From 04d59cbc4af657da97a836a24ed6f952bb1a3633 Mon Sep 17 00:00:00 2001 From: Kevin B Kenny Date: Mon, 26 Nov 2007 20:53:57 +0000 Subject: Backport from HEAD of [Bug #1822391]: * generic/tkImgPPM.c (StringReadPPM): Corrected a comparison whose sense was reversed that resulted in reading beyond the end of the input buffer on malformed PPM data. [Bug #1822391] * tests/imgPPM.test (imgPPM-4.1): Added test case that exercises [Bug #1822391]. --- ChangeLog | 11 +++++++++++ generic/tkImgPPM.c | 4 ++-- tests/imgPPM.test | 15 ++++++++++++++- 3 files changed, 27 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 08edaa1..ee7c7a4 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,14 @@ +2007-11-26 Kevin Kenny + + Backport from HEAD of [Bug #1822391]: + + * generic/tkImgPPM.c (StringReadPPM): Corrected a comparison + whose sense was reversed that resulted in reading beyond the + end of the input buffer on malformed PPM data. [Bug #1822391] + * tests/imgPPM.test (imgPPM-4.1): Added test case that + exercises [Bug #1822391]. + + 2007-11-09 Daniel Steffen Backport from HEAD of Aqua changes from 2007-10-12 to 2007-11-09: diff --git a/generic/tkImgPPM.c b/generic/tkImgPPM.c index 3469fcc..ad07913 100644 --- a/generic/tkImgPPM.c +++ b/generic/tkImgPPM.c @@ -13,7 +13,7 @@ * Department of Computer Science, * Australian National University. * - * RCS: @(#) $Id: tkImgPPM.c,v 1.10.2.2 2004/03/27 00:40:39 dkf Exp $ + * RCS: @(#) $Id: tkImgPPM.c,v 1.10.2.3 2007/11/26 20:53:57 kennykb Exp $ */ #include "tkInt.h" @@ -540,7 +540,7 @@ StringReadPPM(interp, dataObj, format, imageHandle, destX, destY, * We have all the data in memory, so write everything in one * go. */ - if (block.pitch*height < dataSize) { + if (block.pitch*height > dataSize) { Tcl_AppendResult(interp, "truncated PPM data", NULL); return TCL_ERROR; } diff --git a/tests/imgPPM.test b/tests/imgPPM.test index 867f54a..de43786 100644 --- a/tests/imgPPM.test +++ b/tests/imgPPM.test 
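Review bot: The corrected bounds check in StringReadPPM still computes `block.pitch*height` before comparing it with `dataSize`, and both factors appear to come from the width and height in the PPM header, which whoever supplies the image data controls. If they are plain ints (their declarations are outside the hunk), a large enough header could overflow the product so that it compares below `dataSize`, and the out-of-bounds read this commit fixes would be reachable again. Comparing by division avoids the multiplication: `if (height > 0 && block.pitch > dataSize / height) {`. StringReadPPM's body starts and ends outside the hunk, so any earlier limit on the dimensions should be confirmed there.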
@@ -6,7 +6,7 @@ # Copyright (c) 1998-1999 by Scriptics Corporation. # All rights reserved. # -# RCS: @(#) $Id: imgPPM.test,v 1.5 2002/07/13 21:52:34 dgp Exp $ +# RCS: @(#) $Id: imgPPM.test,v 1.5.2.1 2007/11/26 20:53:57 kennykb Exp $ package require tcltest 2.1 namespace import -force tcltest::configure @@ -150,6 +150,19 @@ test imgPPM-3.13 {ReadPPMFileHeader procedure, file ends too soon} { list [catch {image create photo p1 -file test.ppm} msg] $msg } {1 {couldn't recognize data in image file "test.ppm"}} +test imgPPM-4.1 {StringReadPPM procedure, data too short [Bug 1822391]} \ + -setup { + image create photo I -width 1103 -height 997 + } \ + -cleanup { + image delete I + } \ + -body { + I put "P5\n1103 997\n255\n" + } \ + -returnCodes error \ + -result {truncated PPM data} + removeFile test.ppm removeFile test2.ppm eval image delete [image names] -- cgit v0.12
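Review bot: imgPPM-4.1 covers only the case where no pixel data at all follows the header, so it would still pass if the comparison in StringReadPPM were later changed to `>=` or were off by a few bytes. Since the original defect was a reversed comparison, two boundary cases would pin its sense: a small image whose data is exactly one byte short, expected to fail with `truncated PPM data`, and the same image with exactly width*height bytes, expected to succeed. A 2x2 P5 image keeps both short, e.g. `I put "P5\n2 2\n255\n[string repeat A 3]"` for the failing case and `[string repeat A 4]` for the passing one.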