From c16dc96284fafa7cc8a6ae0d9b96b8b20ee8dd5a Mon Sep 17 00:00:00 2001 From: "[CST] Bas" Date: Tue, 17 Feb 2015 19:41:24 +0800 Subject: [PATCH] src/driver/framebuffer.cpp: fix-up reading raw icons. If read failed or it read an corrupted header it could lead to bad allocations. Prevent that. Origin commit data ------------------ Branch: ni/coolstream Commit: https://github.com/neutrino-images/ni-neutrino/commit/e9f049c67771c66253851f2c9ecd671df6753cd4 Author: [CST] Bas Date: 2015-02-17 (Tue, 17 Feb 2015) Origin message was: ------------------ src/driver/framebuffer.cpp: fix-up reading raw icons. If read failed or it read an corrupted header it could lead to bad allocations. Prevent that. ------------------ This commit was generated by Migit --- src/driver/framebuffer.cpp | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/src/driver/framebuffer.cpp b/src/driver/framebuffer.cpp index b890a43f4..24bc2a527 100644 --- a/src/driver/framebuffer.cpp +++ b/src/driver/framebuffer.cpp @@ -1099,10 +1099,25 @@ bool CFrameBuffer::paintIcon(const std::string & filename, const int x, const in //printf("paintIcon: error while loading icon: %s\n", newname.c_str()); return false; } - read(lfd, &header, sizeof(struct rawHeader)); + + ssize_t s = read(lfd, &header, sizeof(struct rawHeader)); + if (s < 0) { + perror("read"); + return false; + } + + if (s < (ssize_t) sizeof(rawHeader)){ + printf("paintIcon: error while loading icon: %s, header too small\n", newname.c_str()); + return false; + } + tmpIcon.width = width = (header.width_hi << 8) | header.width_lo; tmpIcon.height = height = (header.height_hi << 8) | header.height_lo; + if (!width || !height) { + printf("paintIcon: error while loading icon: %s, wrong dimensions (%dHx%dW)\n", newname.c_str(), height, width); + return false; + } int dsize = width*height*sizeof(fb_pixel_t);