Author: manolo
Date: 2012-11-09 08:02:08 -0800 (Fri, 09 Nov 2012)
New Revision: 9709
Log:
Fix STR#2881: the new static function Fl_RGB_Image::max_size(size) makes it
possible to control the maximum memory size allowed when creating an
Fl_RGB_Image.

Modified:
   branches/branch-1.3/FL/Fl_Image.H
   branches/branch-1.3/src/Fl_BMP_Image.cxx
   branches/branch-1.3/src/Fl_Image.cxx
   branches/branch-1.3/src/Fl_JPEG_Image.cxx
   branches/branch-1.3/src/Fl_PNG_Image.cxx
   branches/branch-1.3/src/Fl_PNM_Image.cxx

Modified: branches/branch-1.3/FL/Fl_Image.H
===================================================================
--- branches/branch-1.3/FL/Fl_Image.H   2012-11-06 22:29:02 UTC (rev 9708)
+++ branches/branch-1.3/FL/Fl_Image.H   2012-11-09 16:02:08 UTC (rev 9709)
@@ -23,6 +23,7 @@
 #  define Fl_Image_H
 
 #  include "Enumerations.H"
+#include <stdlib.h>
 
 class Fl_Widget;
 struct Fl_Menu_Item;
@@ -167,6 +168,7 @@
   friend class Fl_Quartz_Graphics_Driver;
   friend class Fl_GDI_Graphics_Driver;
   friend class Fl_Xlib_Graphics_Driver;
+  static size_t max_size_;
 public:
 
   const uchar *array;
@@ -211,6 +213,21 @@
   virtual void label(Fl_Widget*w);
   virtual void label(Fl_Menu_Item*m);
   virtual void uncache();
+  /** Sets the maximum allowed image size in bytes when creating an 
Fl_RGB_Image object.
+   
+   The image size in bytes of an Fl_RGB_Image object is the value of the 
product w() * h() * d().
+   If this product exceeds size, the created object of a derived class of 
Fl_RGB_Image 
+   won't be loaded with the image data.
+   This does not apply to direct RGB image creation with 
+   Fl_RGB_Image::Fl_RGB_Image(const uchar *bits, int W, int H, int D, int LD).
+   The default max_size() value is essentially infinite. 
+   */
+  static void max_size(size_t size) { max_size_ = size;}
+  /** Returns the maximum allowed image size in bytes when creating an 
Fl_RGB_Image object.
+   
+   \sa  void Fl_RGB_Image::max_size(size_t)
+   */
+  static size_t max_size() {return max_size_;}
 };
 
 #endif // !Fl_Image_H
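Review bot: The doc comment on max_size(size_t) should state that the limit is opt-in and process-wide. The default is described as essentially infinite and `max_size_` is a plain static written without any synchronization, so a program that opens image files it does not control gets no protection until it calls the setter, presumably once at startup before any loader runs. The text "won't be loaded with the image data" also does not tell a caller how to detect a rejected image, for instance what w(), h() and array hold afterwards. Suggested addition to the comment: `Applications that load untrusted image files should call this early with a limit matched to their memory budget; the value is shared by all Fl_RGB_Image loaders and all threads.`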

Modified: branches/branch-1.3/src/Fl_BMP_Image.cxx
===================================================================
--- branches/branch-1.3/src/Fl_BMP_Image.cxx    2012-11-06 22:29:02 UTC (rev 
9708)
+++ branches/branch-1.3/src/Fl_BMP_Image.cxx    2012-11-09 16:02:08 UTC (rev 
9709)
@@ -27,6 +27,7 @@
 
 #include <FL/Fl_BMP_Image.H>
 #include <FL/fl_utf8.h>
+#include <FL/Fl.H>
 #include <config.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -187,6 +188,11 @@
   d(bDepth);
   if (offbits) fseek(fp, offbits, SEEK_SET);
 
+  if (((size_t)w()) * h() * d() > max_size() ) {
+    Fl::warning("BMP file \"%s\" is too large!\n", bmp);
+    fclose(fp);
+    return;
+  }
   array = new uchar[w() * h() * d()];
   alloc_array = 1;
 
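Review bot: The allocation directly after the new guard still computes `w() * h() * d()` in int, so the guard and the `new uchar[...]` can disagree. With the default max_size() of `~((size_t)0)` the size_t comparison can never be true, so dimensions whose int product overflows still reach the allocation unchecked. Computing the byte count once and reusing it closes the gap: `size_t bytes = (size_t)w() * h() * d();`, then `if (bytes > max_size()) {` and `array = new uchar[bytes];`. Where size_t is 32 bits the size_t product can itself wrap, so a division-based comparison would be more robust there. The same guard-then-int-allocation pattern appears in both Fl_JPEG_Image.cxx size checks, in Fl_PNG_Image.cxx and in Fl_PNM_Image.cxx; the enclosing function starts and ends outside this hunk.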

Modified: branches/branch-1.3/src/Fl_Image.cxx
===================================================================
--- branches/branch-1.3/src/Fl_Image.cxx        2012-11-06 22:29:02 UTC (rev 
9708)
+++ branches/branch-1.3/src/Fl_Image.cxx        2012-11-09 16:02:08 UTC (rev 
9709)
@@ -163,6 +163,8 @@
 //
 // RGB image class...
 //
+size_t Fl_RGB_Image::max_size_ = ~((size_t)0);
+
 /**  The destructor free all memory and server resources that are used by  the 
image. */
 Fl_RGB_Image::~Fl_RGB_Image() {
   uncache();

Modified: branches/branch-1.3/src/Fl_JPEG_Image.cxx
===================================================================
--- branches/branch-1.3/src/Fl_JPEG_Image.cxx   2012-11-06 22:29:02 UTC (rev 
9708)
+++ branches/branch-1.3/src/Fl_JPEG_Image.cxx   2012-11-09 16:02:08 UTC (rev 
9709)
@@ -28,6 +28,7 @@
 #include <FL/Fl_JPEG_Image.H>
 #include <FL/Fl_Shared_Image.H>
 #include <FL/fl_utf8.h>
+#include <FL/Fl.H>
 #include <config.h>
 #include <stdio.h>
 #include <stdlib.h>
@@ -126,6 +127,7 @@
   if (setjmp(jerr.errhand_))
   {
     // JPEG error handling...
+    Fl::warning("JPEG file \"%s\" is too large or contains errors!\n", 
filename);
     // if any of the cleanup routines hits another error, we would end up 
     // in a loop. So instead, we decrement max_err for some upper cleanup 
limit.
     if ( ((*max_finish_decompress_err)-- > 0) && array)
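Review bot: The warning added in this handler cannot distinguish a max_size() rejection from a decode error, because the size check added further down reaches the same handler through longjmp. Anyone reading logs to separate policy rejections from malformed input would benefit from a distinct message, for example by recording the reason before the jump and printing `"JPEG file \"%s\" exceeds Fl_RGB_Image::max_size()\n"` in that case. The in-memory JPEG handler and the reworded PNG warning have the same ambiguity. The handler body continues outside this hunk.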
@@ -166,6 +168,7 @@
   h(dinfo.output_height);
   d(dinfo.output_components);
   
+  if (((size_t)w()) * h() * d() > max_size() ) longjmp(jerr.errhand_, 1);
   array = new uchar[w() * h() * d()];
   alloc_array = 1;
   
@@ -304,6 +307,7 @@
   if (setjmp(jerr.errhand_))
   {
     // JPEG error handling...
+    Fl::warning("JPEG data is too large or contains errors!\n");
     // if any of the cleanup routines hits another error, we would end up 
     // in a loop. So instead, we decrement max_err for some upper cleanup 
limit.
     if ( ((*max_finish_decompress_err)-- > 0) && array)
@@ -342,6 +346,7 @@
   h(dinfo.output_height);
   d(dinfo.output_components);
   
+  if (((size_t)w()) * h() * d() > max_size() ) longjmp(jerr.errhand_, 1);
   array = new uchar[w() * h() * d()];
   alloc_array = 1;
   

Modified: branches/branch-1.3/src/Fl_PNG_Image.cxx
===================================================================
--- branches/branch-1.3/src/Fl_PNG_Image.cxx    2012-11-06 22:29:02 UTC (rev 
9708)
+++ branches/branch-1.3/src/Fl_PNG_Image.cxx    2012-11-09 16:02:08 UTC (rev 
9709)
@@ -130,7 +130,7 @@
   {
     png_destroy_read_struct(&pp, &info, NULL);
     if (!from_memory) fclose(fp);
-    Fl::warning("PNG file or data \"%s\" contains errors!\n", name_png);
+    Fl::warning("PNG file or data \"%s\" is too large or contains errors!\n", 
name_png);
     return;
   }
 
@@ -178,6 +178,7 @@
     png_set_tRNS_to_alpha(pp);
 #  endif // HAVE_PNG_GET_VALID && HAVE_PNG_SET_TRNS_TO_ALPHA
 
+  if (((size_t)w()) * h() * d() > max_size() ) longjmp(png_jmpbuf(pp), 1);
   array = new uchar[w() * h() * d()];
   alloc_array = 1;
 

Modified: branches/branch-1.3/src/Fl_PNM_Image.cxx
===================================================================
--- branches/branch-1.3/src/Fl_PNM_Image.cxx    2012-11-06 22:29:02 UTC (rev 
9708)
+++ branches/branch-1.3/src/Fl_PNM_Image.cxx    2012-11-09 16:02:08 UTC (rev 
9709)
@@ -119,6 +119,11 @@
 
 //  printf("%s = %dx%dx%d\n", name, w(), h(), d());
 
+  if (((size_t)w()) * h() * d() > max_size() ) {
+    Fl::warning("PNM file \"%s\" is too large!\n", name);
+    fclose(fp);
+    return;
+  }
   array       = new uchar[w() * h() * d()];
   alloc_array = 1;
 
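Review bot: The early return on the oversized path leaves w(), h() and d() at the values the check has just read, and nothing in the hunk marks the object as failed. If array is still null at this point (its earlier state is not visible here), code that sizes buffers or drawing from w() and h() would see dimensions with no pixel data behind them. Resetting them before the return, e.g. `w(0); h(0); d(0);`, would make the rejected state unambiguous. The BMP early return has the same shape, and the enclosing function starts and ends outside this hunk.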
