From 981979bb39a9453f33d8c33f12ef19ff15be25ba Mon Sep 17 00:00:00 2001
From: Jacob Boerema
Date: Tue, 8 Nov 2022 14:10:05 -0500
Subject: [PATCH] plug-ins: improve security in flame plug-in

- Use g_malloc* functions instead of malloc, so we don't continue on failed allocations unless we test for NULL.
- Make sure we don't iterate past the known number of control points (ncps).
- Safely allocate, initialize and free points. Since points seems to be used uninitialized, we use g_malloc0 to set everything to 0.
---
 plug-ins/flame/libifs.c | 17 +++++++++++++----
 plug-ins/flame/rect.c   | 13 +++++++------
 2 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/plug-ins/flame/libifs.c b/plug-ins/flame/libifs.c
index 16259d46a5..461ac5c96d 100644
--- a/plug-ins/flame/libifs.c
+++ b/plug-ins/flame/libifs.c
@@ -692,6 +692,8 @@ interpolate (control_point cps[],
   int i, j, i1, i2;
   double c0, c1, t;
 
+  g_return_if_fail (ncps > 0);
+
   if (ncps == 1)
     {
       *result = cps[0];
@@ -710,12 +712,14 @@ interpolate (control_point cps[],
   else
     {
       i1 = 0;
-      while (cps[i1].time < time)
+      while (i1 < ncps && cps[i1].time < time)
         i1++;
       i1--;
       i2 = i1 + 1;
-      if (time - cps[i1].time > -1e-7 &&
-          time - cps[i1].time < 1e-7)
+
+      if (i2 == ncps ||
+          (time - cps[i1].time > -1e-7 &&
+           time - cps[i1].time < 1e-7))
         {
           *result = cps[i1];
           return;
@@ -861,15 +865,18 @@ tokenize (char **ss,
               i++;
               state = 1;
             }
+          break;
         case 1:
           if (g_ascii_isspace (c))
             {
               *s = 0;
               state = 0;
             }
+          break;
         case 2:
           if (c == '\n')
             state = 0;
+          break;
         }
       s++;
       len--;
@@ -1373,7 +1380,8 @@ estimate_bounding_box (control_point *cp,
   int low_target = batch * eps;
   int high_target = batch - low_target;
   point min, max, delta;
-  point *points = malloc (sizeof (point) * batch);
+  point *points = g_malloc0 (sizeof (point) * batch);
+
   iterate (cp, batch, 20, points);
 
   min[0] = min[1] = 1e10;
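Review bot: The new `g_return_if_fail (ncps > 0);` at the top of interpolate is a soft check: GLib compiles it out entirely when G_DISABLE_CHECKS is defined, and when it does fire it returns with `*result` never written, so the caller keeps whatever was in it. If ncps reflects the number of control points parsed from a flame file rather than a programming invariant, a plain `if (ncps <= 0) return;` (ideally with the caller told the result is invalid) is the safer form. The rest of interpolate, including the branches between this hunk and the next, is outside the hunk.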
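Review bot: The new bound `i1 < ncps` protects the upper end of the scan but not the lower one: when the loop exits immediately (cps[0].time is not less than time, or time/cps[0].time is NaN, for which every comparison is false) the following `i1--;` leaves i1 at -1 and `cps[i1].time` reads before the array. The branches between the first hunk and this `else` are not visible here and may already reject that case, but a NaN time would slip through a `>=`-style guard, so the cheap fix is to add `if (i1 < 0) { *result = cps[0]; return; }` right after `i1--;`. interpolate's body continues past the end of the hunk.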
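Review bot: The `i++` just before the first added `break;` is the only bookkeeping on the token count, and nothing in the hunk checks it against the capacity of the argv array that `i` indexes (the `argv[i] = s` store sits just above the hunk, outside view). If tokenize's argv parameter is a fixed-size array in the caller, a flame description with more tokens than that overflows it; a guard such as `if (i >= max_argc) break;` before the store, with a max_argc argument or a visible MAXARGS constant, would close that. The added breaks themselves only stop state 0 from NUL-ing whitespace through the old fallthrough into case 1, which looks harmless. tokenize starts and ends outside the hunk.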
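Review bot: The new `g_malloc0 (sizeof (point) * batch)` still does an unchecked `size_t * int` multiply, so a negative or oversized batch becomes a huge gsize and aborts the plug-in rather than being rejected; `point *points = g_new0 (point, batch);` uses the overflow-checked g_malloc0_n path and keeps the zero-initialization the commit wants. Where batch comes from and whether it is bounded is outside the hunk, so an explicit `if (batch <= 0) return;`-style check above this line would be the belt to that brace. estimate_bounding_box continues past the hunk.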
@@ -1420,6 +1428,7 @@ estimate_bounding_box (control_point *cp,
       delta[0] = delta[0] / 2.0;
       delta[1] = delta[1] / 2.0;
     }
+  g_free (points);
 }
 
 /* this has serious flaws in it */
diff --git a/plug-ins/flame/rect.c b/plug-ins/flame/rect.c
index 4951bfdfc8..0ff0f5f89c 100644
--- a/plug-ins/flame/rect.c
+++ b/plug-ins/flame/rect.c
@@ -20,6 +20,7 @@
 #include
+#include "libgimp/gimp.h"
 /* for batch
  * interpolate
@@ -122,7 +123,7 @@ render_rectangle (frame_spec *spec,
   if ((filter_width ^ oversample) & 1)
     filter_width++;
 
-  filter = malloc (sizeof (double) * filter_width * filter_width);
+  filter = g_malloc (sizeof (double) * filter_width * filter_width);
   /* fill in the coefs */
   for (i = 0; i < filter_width; i++)
     for (j = 0; j < filter_width; j++)
@@ -135,8 +136,8 @@ render_rectangle (frame_spec *spec,
         }
       normalize_vector(filter, filter_width * filter_width);
     }
-  temporal_filter = malloc (sizeof (double) * nbatches);
-  temporal_deltas = malloc (sizeof (double) * nbatches);
+  temporal_filter = g_malloc (sizeof (double) * nbatches);
+  temporal_deltas = g_malloc (sizeof (double) * nbatches);
   if (nbatches > 1)
     {
       double t;
@@ -173,11 +174,11 @@ render_rectangle (frame_spec *spec,
     {
       if (last_block != NULL)
         free (last_block);
-      last_block = malloc (memory_rqd);
+      last_block = g_try_malloc (memory_rqd);
       if (last_block == NULL)
         {
-          fprintf (stderr, "render_rectangle: cannot malloc %d bytes.\n",
-                   memory_rqd);
+          g_printerr ("render_rectangle: cannot malloc %d bytes.\n",
+                      memory_rqd);
           exit (1);
         }
       last_block_size = memory_rqd;
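Review bot: The added `g_free (points);` sits only on the fall-through path at the end of estimate_bounding_box, so any `return` inside the loop between the allocation (previous hunk) and this line would still leak the buffer; that region is outside the hunk and worth a quick scan. If such an early exit exists, route it through a single cleanup (e.g. `goto out;` with `out: g_free (points);`) rather than freeing at each site.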
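Review bot: Switching `filter` to `g_malloc` means the buffer must now be released with g_free, and the matching release for `filter` is not in this hunk; if it is still a `free (filter)` elsewhere in render_rectangle it should be changed in the same commit, since the two allocators are only coincidentally compatible. The size expression is also still raw arithmetic on the int `filter_width` (a negative value turns into a huge gsize); `filter = g_malloc_n ((gsize) filter_width * filter_width, sizeof (double));` keeps the overflow check in GLib. render_rectangle starts before the hunk.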
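Review bot: Same concern as for `filter`: `temporal_filter` and `temporal_deltas` are now GLib allocations, so whatever frees them later in render_rectangle (outside the hunk) must be `g_free`, not `free`. The two lines would also read better and check the multiplication as `temporal_filter = g_new (double, nbatches);` and `temporal_deltas = g_new (double, nbatches);`. Note that `nbatches <= 0` gives a NULL result from g_malloc here, which is fine only because the `if (nbatches > 1)` below guards the use.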
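Review bot: `last_block` is now obtained from `g_try_malloc` but the context line two above still releases it with `free (last_block);` — mixing the two allocators is a documented mismatch in GLib even if current builds route g_malloc to the system heap; change the pair to `g_free (last_block);` (the `!= NULL` guard then becomes unnecessary). `memory_rqd` is an int passed as gsize, so a negative value silently becomes a huge request that fails and hits `exit (1)`; a `memory_rqd > 0` check before the allocation would give a clearer error. render_rectangle's body continues after the hunk.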