Merge pull request #1358 from emersion/xcursor-heap

xcursor: Fix heap overflows when parsing malicious files

1 files changed, 9 insertions, 1 deletions

diff --git a/xcursor/xcursor.c b/xcursor/xcursor.c
index 32711105..6690da1a 100644
--- a/xcursor/xcursor.c
+++ b/xcursor/xcursor.c
@@ -203,6 +203,11 @@ XcursorImageCreate (int width, int height)
 {
     XcursorImage    *image;
 
+    if (width < 0 || height < 0)
+       return NULL;
+    if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
+       return NULL;
+
     image = malloc (sizeof (XcursorImage) +
 		    width * height * sizeof (XcursorPixel));
     if (!image)
@@ -483,7 +488,8 @@ _XcursorReadImage (XcursorFile		*file,
     if (!_XcursorReadUInt (file, &head.delay))
 	return NULL;
     /* sanity check data */
-    if (head.width >= 0x10000 || head.height > 0x10000)
+    if (head.width > XCURSOR_IMAGE_MAX_SIZE  ||
+	head.height > XCURSOR_IMAGE_MAX_SIZE)
 	return NULL;
     if (head.width == 0 || head.height == 0)
 	return NULL;
@@ -877,9 +883,11 @@ load_all_cursors_from_dir(const char *path, int size,
 		return;
 
 	for(ent = readdir(dir); ent; ent = readdir(dir)) {
+#ifdef _DIRENT_HAVE_D_TYPE
 		if (ent->d_type != DT_UNKNOWN &&
 		    (ent->d_type != DT_REG && ent->d_type != DT_LNK))
 			continue;
+#endif
 
 		full = _XcursorBuildFullname(path, "", ent->d_name);
 		if (!full)