From 602608b847ac2ae5787ca3719931642c1116ee3f Mon Sep 17 00:00:00 2001 From: Kevin B Kenny Date: Mon, 26 Nov 2007 20:38:34 +0000 Subject: * generic/tkImgPPM.c (StringReadPPM): Corrected a comparison whose sense was reversed that resulted in reading beyond the end of the input buffer on malformed PPM data. [Bug #1822391] * tests/imgPPM.test (imgPPM-4.1): Added test case that exercises [Bug #1822391]. --- ChangeLog | 9 +++++++-- generic/tkImgPPM.c | 4 ++-- tests/imgPPM.test | 15 ++++++++++++++- 3 files changed, 23 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index cf57bd5..65766b8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,11 +1,16 @@ 2007-11-26 Kevin Kenny + * generic/tkImgPPM.c (StringReadPPM): Corrected a comparison + whose sense was reversed that resulted in reading beyond the + end of the input buffer on malformed PPM data. [Bug #1822391] * library/tkfbox.tcl (VerifyFileName): Corrected a couple of typos in handling of bad file names. [Bug #1822076] - * tests/filebox.test (filebox-7.1, filebox-7.2): Added - test cases that exercise the above bug. Thanks to Christoph Bauer (fridolin@users.sf.net) for the patch. + * tests/filebox.test (filebox-7.1, filebox-7.2): Added + test cases that exercise [Bug #1822076]. + * tests/imgPPM.test (imgPPM-4.1): Added test case that + exercises [Bug #1822391]. 2007-11-25 Joe English diff --git a/generic/tkImgPPM.c b/generic/tkImgPPM.c index 45063c9..b4302e4 100644 --- a/generic/tkImgPPM.c +++ b/generic/tkImgPPM.c @@ -13,7 +13,7 @@ * Department of Computer Science, * Australian National University. * - * RCS: @(#) $Id: tkImgPPM.c,v 1.19 2007/09/07 00:34:52 dgp Exp $ + * RCS: @(#) $Id: tkImgPPM.c,v 1.20 2007/11/26 20:38:35 kennykb Exp $ */ #include "tkInt.h" @@ -538,7 +538,7 @@ StringReadPPM( * We have all the data in memory, so write everything in one go. */ - if (block.pitch*height < dataSize) { + if (block.pitch*height > dataSize) { Tcl_AppendResult(interp, "truncated PPM data", NULL); return TCL_ERROR; } diff --git a/tests/imgPPM.test b/tests/imgPPM.test index 53aa4c7..53d03c3 100644 --- a/tests/imgPPM.test +++ b/tests/imgPPM.test @@ -6,7 +6,7 @@ # Copyright (c) 1998-1999 by Scriptics Corporation. # All rights reserved. # -# RCS: @(#) $Id: imgPPM.test,v 1.8 2004/12/08 03:03:06 dgp Exp $ +# RCS: @(#) $Id: imgPPM.test,v 1.9 2007/11/26 20:38:35 kennykb Exp $ package require tcltest 2.1 eval tcltest::configure $argv @@ -146,6 +146,19 @@ test imgPPM-3.13 {ReadPPMFileHeader procedure, file ends too soon} { list [catch {image create photo p1 -file test.ppm} msg] $msg } {1 {couldn't recognize data in image file "test.ppm"}} +test imgPPM-4.1 {StringReadPPM procedure, data too short [Bug 1822391]} \ + -setup { + image create photo I -width 1103 -height 997 + } \ + -cleanup { + image delete I + } \ + -body { + I put "P5\n1103 997\n255\n" + } \ + -returnCodes error \ + -result {truncated PPM data} + eval image delete [image names] # cleanup -- cgit v0.12