From fb596fb88748eeb10301111186f7a50eb2945136 Mon Sep 17 00:00:00 2001 From: Bill Kendrick Date: Wed, 6 Apr 2022 01:32:21 -0700 Subject: [PATCH] Avoid crash on unexpected "saved dimensions" loading Labels --- docs/CHANGES.txt | 5 +++-- src/tuxpaint.c | 13 ++++++++++++- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/docs/CHANGES.txt b/docs/CHANGES.txt index b9efd2624..f75a54362 100644 --- a/docs/CHANGES.txt +++ b/docs/CHANGES.txt @@ -7,7 +7,7 @@ Various contributors (see below, and AUTHORS.txt) http://www.tuxpaint.org/ -2022.April.2 (0.9.28) +2022.April.6 (0.9.28) * Improvements to "Paint" and "Lines" tools: ------------------------------------------ * Brush spacing may now be altered within Tux Paint. @@ -197,7 +197,8 @@ http://www.tuxpaint.org/ * Avoid crashes when coming across unexpected Label data stored within a saved PNG image. - (h/t Donny Sianipar for the report & sample image) + (h/t Donny Sianipar for the report & sample image, + and Shin-Ichi TOYAMA for additional samples) Bill Kendrick * Ports & Building: diff --git a/src/tuxpaint.c b/src/tuxpaint.c index 6d35a8f27..9b8e316a6 100644 --- a/src/tuxpaint.c +++ b/src/tuxpaint.c @@ -22,7 +22,7 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA (See COPYING.txt) - June 14, 2002 - April 2, 2022 + June 14, 2002 - April 6, 2022 */ #include "platform.h" @@ -24403,6 +24403,17 @@ static void load_info_about_label_surface(FILE * lfi) #ifdef DEBUG printf("Original label size %dx%d\n", new_node->save_width, new_node->save_height); #endif + if (new_node->save_width > 8192 || new_node->save_height > 8192) + { + fprintf(stderr, "Unexpected! Save dimensions are (%u x %u!)\n", new_node->save_width, new_node->save_height); + free(new_node); + free(wtmpstr); +#ifdef WIN32 + free(tmpstr); +#endif + fclose(lfi); + return; + } /* Read the label's font */ tmp_fscanf_return = fscanf(lfi, "%d\n", &new_node->save_cur_font);
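Review bot: The guard added in load_info_about_label_surface() only bounds the saved dimensions from above, so a zero value still passes, and so does a negative one if `save_width`/`save_height` are signed. The DEBUG printf just above formats them with `%d` while the new fprintf uses `%u`, so the field type cannot be told from this hunk. Because the values come from Label data stored inside a saved PNG, which may be a file the user did not create, I would reject the whole out-of-range case, e.g. `if (new_node->save_width < 1 || new_node->save_width > MAX_LABEL_SAVE_DIM || new_node->save_height < 1 || new_node->save_height > MAX_LABEL_SAVE_DIM)`, where `MAX_LABEL_SAVE_DIM` is a suggested name for the literal 8192 that is currently repeated. The function starts and ends outside the hunk, so it is not visible whether the fscanf() calls that fill these two fields have their return values checked; if they do not, the comparison may read indeterminate values when the read fails. The new error path also calls `fclose(lfi)` on a stream the function receives as a parameter, so it is worth confirming that the caller does not close it again after the early return.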