 13:49:31 -0700
commit	f04b349f8dce94c7efaee48049829e6a17a3a60a (patch)
tree	29b9f645cd4c5732efb656bae1f763556251b4ad /xcursorgen.c
parent	f66844351bbf5ca5c1697b2092941d4db65a9e87 (diff)