From 1057df5c1e13fdcbe656eb02bc6466d211d26c7e Mon Sep 17 00:00:00 2001
From: "Tobias S. Josefowitz" <tobij@tobij.de>
Date: Sat, 17 Apr 2021 12:13:36 +0200
Subject: [PATCH] Image.X: Improved size checks better detect malformed Images

Thanks to Cezary Cerekwicki <ccerekwicki@opera.com> for the report.
---
 src/modules/Image/encodings/x.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/modules/Image/encodings/x.c b/src/modules/Image/encodings/x.c
index 1112c2ef35..228e912c28 100644
--- a/src/modules/Image/encodings/x.c
+++ b/src/modules/Image/encodings/x.c
@@ -857,13 +857,20 @@ static void image_x_decode_truecolor(INT32 args)
 	    gpos=Bpp-1-gpos,
 	    bpos=Bpp-1-bpos;
 
+      n=width*height;
+
+      if (n && ((rpos < 0 || gpos < 0 || bpos < 0) ||
+          !((size_t)rpos < len && (size_t)gpos < len && (size_t)bpos < len)))
+      {
+         Pike_error("Image.X.decode_trucolor: Malformed X image data\n");
+      }
+
       push_int(width);
       push_int(height);
       o=clone_object(image_program,2);
       img=(struct image*)get_storage(o,image_program);
 
       d=img->img;
-      n=width*height;
 
       if (nct)
 	 while (n--)
-- 
GitLab