Fix integer overflows in the xpm loader

2 files changed, 10 insertions, 2 deletions

diff --git a/gdk-pixbuf/ChangeLog b/gdk-pixbuf/ChangeLog
index 16df5ead2c..d6dc0421d5 100644
--- a/gdk-pixbuf/ChangeLog
+++ b/gdk-pixbuf/ChangeLog
@@ -1,3 +1,8 @@
+2005-11-15  Matthias Clasen  <mclasen@redhat.com>
+
+	* io-xpm.c: Fix several integer overflows which have been
+	reported as CVE-2005-3186 and CVE-2005-2975.
+
 2005-10-12  Matthias Clasen  <mclasen@redhat.com>
 
 	* gdk-pixbuf-loader.c (gdk_pixbuf_loader_write): Only call
diff --git a/gdk-pixbuf/io-xpm.c b/gdk-pixbuf/io-xpm.c
index 750307005d..7f020cd964 100644
--- a/gdk-pixbuf/io-xpm.c
+++ b/gdk-pixbuf/io-xpm.c
@@ -405,7 +405,8 @@ file_buffer (enum buf_op op, gpointer handle)
 		/* Fall through to the xpm_read_string. */
 
 	case op_body:
-		xpm_read_string (h->infile, &h->buffer, &h->buffer_size);
+		if(!xpm_read_string (h->infile, &h->buffer, &h->buffer_size))
+			return NULL;
 		return h->buffer;
 
 	default:
@@ -500,7 +501,9 @@ pixbuf_create_from_xpm (const gchar * (*get_buf) (enum buf_op op, gpointer handl
                              _("XPM has invalid number of chars per pixel"));
 		return NULL;
 	}
-	if (n_col <= 0 || n_col >= G_MAXINT / (cpp + 1)) {
+	if (n_col <= 0 || 
+	    n_col >= G_MAXINT / (cpp + 1) || 
+	    n_col >= G_MAXINT / sizeof (XPMColor)) {
                 g_set_error (error,
                              GDK_PIXBUF_ERROR,
                              GDK_PIXBUF_ERROR_CORRUPT_IMAGE,