media-libs/libpng/files/libpng-1.2.49-pnm2png-truncate-get-token.patch - mirrors/cros/chromiumos/overlays/chromiumos-overlay - Git at Google

 Truncate the null-terminated string from get_token to the size
 of the input string.  This involves passing  the input string
 size to get_token(), and prevents it from overwriting past
 the end of that string.

 --- libpng-1.2.49/contrib/pngminus/pnm2png.c.orig	2013-05-07 18:50:45.271320496 -0700
 +++ libpng-1.2.49/contrib/pngminus/pnm2png.c	2013-05-07 18:58:38.881218666 -0700
 @@ -50,7 +50,7 @@
  int  main (int argc, char *argv[]);
  void usage ();
  BOOL pnm2png (FILE *pnm_file, FILE *png_file, FILE *alpha_file, BOOL interlace, BOOL alpha);
 -void get_token(FILE *pnm_file, char *token);
 +void get_token(FILE *pnm_file, char *token, int token_size);
  png_uint_32 get_data (FILE *pnm_file, int depth);
  png_uint_32 get_value (FILE *pnm_file, int depth);

 @@ -212,7 +212,7 @@

    /* read header of PNM file */

 -  get_token(pnm_file, type_token);
 +  get_token(pnm_file, type_token, sizeof(type_token));
    if (type_token[0] != 'P')
    {
      return FALSE;
 @@ -221,9 +221,9 @@
    {
      raw = (type_token[1] == '4');
      color_type = PNG_COLOR_TYPE_GRAY;
 -    get_token(pnm_file, width_token);
 +    get_token(pnm_file, width_token, sizeof(width_token));
      sscanf (width_token, "%lu", &width);
 -    get_token(pnm_file, height_token);
 +    get_token(pnm_file, height_token, sizeof(height_token));
      sscanf (height_token, "%lu", &height);
      bit_depth = 1;
      packed_bitmap = TRUE;
 @@ -232,11 +232,11 @@
    {
      raw = (type_token[1] == '5');
      color_type = PNG_COLOR_TYPE_GRAY;
 -    get_token(pnm_file, width_token);
 +    get_token(pnm_file, width_token, sizeof(width_token));
      sscanf (width_token, "%lu", &width);
 -    get_token(pnm_file, height_token);
 +    get_token(pnm_file, height_token, sizeof(height_token));
      sscanf (height_token, "%lu", &height);
 -    get_token(pnm_file, maxval_token);
 +    get_token(pnm_file, maxval_token, sizeof(maxval_token));
      sscanf (maxval_token, "%lu", &maxval);
      if (maxval <= 1)
        bit_depth = 1;
 @@ -253,11 +253,11 @@
    {
      raw = (type_token[1] == '6');
      color_type = PNG_COLOR_TYPE_RGB;
 -    get_token(pnm_file, width_token);
 +    get_token(pnm_file, width_token, sizeof(width_token));
      sscanf (width_token, "%lu", &width);
 -    get_token(pnm_file, height_token);
 +    get_token(pnm_file, height_token, sizeof(height_token));
      sscanf (height_token, "%lu", &height);
 -    get_token(pnm_file, maxval_token);
 +    get_token(pnm_file, maxval_token, sizeof(maxval_token));
      sscanf (maxval_token, "%lu", &maxval);
      if (maxval <= 1)
        bit_depth = 1;
 @@ -284,7 +284,7 @@
      if (color_type == PNG_COLOR_TYPE_RGB)
        color_type = PNG_COLOR_TYPE_RGB_ALPHA;

 -    get_token(alpha_file, type_token);
 +    get_token(alpha_file, type_token, sizeof(type_token));
      if (type_token[0] != 'P')
      {
        return FALSE;
 @@ -292,15 +292,15 @@
      else if ((type_token[1] == '2') || (type_token[1] == '5'))
      {
        alpha_raw = (type_token[1] == '5');
 -      get_token(alpha_file, width_token);
 +      get_token(alpha_file, width_token, sizeof(width_token));
        sscanf (width_token, "%lu", &alpha_width);
        if (alpha_width != width)
          return FALSE;
 -      get_token(alpha_file, height_token);
 +      get_token(alpha_file, height_token, sizeof(height_token));
        sscanf (height_token, "%lu", &alpha_height);
        if (alpha_height != height)
          return FALSE;
 -      get_token(alpha_file, maxval_token);
 +      get_token(alpha_file, maxval_token, sizeof(maxval_token));
        sscanf (maxval_token, "%lu", &maxval);
        if (maxval <= 1)
          alpha_depth = 1;
 @@ -464,7 +464,7 @@
   * get_token() - gets the first string after whitespace
   */

 -void get_token(FILE *pnm_file, char *token)
 +void get_token(FILE *pnm_file, char *token, int token_size)
  {
    int i = 0;
    int ret;
 @@ -491,7 +491,7 @@
    {
      ret = fgetc(pnm_file);
      if (ret == EOF) break;
 -    i++;
 +    if (i < token_size - 1) i++;
      token[i] = (unsigned char) ret;
    }
    while ((token[i] != '\n') && (token[i] != '\r') && (token[i] != ' '));
 @@ -551,7 +551,7 @@
      for (i = 0; i < depth; i++)
        mask = (mask << 1) | 0x01;

 -  get_token (pnm_file, (char *) token);
 +  get_token (pnm_file, (char *) token, sizeof(token));
    sscanf ((const char *) token, "%lu", &ret_value);

    ret_value &= mask;
	Truncate the null-terminated string from get_token to the size
	of the input string. This involves passing the input string
	size to get_token(), and prevents it from overwriting past
	the end of that string.

