This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project gfxprim.git.
The branch, master has been updated via e9d8edec450a97a0b8741273bb5d5e90fb94c821 (commit) via ffbfb62987085873f5996218fdf3fbb7ae0390e4 (commit) from 01cb569b20ec2962ccb1f4b845d2f396ad8b08df (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- http://repo.or.cz/gfxprim.git/commit/e9d8edec450a97a0b8741273bb5d5e90fb94c82...
commit e9d8edec450a97a0b8741273bb5d5e90fb94c821 Author: Cyril Hrubis metan@ucw.cz Date: Wed Dec 9 14:47:15 2015 +0100
loaders: JPG: Fix read callback
Apparently when I/O read callback returns buffer of size 0 the libjpeg segfaults. So we now return FALSE from the callback even when read returns 0, which means end of the file when the underlying I/O is file based.
Special thanks to the american fuzzy lop (afl).
Signed-off-by: Cyril Hrubis metan@ucw.cz
diff --git a/libs/loaders/GP_JPG.c b/libs/loaders/GP_JPG.c index 4921f24..9ac4630 100644 --- a/libs/loaders/GP_JPG.c +++ b/libs/loaders/GP_JPG.c @@ -156,8 +156,8 @@ static boolean fill_input_buffer(struct jpeg_decompress_struct *cinfo)
ret = GP_IORead(src->io, src->buffer, src->size);
- if (ret < 0) { - GP_WARN("Failed to fill buffer"); + if (ret <= 0) { + GP_WARN("Failed to fill buffer, IORead returned %i", ret); return FALSE; }
http://repo.or.cz/gfxprim.git/commit/ffbfb62987085873f5996218fdf3fbb7ae0390e...
commit ffbfb62987085873f5996218fdf3fbb7ae0390e4 Author: Cyril Hrubis metan@ucw.cz Date: Wed Dec 9 14:11:17 2015 +0100
loaders: PCX: Make sure w < bytes_per_line * 8 / bpp
Fixes crash on inconsistent header where w > bytes_per_line * 8 / bpp.
Special thanks to the american fuzzy lop (afl).
Signed-off-by: Cyril Hrubis metan@ucw.cz
diff --git a/libs/loaders/GP_PCX.c b/libs/loaders/GP_PCX.c index 20c6b20..2304bbd 100644 --- a/libs/loaders/GP_PCX.c +++ b/libs/loaders/GP_PCX.c @@ -292,7 +292,7 @@ static int read_16_palette(GP_IO *io, struct pcx_header *header, unsigned int i; uint8_t b[header->bytes_per_line]; GP_Pixel palette[16]; - uint8_t idx=0, mask, mod; + uint8_t idx = 0, mask, mod;
for (i = 0; i < 16; i++) { palette[i] = (GP_Pixel)header->palette[3*i] << 16; @@ -543,6 +543,14 @@ int GP_ReadPCXEx(GP_IO *io, GP_Context **img, GP_DataStorage *storage, w = header.xe - header.xs + 1; h = header.ye - header.ys + 1;
+ uint32_t max_w = ((uint32_t)header.bytes_per_line * 8) / header.bpp; + + if (w > max_w) { + GP_WARN("Truncating image width (%u) to " + "bytes_per_line * 8 / bpp (%"PRIu32")", w, max_w); + w = max_w; + } + res = GP_ContextAlloc(w, h, pixel_type);
if (!res) {
-----------------------------------------------------------------------
Summary of changes: libs/loaders/GP_JPG.c | 4 ++-- libs/loaders/GP_PCX.c | 10 +++++++++- 2 files changed, 11 insertions(+), 3 deletions(-)
repo.or.cz automatic notification. Contact project admin jiri.bluebear.dluhos@gmail.com if you want to unsubscribe, or site admin admin@repo.or.cz if you receive no reply.