167ea1f4f0
* Partial #818, unused arg * Partial #818, init var * partail #818, fix va_args usage * partail #818, handle f* calls and avoid possible call to malloc with negative values * partail #818, prevent double free * partail #818, resource leak if test fail * partail #818, null deref fix * partail #818, avoid double free on fp failure * Partial #818, fix error msg * Partial #818, leak on error * Partial #818, null deref * Partial #818, avoid possible negative index on failure * partial #818, does not free if we return if requested new size overflow * partial #818, avoid double free, free where the alloc happened
62 lines
1.1 KiB
C
62 lines
1.1 KiB
C
/**
|
|
* Test that crafted TGA files don't trigger OOB reads.
|
|
*/
|
|
|
|
|
|
#include "gd.h"
|
|
#include "gdtest.h"
|
|
|
|
|
|
static void check_file(char *basename);
|
|
static size_t read_test_file(char **buffer, char *basename);
|
|
|
|
|
|
int main()
|
|
{
|
|
check_file("heap_overflow_1.tga");
|
|
check_file("heap_overflow_2.tga");
|
|
|
|
return gdNumFailures();
|
|
}
|
|
|
|
|
|
static void check_file(char *basename)
|
|
{
|
|
gdImagePtr im;
|
|
char *buffer;
|
|
size_t size;
|
|
|
|
size = read_test_file(&buffer, basename);
|
|
im = gdImageCreateFromTgaPtr(size, (void *) buffer);
|
|
if (!gdTestAssert(im == NULL)) {
|
|
gdImageDestroy(im);
|
|
}
|
|
free(buffer);
|
|
}
|
|
|
|
|
|
static size_t read_test_file(char **buffer, char *basename)
|
|
{
|
|
char *filename;
|
|
FILE *fp;
|
|
size_t exp_size, act_size;
|
|
|
|
filename = gdTestFilePath2("tga", basename);
|
|
fp = fopen(filename, "rb");
|
|
gdTestAssert(fp != NULL);
|
|
|
|
fseek(fp, 0, SEEK_END);
|
|
exp_size = ftell(fp);
|
|
fseek(fp, 0, SEEK_SET);
|
|
|
|
*buffer = malloc(exp_size);
|
|
gdTestAssert(*buffer != NULL);
|
|
act_size = fread(*buffer, sizeof(**buffer), exp_size, fp);
|
|
gdTestAssert(act_size == exp_size);
|
|
|
|
fclose(fp);
|
|
free(filename);
|
|
|
|
return act_size;
|
|
}
|