diff options
| author | Kevin B Kenny <kennykb@acm.org> | 2007-11-26 20:38:34 (GMT) |
|---|---|---|
| committer | Kevin B Kenny <kennykb@acm.org> | 2007-11-26 20:38:34 (GMT) |
| commit | 55f6adc5b76aed80e9078d161d890051fecbc651 (patch) | |
| tree | 4b3c4719ed27a5a97869113ec8a9418f1c35be81 | |
| parent | 671bcba7bb5831707282a085723aaf9c2812fd9a (diff) | |
| download | tk-55f6adc5b76aed80e9078d161d890051fecbc651.zip tk-55f6adc5b76aed80e9078d161d890051fecbc651.tar.gz tk-55f6adc5b76aed80e9078d161d890051fecbc651.tar.bz2 | |
* generic/tkImgPPM.c (StringReadPPM): Corrected a comparison
whose sense was reversed that resulted in reading beyond the
end of the input buffer on malformed PPM data. [Bug #1822391]
* tests/imgPPM.test (imgPPM-4.1): Added test case that
exercises [Bug #1822391].
| -rw-r--r-- | ChangeLog | 9 | ||||
| -rw-r--r-- | generic/tkImgPPM.c | 4 | ||||
| -rw-r--r-- | tests/imgPPM.test | 15 |
3 files changed, 23 insertions, 5 deletions
@@ -1,11 +1,16 @@ 2007-11-26 Kevin Kenny <kennykb@acm.org> + * generic/tkImgPPM.c (StringReadPPM): Corrected a comparison + whose sense was reversed that resulted in reading beyond the + end of the input buffer on malformed PPM data. [Bug #1822391] * library/tkfbox.tcl (VerifyFileName): Corrected a couple of typos in handling of bad file names. [Bug #1822076] - * tests/filebox.test (filebox-7.1, filebox-7.2): Added - test cases that exercise the above bug. Thanks to Christoph Bauer (fridolin@users.sf.net) for the patch. + * tests/filebox.test (filebox-7.1, filebox-7.2): Added + test cases that exercise [Bug #1822076]. + * tests/imgPPM.test (imgPPM-4.1): Added test case that + exercises [Bug #1822391]. 2007-11-25 Joe English <jenglish@users.sourceforge.net> diff --git a/generic/tkImgPPM.c b/generic/tkImgPPM.c index 45063c9..b4302e4 100644 --- a/generic/tkImgPPM.c +++ b/generic/tkImgPPM.c @@ -13,7 +13,7 @@ * Department of Computer Science, * Australian National University. * - * RCS: @(#) $Id: tkImgPPM.c,v 1.19 2007/09/07 00:34:52 dgp Exp $ + * RCS: @(#) $Id: tkImgPPM.c,v 1.20 2007/11/26 20:38:35 kennykb Exp $ */ #include "tkInt.h" @@ -538,7 +538,7 @@ StringReadPPM( * We have all the data in memory, so write everything in one go. */ - if (block.pitch*height < dataSize) { + if (block.pitch*height > dataSize) { Tcl_AppendResult(interp, "truncated PPM data", NULL); return TCL_ERROR; } diff --git a/tests/imgPPM.test b/tests/imgPPM.test index 53aa4c7..53d03c3 100644 --- a/tests/imgPPM.test +++ b/tests/imgPPM.test @@ -6,7 +6,7 @@ # Copyright (c) 1998-1999 by Scriptics Corporation. # All rights reserved. # -# RCS: @(#) $Id: imgPPM.test,v 1.8 2004/12/08 03:03:06 dgp Exp $ +# RCS: @(#) $Id: imgPPM.test,v 1.9 2007/11/26 20:38:35 kennykb Exp $ package require tcltest 2.1 eval tcltest::configure $argv @@ -146,6 +146,19 @@ test imgPPM-3.13 {ReadPPMFileHeader procedure, file ends too soon} { list [catch {image create photo p1 -file test.ppm} msg] $msg } {1 {couldn't recognize data in image file "test.ppm"}} +test imgPPM-4.1 {StringReadPPM procedure, data too short [Bug 1822391]} \ + -setup { + image create photo I -width 1103 -height 997 + } \ + -cleanup { + image delete I + } \ + -body { + I put "P5\n1103 997\n255\n" + } \ + -returnCodes error \ + -result {truncated PPM data} + eval image delete [image names] # cleanup |