Merge pull request #48 from lordnn/master

Fixed some vulnerabilities.

Author: agruzdev

Source/Plugins/PluginPNG.cpp

@@ -769,7 +769,6 @@ Load(FreeImageIO *io, fi_handle handle, int page, int flags, void *data) {
 
 static FIBOOL DLL_CALLCONV
 Save(FreeImageIO *io, FIBITMAP *dib, fi_handle handle, int page, int flags, void *data) {
-	png_colorp palette{};
 	png_uint_32 width, height;
 	FIBOOL has_alpha_channel = FALSE;
 
@@ -808,6 +807,8 @@ Save(FreeImageIO *io, FIBITMAP *dib, fi_handle handle, int page, int flags, void
 				return FALSE;
 			}
 
+            std::unique_ptr<png_color, std::function<void(png_colorp)>> safePalette(nullptr, [&png_ptr](png_colorp p){ png_free(png_ptr.get(), p); });
+
 			// init the IO
 
 			png_set_write_fn(png_ptr.get(), &fio, _WriteProc, _FlushProc);
@@ -897,7 +898,8 @@ Save(FreeImageIO *io, FIBITMAP *dib, fi_handle handle, int page, int flags, void
 					// set the palette
 
 					palette_entries = 1 << bit_depth;
-					palette = (png_colorp)png_malloc(png_ptr.get(), palette_entries * sizeof (png_color));
+					safePalette.reset(static_cast<png_colorp>(png_malloc(png_ptr.get(), palette_entries * sizeof (png_color))));
+					auto palette = safePalette.get();
 					pal = FreeImage_GetPalette(dib);
 
 					for (int i = 0; i < palette_entries; i++) {
@@ -1029,11 +1031,6 @@ Save(FreeImageIO *io, FIBITMAP *dib, fi_handle handle, int page, int flags, void
 
 			png_write_end(png_ptr.get(), info_ptr.get());
 
-			// clean up after the write, and free any memory allocated
-			if (palette) {
-				png_free(png_ptr.get(), palette);
-			}
-
 			return TRUE;
 
 		} catch (const char *text) {

Source/Plugins/PluginRAS.cpp

@@ -199,8 +199,7 @@ Load(FreeImageIO *io, fi_handle handle, int page, int flags, void *data) {
 	FIBOOL isRGB;			// TRUE if file type is RT_FORMAT_RGB
 	uint8_t fillchar;
 
-	FIBITMAP *dib{};
-	uint8_t *bits;			// Pointer to dib data
+	uint8_t *bits{};			// Pointer to dib data
 	uint16_t x, y;
 
 	if (!handle) {
@@ -232,6 +231,9 @@ Load(FreeImageIO *io, fi_handle handle, int page, int flags, void *data) {
 		if (header.magic != RAS_MAGIC) {
 			throw FI_MSG_ERROR_MAGIC_NUMBER;
 		}
+		if (header.width > 65500 || header.height > 65500) {
+			throw FI_MSG_ERROR_DIB_MEMORY;
+		}
 
 		// Allocate a new DIB
 		std::unique_ptr<FIBITMAP, decltype(&FreeImage_Unload)> dib(nullptr, &FreeImage_Unload);
@@ -353,7 +355,7 @@ Load(FreeImageIO *io, fi_handle handle, int page, int flags, void *data) {
 		// Each row is multiple of 16 bits (2 bytes).
 
 		if (header.depth == 1) {
-			linelength = (uint16_t)((header.width / 8) + (header.width % 8 ? 1 : 0));
+			linelength = (uint16_t)((header.width + 7) / 8);
 		} else {
 			linelength = (uint16_t)header.width;
 		}

