From 1ca27f1c43f2b35afdf959ab86e105e0f99ec76d Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann
Date: Tue, 28 Nov 2017 21:38:07 +0100
Subject: [PATCH] Fix heap overflows when parsing malicious files.

It is possible to trigger heap overflows due to an integer overflow while parsing images. The integer overflow occurs because the chosen limit 0x10000 for dimensions is too large for 32 bit systems, because each pixel takes 4 bytes. Properly chosen values allow an overflow which in turn will lead to less allocated memory than needed for subsequent reads.

Signed-off-by: Tobias Stoeckmann
---
 cursor/xcursor.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/cursor/xcursor.c b/cursor/xcursor.c
index ca41c4a..689c702 100644
--- a/cursor/xcursor.c
+++ b/cursor/xcursor.c
@@ -202,6 +202,11 @@ XcursorImageCreate (int width, int height)
 {
 XcursorImage *image;

+ if (width < 0 || height < 0)
+ return NULL;
+ if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
+ return NULL;
+
 image = malloc (sizeof (XcursorImage) +
 width * height * sizeof (XcursorPixel));
 if (!image)
@@ -482,7 +487,8 @@ _XcursorReadImage (XcursorFile *file,
 if (!_XcursorReadUInt (file, &head.delay))
 return NULL;
 /* sanity check data */
- if (head.width >= 0x10000 || head.height > 0x10000)
+ if (head.width > XCURSOR_IMAGE_MAX_SIZE ||
+ head.height > XCURSOR_IMAGE_MAX_SIZE)
 return NULL;
 if (head.width == 0 || head.height == 0)
 return NULL;
-- 
2.15.0
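Review bot: The new upper-bound check in XcursorImageCreate only closes the overflow in `width * height * sizeof (XcursorPixel)` if XCURSOR_IMAGE_MAX_SIZE — which this patch does not define, so it presumably comes from the public header — is small enough that the product still fits a 32-bit size_t, and nothing at the check records that dependency; note also that `width * height` is still evaluated as a signed int product before the widening to size_t, so the margin depends entirely on the macro's value, which I cannot confirm from this hunk. I would document the invariant above the check, `/* XCURSOR_IMAGE_MAX_SIZE must keep width * height * sizeof (XcursorPixel) below SIZE_MAX on 32-bit hosts; _XcursorReadImage relies on the same bound */`, and make the widening explicit so the product cannot overflow as int even if the bound is later raised: `image = malloc (sizeof (XcursorImage) + (size_t) width * height * sizeof (XcursorPixel));`. The second hunk applies the same bound in _XcursorReadImage to head.width/head.height read from the file, and keeps the existing `== 0` rejection after it, so the two checks now agree, but the same undocumented dependency on the macro's value applies there. Both hunks sit inside functions whose bodies continue outside the hunk.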