Sanity checks in load_info_about_label_surface()

Avoid crashes when coming across unexpected Label data stored within a saved PNG image. (h/t Donny Sianipar for the report & sample image)
2022-04-02 17:29:22 -07:00 · 2022-04-02 17:29:22 -07:00 · 347a9b5cc8
commit 347a9b5cc8
parent b8429734de
2 changed files with 184 additions and 150 deletions
--- a/docs/CHANGES.txt
+++ b/docs/CHANGES.txt
@ -7,7 +7,7 @@ Various contributors (see below, and AUTHORS.txt)
 http://www.tuxpaint.org/


-2022.March.30 (0.9.28)
+2022.April.2 (0.9.28)
  * Improvements to "Paint" and "Lines" tools:
    ------------------------------------------
    * Brush spacing may now be altered within Tux Paint.
@ -188,6 +188,11 @@ http://www.tuxpaint.org/
      saved drawing. (Affected Windows only.)
      Bill Kendrick <bill@newbreedsoftware.com>

+    * Avoid crashes when coming across unexpected Label data stored within
+      a saved PNG image.
+      (h/t Donny Sianipar for the report & sample image)
+      Bill Kendrick <bill@newbreedsoftware.com>
+
  * Ports & Building:
    -----------------
    * Windows
--- a/src/tuxpaint.c
+++ b/src/tuxpaint.c
@ -22,7 +22,7 @@
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  (See COPYING.txt)

-  June 14, 2002 - March 17, 2022
+  June 14, 2002 - April 2, 2022
 */

 #include "platform.h"
@ -24168,12 +24168,12 @@ static void load_info_about_label_surface(FILE * lfi)
  int tmp_fscanf_return;
  char *tmp_fgets_return;
  Uint8 a;
+  wchar_t *wtmpstr;
+  size_t nwchar;
 #ifdef WIN32
  char *tmpstr;
-  wchar_t *wtmpstr;
 #endif

-
  /* Clear label surface */

  SDL_FillRect(label, NULL, SDL_MapRGBA(label->format, 0, 0, 0, 0));
@ -24194,6 +24194,13 @@ static void load_info_about_label_surface(FILE * lfi)
  /* Read count of label nodes: */
  tmp_fscanf_return = fscanf(lfi, "%d\n", &list_ctr);

+  if (list_ctr <= 0)
+    {
+      fprintf(stderr, "Unexpected! Count of label notes is <= 0 (%d)!\n", list_ctr);
+      fclose(lfi);
+      return;
+    }
+
  /* Read saved canvas width/height, so we can scale to the current canvas
     (in case it changed due to window size / fullscreen resolution changes,
     larger UI button size, etc. */
@ -24201,6 +24208,13 @@ static void load_info_about_label_surface(FILE * lfi)
  tmp_fscanf_return = fscanf(lfi, "%d\n\n", &tmp_scale_h);
  (void)tmp_fscanf_return;

+  if (tmp_scale_w <= 0 || tmp_scale_h <= 0)
+    {
+      fprintf(stderr, "Unexpected! Saved canvas dimensions %d x %d!\n", tmp_scale_w, tmp_scale_h);
+      fclose(lfi);
+      return;
+    }
+
  /* Calculate canvas aspect ratios & such */
  old_width = tmp_scale_w;
  old_height = tmp_scale_h;
@ -24214,15 +24228,16 @@ static void load_info_about_label_surface(FILE * lfi)
    new_to_old_ratio = (float)new_height / old_height;


-  /* Read the labels' text: */
-
-  size_t nwchar;
+  wtmpstr = malloc(1024);

 #ifdef WIN32
  tmpstr = malloc(1024);
-  wtmpstr = malloc(1024);
 #endif

+
+
+  /* Read the labels' text: */
+
  for (k = 0; k < list_ctr; k++)
    {
      new_node = malloc(sizeof(struct label_node));
@ -24233,6 +24248,19 @@ static void load_info_about_label_surface(FILE * lfi)
      printf("Reading %d wide chars\n", new_node->save_texttool_len); fflush(stdout);
 #endif

+      if (new_node->save_texttool_len >= 1024)
+        {
+          fprintf(stderr, "Unexpected! Saved text length is >= 1024 (%u!)\n", new_node->save_texttool_len);
+          free(new_node);
+          free(wtmpstr);
+#ifdef WIN32
+          free(tmpstr);
+#endif
+          fclose(lfi);
+          return;
+        }
+      else
+        {
 #ifdef WIN32
          /* Using fancy "%[]" operator to scan until the end of a line */
          tmp_fscanf_return = fscanf(lfi, "%[^\n]\n", tmpstr);
@ -24254,12 +24282,12 @@ static void load_info_about_label_surface(FILE * lfi)
          nwchar = wcslen(new_node->save_texttool_str);
          if (nwchar < new_node->save_texttool_len)
            {
-          wchar_t *wtmpstr;
              size_t diff, i;

-          wtmpstr = malloc(1024);
              diff = new_node->save_texttool_len - nwchar;

+printf("diff = %d\n", diff); fflush(stdout);
+
              for (i = 0; i < diff; i++)
                wtmpstr[i] = L' ';

@ -24267,7 +24295,6 @@ static void load_info_about_label_surface(FILE * lfi)
                wtmpstr[i + diff] = new_node->save_texttool_str[i];

              memcpy(new_node->save_texttool_str, wtmpstr, sizeof(wchar_t) * (new_node->save_texttool_len + 1));
-          free(wtmpstr);

 #ifdef DEBUG
              printf("Fixed \"%ls\"\n", new_node->save_texttool_str); fflush(stdout);
@ -24317,6 +24344,7 @@ static void load_info_about_label_surface(FILE * lfi)

          /* Read the label's font */
          tmp_fscanf_return = fscanf(lfi, "%d\n", &new_node->save_cur_font);
+          /* FIXME: This seems wrong! -bjk 2022.04.02 */
          new_node->save_cur_font = 0;

          new_node->save_font_type = malloc(64);
@ -24392,16 +24420,17 @@ static void load_info_about_label_surface(FILE * lfi)
          highlighted_label_node = current_label_node;
          simply_render_node(current_label_node);
        }
+    }

  first_label_node_in_redo_stack = NULL;
  fclose(lfi);

-
+  free(wtmpstr);
 #ifdef WIN32
  free(tmpstr);
-  free(wtmpstr);
 #endif

+
  if (font_thread_done)
    set_label_fonts();
 }