From cc385f5292669738e105a689ae3df700c87c4a78 Mon Sep 17 00:00:00 2001 From: Klaus Schmidinger Date: Sat, 17 Feb 2007 16:10:46 +0100 Subject: Fixed a possible crash when loading an invalid XPM file --- CONTRIBUTORS | 1 + HISTORY | 3 ++- osd.c | 22 +++++++++++++++------- 3 files changed, 18 insertions(+), 8 deletions(-) diff --git a/CONTRIBUTORS b/CONTRIBUTORS index fc4a42e5..44aab9ac 100644 --- a/CONTRIBUTORS +++ b/CONTRIBUTORS @@ -1696,6 +1696,7 @@ Henrik Niehaus Martin Wache for adding a sleep in cDvbPlayer::Action() in case there is no data to send to the device, which avoids a busy loop on very fast machines + for fixing a possible crash when loading an invalid XPM file Matthias Lenk for reporting an out-of-bounds memory access with audio language ids diff --git a/HISTORY b/HISTORY index 51f94c83..fc9d6bb8 100644 --- a/HISTORY +++ b/HISTORY @@ -5091,9 +5091,10 @@ Video Disk Recorder Revision History with open file handles when starting background commands (thanks to Reinhard Nissl). -2007-02-03: Version 1.4.5-2 +2007-02-17: Version 1.4.5-2 - Removed 'assert(0)' from cDvbSpuDecoder::setTime() (thanks to Marco Schlüßler). +- Fixed a possible crash when loading an invalid XPM file (thanks to Martin Wache). 2007-02-03: Version 1.5.1 diff --git a/osd.c b/osd.c index cf16fe63..c8fde293 100644 --- a/osd.c +++ b/osd.c @@ -4,7 +4,7 @@ * See the main source file 'vdr.c' for copyright information and * how to reach the author. * - * $Id: osd.c 1.67 2006/02/26 14:31:31 kls Exp $ + * $Id: osd.c 1.68 2007/02/17 16:05:52 kls Exp $ */ #include "osd.h" @@ -218,14 +218,17 @@ bool cBitmap::LoadXpm(const char *FileName) int w, h, n, c; if (4 != sscanf(s, "%d %d %d %d", &w, &h, &n, &c)) { esyslog("ERROR: faulty 'values' line in XPM file '%s'", FileName); + isXpm = false; break; } lines = h + n + 1; Xpm = MALLOC(char *, lines); + memset(Xpm, 0, lines * sizeof(char*)); } char *q = strchr(s, '"'); if (!q) { esyslog("ERROR: missing quotes in XPM file '%s'", FileName); + isXpm = false; break; } *q = 0; @@ -233,16 +236,21 @@ bool cBitmap::LoadXpm(const char *FileName) Xpm[index++] = strdup(s); else { esyslog("ERROR: too many lines in XPM file '%s'", FileName); + isXpm = false; break; } } } - if (index == lines) - Result = SetXpm(Xpm); - else - esyslog("ERROR: too few lines in XPM file '%s'", FileName); - for (int i = 0; i < index; i++) - free(Xpm[i]); + if (isXpm) { + if (index == lines) + Result = SetXpm(Xpm); + else + esyslog("ERROR: too few lines in XPM file '%s'", FileName); + } + if (Xpm) { + for (int i = 0; i < index; i++) + free(Xpm[i]); + } free(Xpm); fclose(f); } -- cgit v1.2.3