plug-ins: improve security in flame plug-in

- Use g_malloc* functions instead of malloc, so we don't continue on failed allocations unless we test for NULL. - Make sure we don't iterate past the known number of control points (ncps). - Safely allocate, initialize and free points. Since points seems to be used uninitialized, we use g_malloc0 to set everything to 0.
2022-11-08 14:10:05 -05:00 · 2022-11-08 14:10:05 -05:00 · 981979bb39
parent 4fa8e7941d
commit 981979bb39
2 changed files with 20 additions and 10 deletions
--- a/plug-ins/flame/libifs.c
+++ b/plug-ins/flame/libifs.c
@ -692,6 +692,8 @@ interpolate (control_point  cps[],
  int i, j, i1, i2;
  double c0, c1, t;

+  g_return_if_fail (ncps > 0);
+
  if (ncps == 1)
    {
      *result = cps[0];
@ -710,12 +712,14 @@ interpolate (control_point  cps[],
  else
    {
      i1 = 0;
-      while (cps[i1].time < time)
+      while (i1 < ncps && cps[i1].time < time)
        i1++;
      i1--;
      i2 = i1 + 1;
-      if (time - cps[i1].time > -1e-7 &&
-          time - cps[i1].time < 1e-7)
+
+      if (i2 == ncps ||
+          (time - cps[i1].time > -1e-7 &&
+           time - cps[i1].time < 1e-7))
        {
          *result = cps[i1];
          return;
@ -861,15 +865,18 @@ tokenize (char **ss,
              i++;
              state = 1;
            }
+          break;
        case 1:
          if (g_ascii_isspace (c))
            {
              *s = 0;
              state = 0;
            }
+          break;
        case 2:
          if (c == '\n')
            state = 0;
+          break;
        }
      s++;
      len--;
@ -1373,7 +1380,8 @@ estimate_bounding_box (control_point *cp,
  int    low_target = batch * eps;
  int    high_target = batch - low_target;
  point  min, max, delta;
-  point *points = malloc (sizeof (point) * batch);
+  point *points = g_malloc0 (sizeof (point) * batch);
+
  iterate (cp, batch, 20, points);

  min[0] = min[1] =  1e10;
@ -1420,6 +1428,7 @@ estimate_bounding_box (control_point *cp,
      delta[0] = delta[0] / 2.0;
      delta[1] = delta[1] / 2.0;
    }
+  g_free (points);
 }

 /* this has serious flaws in it */
--- a/plug-ins/flame/rect.c
+++ b/plug-ins/flame/rect.c
@ -20,6 +20,7 @@

 #include <string.h>

+#include "libgimp/gimp.h"

 /* for batch
 *   interpolate
@ -122,7 +123,7 @@ render_rectangle (frame_spec    *spec,
      if ((filter_width ^ oversample) & 1)
        filter_width++;

-      filter = malloc (sizeof (double) * filter_width * filter_width);
+      filter = g_malloc (sizeof (double) * filter_width * filter_width);
      /* fill in the coefs */
      for (i = 0; i < filter_width; i++)
        for (j = 0; j < filter_width; j++)
@ -135,8 +136,8 @@ render_rectangle (frame_spec    *spec,
          }
      normalize_vector(filter, filter_width * filter_width);
    }
-  temporal_filter = malloc (sizeof (double) * nbatches);
-  temporal_deltas = malloc (sizeof (double) * nbatches);
+  temporal_filter = g_malloc (sizeof (double) * nbatches);
+  temporal_deltas = g_malloc (sizeof (double) * nbatches);
  if (nbatches > 1)
    {
      double t;
@ -173,11 +174,11 @@ render_rectangle (frame_spec    *spec,
        {
          if (last_block != NULL)
            free (last_block);
-          last_block = malloc (memory_rqd);
+          last_block = g_try_malloc (memory_rqd);
          if (last_block == NULL)
            {
-              fprintf (stderr, "render_rectangle: cannot malloc %d bytes.\n",
-                       memory_rqd);
+              g_printerr ("render_rectangle: cannot malloc %d bytes.\n",
+                          memory_rqd);
              exit (1);
            }
          last_block_size = memory_rqd;