plug-ins: improve security in flame plug-in

- Use g_malloc* functions instead of malloc, so we don't continue on
failed allocations unless we test for NULL.
- Make sure we don't iterate past the known number of control points (ncps).
- Safely allocate, initialize and free points. Since points seems to be
used uninitialized, we use g_malloc0 to set everything to 0.
Jacob Boerema 2022-11-08 14:10:05 -05:00
parent 4fa8e7941d
commit 981979bb39
2 changed files with 20 additions and 10 deletions


@ -692,6 +692,8 @@ interpolate (control_point cps[],
int i, j, i1, i2; int i, j, i1, i2;
double c0, c1, t; double c0, c1, t;
g_return_if_fail (ncps > 0);
if (ncps == 1) if (ncps == 1)
{ {
*result = cps[0]; *result = cps[0];
@ -710,12 +712,14 @@ interpolate (control_point cps[],
else else
{ {
i1 = 0; i1 = 0;
while (cps[i1].time < time) while (i1 < ncps && cps[i1].time < time)
i1++; i1++;
i1--; i1--;
i2 = i1 + 1; i2 = i1 + 1;
if (time - cps[i1].time > -1e-7 &&
time - cps[i1].time < 1e-7) if (i2 == ncps ||
(time - cps[i1].time > -1e-7 &&
time - cps[i1].time < 1e-7))
{ {
*result = cps[i1]; *result = cps[i1];
return; return;
@ -861,15 +865,18 @@ tokenize (char **ss,
i++; i++;
state = 1; state = 1;
} }
break;
case 1: case 1:
if (g_ascii_isspace (c)) if (g_ascii_isspace (c))
{ {
*s = 0; *s = 0;
state = 0; state = 0;
} }
break;
case 2: case 2:
if (c == '\n') if (c == '\n')
state = 0; state = 0;
break;
} }
s++; s++;
len--; len--;
@ -1373,7 +1380,8 @@ estimate_bounding_box (control_point *cp,
int low_target = batch * eps; int low_target = batch * eps;
int high_target = batch - low_target; int high_target = batch - low_target;
point min, max, delta; point min, max, delta;
point *points = malloc (sizeof (point) * batch); point *points = g_malloc0 (sizeof (point) * batch);
iterate (cp, batch, 20, points); iterate (cp, batch, 20, points);
min[0] = min[1] = 1e10; min[0] = min[1] = 1e10;
@ -1420,6 +1428,7 @@ estimate_bounding_box (control_point *cp,
delta[0] = delta[0] / 2.0; delta[0] = delta[0] / 2.0;
delta[1] = delta[1] / 2.0; delta[1] = delta[1] / 2.0;
} }
g_free (points);
} }
/* this has serious flaws in it */ /* this has serious flaws in it */
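Review bot: The allocation `point *points = g_malloc0 (sizeof (point) * batch);` in estimate_bounding_box computes the size in plain int-by-size_t arithmetic, so the product is not overflow-checked; `point *points = g_new0 (point, batch);` goes through GLib's counted allocator, which aborts on overflow instead of returning a short buffer, and also states the element count directly. In the interpolate hunk the new `i1 < ncps` bound protects the top of the array, but when the first control point's time is not below `time` the loop never advances, `i1--` leaves i1 at -1 and `cps[i1].time` on the following condition reads before the array; unless the branch hidden between the two hunks already returns for that case, a guard such as `if (i1 == 0) { *result = cps[0]; return; }` placed before `i1--` would close it. The `break;` statements added in tokenize change the switch's fall-through, which the commit message does not mention; one sentence in the description saying whether the fall-through was harmful or only unintended would help the next reader. interpolate, tokenize and estimate_bounding_box all start before their hunks, so the declarations of `batch` and `points` are not visible here.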


@ -20,6 +20,7 @@
#include <string.h> #include <string.h>
#include "libgimp/gimp.h"
/* for batch /* for batch
* interpolate * interpolate
@ -122,7 +123,7 @@ render_rectangle (frame_spec *spec,
if ((filter_width ^ oversample) & 1) if ((filter_width ^ oversample) & 1)
filter_width++; filter_width++;
filter = malloc (sizeof (double) * filter_width * filter_width); filter = g_malloc (sizeof (double) * filter_width * filter_width);
/* fill in the coefs */ /* fill in the coefs */
for (i = 0; i < filter_width; i++) for (i = 0; i < filter_width; i++)
for (j = 0; j < filter_width; j++) for (j = 0; j < filter_width; j++)
@ -135,8 +136,8 @@ render_rectangle (frame_spec *spec,
} }
normalize_vector(filter, filter_width * filter_width); normalize_vector(filter, filter_width * filter_width);
} }
temporal_filter = malloc (sizeof (double) * nbatches); temporal_filter = g_malloc (sizeof (double) * nbatches);
temporal_deltas = malloc (sizeof (double) * nbatches); temporal_deltas = g_malloc (sizeof (double) * nbatches);
if (nbatches > 1) if (nbatches > 1)
{ {
double t; double t;
@ -173,11 +174,11 @@ render_rectangle (frame_spec *spec,
{ {
if (last_block != NULL) if (last_block != NULL)
free (last_block); free (last_block);
last_block = malloc (memory_rqd); last_block = g_try_malloc (memory_rqd);
if (last_block == NULL) if (last_block == NULL)
{ {
fprintf (stderr, "render_rectangle: cannot malloc %d bytes.\n", g_printerr ("render_rectangle: cannot malloc %d bytes.\n",
memory_rqd); memory_rqd);
exit (1); exit (1);
} }
last_block_size = memory_rqd; last_block_size = memory_rqd;
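Review bot: `free (last_block);` on the line above the new `last_block = g_try_malloc (memory_rqd);` now releases GLib-allocated memory through the C library's free and should become `g_free (last_block);`; the same change is needed wherever `last_block`, `filter`, `temporal_filter` and `temporal_deltas` are released, which is outside this hunk. GLib's documentation requires memory from g_malloc/g_try_malloc to be returned with g_free, even though the current implementation forwards to malloc, and mixing the two is what static analyzers flag. The earlier hunk's `filter = g_malloc (sizeof (double) * filter_width * filter_width);` still performs `filter_width * filter_width` as an int multiplication before any overflow check; `g_malloc_n ((gsize) filter_width * filter_width, sizeof (double))` performs the whole product in gsize and aborts on overflow, or a range check on filter_width would suffice if it is bounded by the caller. The `%d` in the g_printerr call should match the type of `memory_rqd`, whose declaration is not in the hunk. render_rectangle starts before its hunks.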