authorKevin B Kenny <kennykb@acm.org>2007-11-26 20:38:34 (GMT)
committerKevin B Kenny <kennykb@acm.org>2007-11-26 20:38:34 (GMT)
commit55f6adc5b76aed80e9078d161d890051fecbc651 (patch)
tree4b3c4719ed27a5a97869113ec8a9418f1c35be81
parent671bcba7bb5831707282a085723aaf9c2812fd9a (diff)
* generic/tkImgPPM.c (StringReadPPM): Corrected a comparison
whose sense was reversed, which resulted in reading beyond the end of the input buffer on malformed PPM data. [Bug #1822391]
* tests/imgPPM.test (imgPPM-4.1): Added test case that exercises [Bug #1822391].
-rw-r--r--ChangeLog9
-rw-r--r--generic/tkImgPPM.c4
-rw-r--r--tests/imgPPM.test15
3 files changed, 23 insertions, 5 deletions
diff --git a/ChangeLog b/ChangeLog
index cf57bd5..65766b8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,11 +1,16 @@
2007-11-26 Kevin Kenny <kennykb@acm.org>
+ * generic/tkImgPPM.c (StringReadPPM): Corrected a comparison
+ whose sense was reversed that resulted in reading beyond the
+ end of the input buffer on malformed PPM data. [Bug #1822391]
* library/tkfbox.tcl (VerifyFileName): Corrected a couple
of typos in handling of bad file names. [Bug #1822076]
- * tests/filebox.test (filebox-7.1, filebox-7.2): Added
- test cases that exercise the above bug.
Thanks to Christoph Bauer (fridolin@users.sf.net) for the
patch.
+ * tests/filebox.test (filebox-7.1, filebox-7.2): Added
+ test cases that exercise [Bug #1822076].
+ * tests/imgPPM.test (imgPPM-4.1): Added test case that
+ exercises [Bug #1822391].
2007-11-25 Joe English <jenglish@users.sourceforge.net>
diff --git a/generic/tkImgPPM.c b/generic/tkImgPPM.c
index 45063c9..b4302e4 100644
--- a/generic/tkImgPPM.c
+++ b/generic/tkImgPPM.c
@@ -13,7 +13,7 @@
* Department of Computer Science,
* Australian National University.
*
- * RCS: @(#) $Id: tkImgPPM.c,v 1.19 2007/09/07 00:34:52 dgp Exp $
+ * RCS: @(#) $Id: tkImgPPM.c,v 1.20 2007/11/26 20:38:35 kennykb Exp $
*/
#include "tkInt.h"
@@ -538,7 +538,7 @@ StringReadPPM(
* We have all the data in memory, so write everything in one go.
*/
- if (block.pitch*height < dataSize) {
+ if (block.pitch*height > dataSize) {
Tcl_AppendResult(interp, "truncated PPM data", NULL);
return TCL_ERROR;
}
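Review bot: The corrected guard `block.pitch*height > dataSize` still multiplies two values that appear to come from the PPM header, so if both are `int`, a large width and height can overflow the product before the comparison, and an undersized buffer could pass the check again. Comparing by division avoids the overflow and is equivalent for positive values: `if (height > 0 && block.pitch > dataSize / height) {`. The operand types and any earlier cap on the header dimensions are outside this hunk, so confirm whether the dimensions are already bounded. StringReadPPM's body starts and ends outside the hunk.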
diff --git a/tests/imgPPM.test b/tests/imgPPM.test
index 53aa4c7..53d03c3 100644
--- a/tests/imgPPM.test
+++ b/tests/imgPPM.test
@@ -6,7 +6,7 @@
# Copyright (c) 1998-1999 by Scriptics Corporation.
# All rights reserved.
#
-# RCS: @(#) $Id: imgPPM.test,v 1.8 2004/12/08 03:03:06 dgp Exp $
+# RCS: @(#) $Id: imgPPM.test,v 1.9 2007/11/26 20:38:35 kennykb Exp $
package require tcltest 2.1
eval tcltest::configure $argv
@@ -146,6 +146,19 @@ test imgPPM-3.13 {ReadPPMFileHeader procedure, file ends too soon} {
list [catch {image create photo p1 -file test.ppm} msg] $msg
} {1 {couldn't recognize data in image file "test.ppm"}}
+test imgPPM-4.1 {StringReadPPM procedure, data too short [Bug 1822391]} \
+ -setup {
+ image create photo I -width 1103 -height 997
+ } \
+ -cleanup {
+ image delete I
+ } \
+ -body {
+ I put "P5\n1103 997\n255\n"
+ } \
+ -returnCodes error \
+ -result {truncated PPM data}
+
eval image delete [image names]
# cleanup
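Review bot: The new imgPPM-4.1 case supplies a header with no pixel bytes at all, so it exercises only the extreme of the corrected comparison and not its boundary. A companion case with pixel data exactly one byte short of 1103*997, and another with exactly the full size that is expected to succeed, would catch an off-by-one regression in the `>` test in StringReadPPM. The case also covers only a `P5` header; a `P6` case would exercise a different row pitch, assuming the pitch depends on the format, which this page does not show.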