	--- libpng-1.2.49/contrib/pngminus/pnm2png.c.orig 2013-05-07 18:50:45.271320496 -0700
	+++ libpng-1.2.49/contrib/pngminus/pnm2png.c 2013-05-07 18:58:38.881218666 -0700
	@@ -50,7 +50,7 @@
	int main (int argc, char *argv[]);
	void usage ();
	BOOL pnm2png (FILE pnm_file, FILE png_file, FILE *alpha_file, BOOL interlace, BOOL alpha);
	-void get_token(FILE pnm_file, char token);
	+void get_token(FILE pnm_file, char token, int token_size);
	png_uint_32 get_data (FILE *pnm_file, int depth);
	png_uint_32 get_value (FILE *pnm_file, int depth);

	@@ -212,7 +212,7 @@

	/* read header of PNM file */

	- get_token(pnm_file, type_token);
	+ get_token(pnm_file, type_token, sizeof(type_token));
	if (type_token[0] != 'P')
	{
	return FALSE;
	@@ -221,9 +221,9 @@
	{
	raw = (type_token[1] == '4');
	color_type = PNG_COLOR_TYPE_GRAY;
	- get_token(pnm_file, width_token);
	+ get_token(pnm_file, width_token, sizeof(width_token));
	sscanf (width_token, "%lu", &width);
	- get_token(pnm_file, height_token);
	+ get_token(pnm_file, height_token, sizeof(height_token));
	sscanf (height_token, "%lu", &height);
	bit_depth = 1;
	packed_bitmap = TRUE;
	@@ -232,11 +232,11 @@
	{
	raw = (type_token[1] == '5');
	color_type = PNG_COLOR_TYPE_GRAY;
	- get_token(pnm_file, width_token);
	+ get_token(pnm_file, width_token, sizeof(width_token));
	sscanf (width_token, "%lu", &width);
	- get_token(pnm_file, height_token);
	+ get_token(pnm_file, height_token, sizeof(height_token));
	sscanf (height_token, "%lu", &height);
	- get_token(pnm_file, maxval_token);
	+ get_token(pnm_file, maxval_token, sizeof(maxval_token));
	sscanf (maxval_token, "%lu", &maxval);
	if (maxval <= 1)
	bit_depth = 1;
	@@ -253,11 +253,11 @@
	{
	raw = (type_token[1] == '6');
	color_type = PNG_COLOR_TYPE_RGB;
	- get_token(pnm_file, width_token);
	+ get_token(pnm_file, width_token, sizeof(width_token));
	sscanf (width_token, "%lu", &width);
	- get_token(pnm_file, height_token);
	+ get_token(pnm_file, height_token, sizeof(height_token));
	sscanf (height_token, "%lu", &height);
	- get_token(pnm_file, maxval_token);
	+ get_token(pnm_file, maxval_token, sizeof(maxval_token));
	sscanf (maxval_token, "%lu", &maxval);
	if (maxval <= 1)
	bit_depth = 1;
	@@ -284,7 +284,7 @@
	if (color_type == PNG_COLOR_TYPE_RGB)
	color_type = PNG_COLOR_TYPE_RGB_ALPHA;

	- get_token(alpha_file, type_token);
	+ get_token(alpha_file, type_token, sizeof(type_token));
	if (type_token[0] != 'P')
	{
	return FALSE;
	@@ -292,15 +292,15 @@
	else if ((type_token[1] == '2') \|\| (type_token[1] == '5'))
	{
	alpha_raw = (type_token[1] == '5');
	- get_token(alpha_file, width_token);
	+ get_token(alpha_file, width_token, sizeof(width_token));
	sscanf (width_token, "%lu", &alpha_width);
	if (alpha_width != width)
	return FALSE;
	- get_token(alpha_file, height_token);
	+ get_token(alpha_file, height_token, sizeof(height_token));
	sscanf (height_token, "%lu", &alpha_height);
	if (alpha_height != height)
	return FALSE;
	- get_token(alpha_file, maxval_token);
	+ get_token(alpha_file, maxval_token, sizeof(maxval_token));
	sscanf (maxval_token, "%lu", &maxval);
	if (maxval <= 1)
	alpha_depth = 1;
	@@ -464,7 +464,7 @@
	* get_token() - gets the first string after whitespace
	*/

	-void get_token(FILE pnm_file, char token)
	+void get_token(FILE pnm_file, char token, int token_size)
	{
	int i = 0;
	int ret;
	@@ -491,7 +491,7 @@
	{
	ret = fgetc(pnm_file);
	if (ret == EOF) break;
	- i++;
	+ if (i < token_size - 1) i++;
	token[i] = (unsigned char) ret;
	}
	while ((token[i] != '\n') && (token[i] != '\r') && (token[i] != ' '));
	@@ -551,7 +551,7 @@
	for (i = 0; i < depth; i++)
	mask = (mask << 1) \| 0x01;

	- get_token (pnm_file, (char *) token);
	+ get_token (pnm_file, (char *) token, sizeof(token));
	sscanf ((const char *) token, "%lu", &ret_value);

	ret_value &= mask;