diff options
author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2018-06-25 09:02:24 +0200 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2018-08-25 13:49:31 -0700 |
commit | f04b349f8dce94c7efaee48049829e6a17a3a60a (patch) | |
tree | 29b9f645cd4c5732efb656bae1f763556251b4ad /xcursorgen.c | |
parent | f66844351bbf5ca5c1697b2092941d4db65a9e87 (diff) |
Fix null pointer dereference on very large images.
If xcursorgen encounters a PNG file which is larger than 32767 pixels
in width or height, a null pointer dereference occurs because the
return value of XcursorImageCreate is not checked.
The largest possible value is 32767 for libXcursor, which is a hard
coded limit due to a 16 bit integer used (0x7FFF).
Fixes: https://gitlab.freedesktop.org/xorg/app/xcursorgen/issues/1
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'xcursorgen.c')
-rw-r--r-- | xcursorgen.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/xcursorgen.c b/xcursorgen.c index f292f19..d664799 100644 --- a/xcursorgen.c +++ b/xcursorgen.c @@ -262,6 +262,12 @@ load_image (struct flist *list, const char *prefix) png_read_update_info (png, info); image = XcursorImageCreate (width, height); + if (image == NULL) + { + fclose (fp); + png_destroy_read_struct (&png, &info, NULL); + return NULL; + } image->size = list->size; image->xhot = list->xhot; |