Skip to content

Commit

Permalink
Fix buffer overflow in sreadHeaderSpix (found by cluster-fuzz)
Browse files Browse the repository at this point in the history
  • Loading branch information
@DanBloomberg
DanBloomberg committed Jul 28, 2020
1 parent c0fb788 commit 13f812c
Show file tree
Hide file tree
Showing 3 changed files with 7 additions and 3 deletions.
2 changes: 1 addition & 1 deletion src/allheaders.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2561,7 +2561,7 @@ LEPT_DLL extern l_ok pixFindNormalizedSquareSum ( PIX *pixs, l_float32 *phratio,
LEPT_DLL extern PIX * pixReadStreamSpix ( FILE *fp );
LEPT_DLL extern l_ok readHeaderSpix ( const char *filename, l_int32 *pwidth, l_int32 *pheight, l_int32 *pbps, l_int32 *pspp, l_int32 *piscmap );
LEPT_DLL extern l_ok freadHeaderSpix ( FILE *fp, l_int32 *pwidth, l_int32 *pheight, l_int32 *pbps, l_int32 *pspp, l_int32 *piscmap );
LEPT_DLL extern l_ok sreadHeaderSpix ( const l_uint32 *data, l_int32 *pwidth, l_int32 *pheight, l_int32 *pbps, l_int32 *pspp, l_int32 *piscmap );
LEPT_DLL extern l_ok sreadHeaderSpix ( const l_uint32 *data, size_t size, l_int32 *pwidth, l_int32 *pheight, l_int32 *pbps, l_int32 *pspp, l_int32 *piscmap );
LEPT_DLL extern l_ok pixWriteStreamSpix ( FILE *fp, PIX *pix );
LEPT_DLL extern PIX * pixReadMemSpix ( const l_uint8 *data, size_t size );
LEPT_DLL extern l_ok pixWriteMemSpix ( l_uint8 **pdata, size_t *psize, PIX *pix );
Expand Down
2 changes: 1 addition & 1 deletion src/readfile.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1070,7 +1070,7 @@ PIX *pix;
return ERROR_INT("Pdf reading is not supported\n", procName, 1);

case IFF_SPIX:
ret = sreadHeaderSpix((l_uint32 *)data, &w, &h, &bps,
ret = sreadHeaderSpix((l_uint32 *)data, size, &w, &h, &bps,
&spp, &iscmap);
if (ret)
return ERROR_INT( "pnm: no header info returned", procName, 1);
Expand Down
6 changes: 5 additions & 1 deletion src/spixio.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -190,7 +190,7 @@ l_uint32 data[6];
return ERROR_INT("file too small to be spix", procName, 1);
if (fread(data, 4, 6, fp) != 6)
return ERROR_INT("error reading data", procName, 1);
ret = sreadHeaderSpix(data, pwidth, pheight, pbps, pspp, piscmap);
ret = sreadHeaderSpix(data, nbytes, pwidth, pheight, pbps, pspp, piscmap);
return ret;
}

Expand All @@ -199,6 +199,7 @@ l_uint32 data[6];
* \brief sreadHeaderSpix()
*
* \param[in] data
* \param[in] size of data
* \param[out] pwidth width
* \param[out] pheight height
* \param[out] pbps bits/sample
Expand All @@ -213,6 +214,7 @@ l_uint32 data[6];
*/
l_ok
sreadHeaderSpix(const l_uint32 *data,
size_t size,
l_int32 *pwidth,
l_int32 *pheight,
l_int32 *pbps,
Expand All @@ -231,6 +233,8 @@ l_int32 d, ncolors;
*pwidth = *pheight = *pbps = *pspp = 0;
if (piscmap)
*piscmap = 0;
if (size < 28)
return ERROR_INT("size too small", procName, 1);

/* Check file id */
id = (char *)data;
Expand Down

0 comments on commit 13f812c

Please sign in to comment.