diff options
author | Kevin B Kenny <kennykb@acm.org> | 2007-11-26 20:53:57 (GMT) |
---|---|---|
committer | Kevin B Kenny <kennykb@acm.org> | 2007-11-26 20:53:57 (GMT) |
commit | 04d59cbc4af657da97a836a24ed6f952bb1a3633 (patch) | |
tree | 1f3a435ace170a7ccfe7ee18e33f9f2fab8f2dc3 | |
parent | 86cb489f9d555eb126bc7af0aed33123a9c1742c (diff) | |
download | tk-04d59cbc4af657da97a836a24ed6f952bb1a3633.zip tk-04d59cbc4af657da97a836a24ed6f952bb1a3633.tar.gz tk-04d59cbc4af657da97a836a24ed6f952bb1a3633.tar.bz2 |
Backport from HEAD of [Bug #1822391]:
* generic/tkImgPPM.c (StringReadPPM): Corrected a comparison
whose sense was reversed that resulted in reading beyond the
end of the input buffer on malformed PPM data. [Bug #1822391]
* tests/imgPPM.test (imgPPM-4.1): Added test case that
exercises [Bug #1822391].
-rw-r--r-- | ChangeLog | 11 | ||||
-rw-r--r-- | generic/tkImgPPM.c | 4 | ||||
-rw-r--r-- | tests/imgPPM.test | 15 |
3 files changed, 27 insertions, 3 deletions
@@ -1,3 +1,14 @@ +2007-11-26 Kevin Kenny <kennykb@acm.org> + + Backport from HEAD of [Bug #1822391]: + + * generic/tkImgPPM.c (StringReadPPM): Corrected a comparison + whose sense was reversed that resulted in reading beyond the + end of the input buffer on malformed PPM data. [Bug #1822391] + * tests/imgPPM.test (imgPPM-4.1): Added test case that + exercises [Bug #1822391]. + + 2007-11-09 Daniel Steffen <das@users.sourceforge.net> Backport from HEAD of Aqua changes from 2007-10-12 to 2007-11-09: diff --git a/generic/tkImgPPM.c b/generic/tkImgPPM.c index 3469fcc..ad07913 100644 --- a/generic/tkImgPPM.c +++ b/generic/tkImgPPM.c @@ -13,7 +13,7 @@ * Department of Computer Science, * Australian National University. * - * RCS: @(#) $Id: tkImgPPM.c,v 1.10.2.2 2004/03/27 00:40:39 dkf Exp $ + * RCS: @(#) $Id: tkImgPPM.c,v 1.10.2.3 2007/11/26 20:53:57 kennykb Exp $ */ #include "tkInt.h" @@ -540,7 +540,7 @@ StringReadPPM(interp, dataObj, format, imageHandle, destX, destY, * We have all the data in memory, so write everything in one * go. */ - if (block.pitch*height < dataSize) { + if (block.pitch*height > dataSize) { Tcl_AppendResult(interp, "truncated PPM data", NULL); return TCL_ERROR; } diff --git a/tests/imgPPM.test b/tests/imgPPM.test index 867f54a..de43786 100644 --- a/tests/imgPPM.test +++ b/tests/imgPPM.test @@ -6,7 +6,7 @@ # Copyright (c) 1998-1999 by Scriptics Corporation. # All rights reserved. # -# RCS: @(#) $Id: imgPPM.test,v 1.5 2002/07/13 21:52:34 dgp Exp $ +# RCS: @(#) $Id: imgPPM.test,v 1.5.2.1 2007/11/26 20:53:57 kennykb Exp $ package require tcltest 2.1 namespace import -force tcltest::configure @@ -150,6 +150,19 @@ test imgPPM-3.13 {ReadPPMFileHeader procedure, file ends too soon} { list [catch {image create photo p1 -file test.ppm} msg] $msg } {1 {couldn't recognize data in image file "test.ppm"}} +test imgPPM-4.1 {StringReadPPM procedure, data too short [Bug 1822391]} \ + -setup { + image create photo I -width 1103 -height 997 + } \ + -cleanup { + image delete I + } \ + -body { + I put "P5\n1103 997\n255\n" + } \ + -returnCodes error \ + -result {truncated PPM data} + removeFile test.ppm removeFile test2.ppm eval image delete [image names] |