From b2afa57ef9f7dc069d371ae1d25388e3f1035118 Mon Sep 17 00:00:00 2001
From: kennykb <kennykb@noemail.net>
Date: Mon, 26 Nov 2007 20:53:56 +0000
Subject: Backport from HEAD of [Bug #1822391]:

* generic/tkImgPPM.c (StringReadPPM): Corrected a comparison
whose sense was reversed that resulted in reading beyond the
end of the input buffer on malformed PPM data. [Bug #1822391]
* tests/imgPPM.test (imgPPM-4.1): Added test case that
exercises [Bug #1822391].


FossilOrigin-Name: d7902b20d936053d91698cb8e3eac5f57828a7c6
---
 ChangeLog          | 11 +++++++++++
 generic/tkImgPPM.c |  4 ++--
 tests/imgPPM.test  | 15 ++++++++++++++-
 3 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 08edaa1..ee7c7a4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2007-11-26  Kevin Kenny  <kennykb@acm.org>
+	
+	Backport from HEAD of [Bug #1822391]:
+	
+	* generic/tkImgPPM.c (StringReadPPM): Corrected a comparison
+	whose sense was reversed that resulted in reading beyond the
+	end of the input buffer on malformed PPM data. [Bug #1822391]
+	* tests/imgPPM.test (imgPPM-4.1): Added test case that
+	exercises [Bug #1822391].
+	
+	
 2007-11-09  Daniel Steffen  <das@users.sourceforge.net>
 
 	Backport from HEAD of Aqua changes from 2007-10-12 to 2007-11-09:
diff --git a/generic/tkImgPPM.c b/generic/tkImgPPM.c
index 3469fcc..ad07913 100644
--- a/generic/tkImgPPM.c
+++ b/generic/tkImgPPM.c
@@ -13,7 +13,7 @@
  *	   Department of Computer Science,
  *	   Australian National University.
  *
- * RCS: @(#) $Id: tkImgPPM.c,v 1.10.2.2 2004/03/27 00:40:39 dkf Exp $
+ * RCS: @(#) $Id: tkImgPPM.c,v 1.10.2.3 2007/11/26 20:53:57 kennykb Exp $
  */
 
 #include "tkInt.h"
@@ -540,7 +540,7 @@ StringReadPPM(interp, dataObj, format, imageHandle, destX, destY,
 	 * We have all the data in memory, so write everything in one
 	 * go.
 	 */
-	if (block.pitch*height < dataSize) {
+	if (block.pitch*height > dataSize) {
 	    Tcl_AppendResult(interp, "truncated PPM data", NULL);
 	    return TCL_ERROR;
 	}
diff --git a/tests/imgPPM.test b/tests/imgPPM.test
index 867f54a..de43786 100644
--- a/tests/imgPPM.test
+++ b/tests/imgPPM.test
@@ -6,7 +6,7 @@
 # Copyright (c) 1998-1999 by Scriptics Corporation.
 # All rights reserved.
 #
-# RCS: @(#) $Id: imgPPM.test,v 1.5 2002/07/13 21:52:34 dgp Exp $
+# RCS: @(#) $Id: imgPPM.test,v 1.5.2.1 2007/11/26 20:53:57 kennykb Exp $
 
 package require tcltest 2.1
 namespace import -force tcltest::configure
@@ -150,6 +150,19 @@ test imgPPM-3.13 {ReadPPMFileHeader procedure, file ends too soon} {
     list [catch {image create photo p1 -file test.ppm} msg] $msg
 } {1 {couldn't recognize data in image file "test.ppm"}}
 
+test imgPPM-4.1 {StringReadPPM procedure, data too short [Bug 1822391]} \
+    -setup {
+	image create photo I -width 1103 -height 997
+    } \
+    -cleanup {
+	image delete I
+    } \
+    -body {
+	I put "P5\n1103 997\n255\n"
+    } \
+    -returnCodes error \
+    -result {truncated PPM data}
+
 removeFile test.ppm
 removeFile test2.ppm
 eval image delete [image names]
-- 
cgit v0.12