Bug 506207 - Check the return value of fread to make sure the readed data is valid; r,a=joe
authorJeff Muizelaar <jmuizelaar@mozilla.com>
Mon, 28 Feb 2011 13:01:05 -0800
changeset 63175 a9c54c0e838169e9953de715b18afcb00777f0fa
parent 63174 96b0a0ff62661af3b61f3c23454f40e5a585ccbb
child 63176 587ce1b7cfc67dae746a1d81d0df89b2e4f4f5b5
push id19059
push usereakhgari@mozilla.com
push dateMon, 28 Feb 2011 21:16:17 +0000
treeherdermozilla-central@f787a4548826 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjoe
bugs506207
milestone2.0b13pre
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 506207 - Check the return value of fread to make sure the readed data is valid; r,a=joe
gfx/qcms/iccread.c
--- a/gfx/qcms/iccread.c
+++ b/gfx/qcms/iccread.c
@@ -781,19 +781,21 @@ void qcms_profile_release(qcms_profile *
 qcms_profile* qcms_profile_from_file(FILE *file)
 {
 	uint32_t length, remaining_length;
 	qcms_profile *profile;
 	size_t read_length;
 	be32 length_be;
 	void *data;
 
-	fread(&length_be, sizeof(length), 1, file);
+	if (fread(&length_be, 1, sizeof(length_be), file) != sizeof(length_be))
+		return BAD_VALUE_PROFILE;
+
 	length = be32_to_cpu(length_be);
-	if (length > MAX_PROFILE_SIZE)
+	if (length > MAX_PROFILE_SIZE || length < sizeof(length_be))
 		return BAD_VALUE_PROFILE;
 
 	/* allocate room for the entire profile */
 	data = malloc(length);
 	if (!data)
 		return NO_MEM_PROFILE;
 
 	/* copy in length to the front so that the buffer will contain the entire profile */