From 19f17c94169ea0841b23360a3992f4dae068cdb2 Mon Sep 17 00:00:00 2001
From: Johannes Hofmann
Date: Mon, 29 Jun 2009 20:27:13 +0200
Subject: check for suspicious image size requests in FltkImgbuf::getScaledBuf()

In addition to the test in html.cc we need to check here for excessive image sizes because
* images can be scaled preserving their original aspect ratio by just specifing one dimension
* image sizes can be specified via CSS.
---
 dw/fltkimgbuf.cc | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/dw/fltkimgbuf.cc b/dw/fltkimgbuf.cc
index 680a4f4b..48339b51 100644
--- a/dw/fltkimgbuf.cc
+++ b/dw/fltkimgbuf.cc
@@ -26,6 +26,8 @@
 #include
 #include
+#define IMAGE_MAX_AREA (6000 * 6000)
+
 using namespace fltk;
 namespace dw {
@@ -185,6 +187,18 @@ core::Imgbuf* FltkImgbuf::getScaledBuf (int width, int height)
 }
 }
+ /* Check for excessive image sizes which would cause crashes due to
+ * too big allocations for the image buffer.
+ * In this case we return a pointer to the unscaled image buffer.
+ */
+ if (width <= 0 || height <= 0 ||
+ width > IMAGE_MAX_AREA / height) {
+ MSG("FltkImgbuf::getScaledBuf: suspicious image size request %dx%d\n",
+ width, height);
+ ref ();
+ return this;
+ }
+
 /* This size is not yet used, so a new buffer has to be created. */
 FltkImgbuf *sb = new FltkImgbuf (type, width, height, this);
 scaledBuffers->append (sb);
-- 
cgit v1.2.3
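Review bot: The early return in the second hunk hands the caller a buffer whose dimensions differ from the `width`/`height` it asked for, and neither the added comment nor the function's contract says so; a caller that sizes its drawing or row arithmetic by the requested dimensions rather than by the returned buffer's own size would then read past the unscaled buffer (inferred — the callers are not in the hunk, and getScaledBuf's body starts outside it). Worth stating at the return site, e.g. `/* Callers must use the returned buffer's own size, not the requested width/height. */`. The limit is also a second copy of the check the message says already lives in html.cc, so a single shared constant (a `const int` in a common header rather than a per-file `#define`) would keep the two from drifting apart. The `width > IMAGE_MAX_AREA / height` form with both dimensions already checked positive is the right shape: it rejects the oversized product without the multiplication itself overflowing.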