Source/Plugins/PluginWebP.cpp

@@ -175,7 +175,7 @@ Open(FreeImageIO *io, fi_handle handle, FIBOOL read) {
 		// create the MUX object
 		mux = WebPMuxCreate(&bitstream, copy_data);
 		// no longer needed since copy_data == 1
-		free((void*)bitstream.bytes);
+		delete[] bitstream.bytes;
 		if (!mux) {
 			FreeImage_OutputMessageProc(s_format_id, "Failed to create mux object from file");
 		}

Source/Plugins/PluginXBM.cpp

@@ -56,7 +56,7 @@ readLine(char *str, int n, FreeImageIO *io, fi_handle handle) {
 	do {
 		count = io->read_proc(&c, 1, 1, handle);
 		str[i++] = c;
-	} while ((c != '\n') && (i < n));
+	} while ((c != '\n') && (i < n - 1));
 	if (count <= 0)
 		return nullptr;
 	str[i] = '\0';
@@ -88,34 +88,31 @@ Read an XBM file into a buffer
 static const char* 
 readXBMFile(FreeImageIO *io, fi_handle handle, int *widthP, int *heightP, std::unique_ptr<void, decltype(&free)> &dataP) {
 	char line[MAX_LINE], name_and_type[MAX_LINE];
-	char* ptr;
-	char* t;
+    char *ptr{};
+    char *t{};
 	int version = 0;
 	size_t bytes, bytes_per_line, raster_length;
 	int v, padding;
 	int c1, c2, value1, value2;
 	int hex_table[256];
-	FIBOOL found_declaration;
+    bool found_declaration{}; // haven't found it yet; haven't even looked
 	/* in scanning through the bitmap file, we have found the first
 	 line of the C declaration of the array (the "static char ..."
 	 or whatever line)
 	 */
-	FIBOOL eof;	// we've encountered end of file while searching file
+    bool eof{};	// we've encountered end of file while searching file
 
 	*widthP = *heightP = -1;
 
-	found_declaration = FALSE;    // haven't found it yet; haven't even looked
-	eof = FALSE;                  // haven't encountered end of file yet 
-	
 	while (!found_declaration && !eof) {
 
 		if (!readLine(line, MAX_LINE, io, handle)) {
-			eof = TRUE;
+			eof = true;
 		}
 		else {
 			if (strlen(line) == MAX_LINE - 1)
 				return( ERR_XBM_LINE );
-			if (sscanf(line, "#define %s %d", name_and_type, &v) == 2) {
+			if (sscanf_s(line, "#define %s %d", name_and_type, MAX_LINE, &v) == 2) {
 				if ((t = strrchr(name_and_type, '_')) == nullptr)
 					t = name_and_type;
 				else
@@ -127,17 +124,17 @@ readXBMFile(FreeImageIO *io, fi_handle handle, int *widthP, int *heightP, std::u
 				continue;
 			}
 
-			if (sscanf(line, "static short %s = {", name_and_type) == 1) {
+			if (sscanf_s(line, "static short %s = {", name_and_type, MAX_LINE) == 1) {
 				version = 10;
-				found_declaration = TRUE;
+				found_declaration = true;
 			}
-			else if (sscanf( line, "static char %s = {", name_and_type ) == 1) {
+			else if (sscanf_s(line, "static char %s = {", name_and_type, MAX_LINE) == 1) {
 				version = 11;
-				found_declaration = TRUE;
+				found_declaration = true;
 			}
-			else if (sscanf(line, "static unsigned char %s = {", name_and_type ) == 1) {
+			else if (sscanf_s(line, "static unsigned char %s = {", name_and_type, MAX_LINE) == 1) {
 				version = 11;
-				found_declaration = TRUE;
+				found_declaration = true;
 			}
 		}
 	}
@@ -292,7 +289,7 @@ MimeType() {
 static FIBOOL DLL_CALLCONV
 Validate(FreeImageIO *io, fi_handle handle) {
 	char magic[8];
-	if (readLine(magic, 7, io, handle)) {
+	if (readLine(magic, 8, io, handle)) {
 		if (strcmp(magic, "#define") == 0)
 			return TRUE;
 	}