From bd67f64d35b980395d97bcc31cdd05f22494f75a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Henrik=20Grubbstr=C3=B6m=20=28Grubba=29?=
 <grubba@grubba.org>
Date: Wed, 11 Oct 2017 11:03:36 +0200
Subject: [PATCH] Image.Image: Improved argument checking in apply_curve().

Non-integer array values lead to use of uninitialized curve values.

Fixes [CID 1400857].
---
 src/modules/Image/image.c | 47 ++++++++++++++++++++++++++-------------
 1 file changed, 32 insertions(+), 15 deletions(-)

diff --git a/src/modules/Image/image.c b/src/modules/Image/image.c
index df65943b8d..f642620858 100644
--- a/src/modules/Image/image.c
+++ b/src/modules/Image/image.c
@@ -4098,12 +4098,17 @@ static void image_apply_curve( INT32 args )
          if( TYPEOF(sp[-args+i]) != T_ARRAY ||
              sp[-args+i].u.array->size != 256 )
            bad_arg_error("apply_curve",
-                         sp-args, args, 0, "", sp-args,
-                         "Bad arguments to apply_curve.\n");
+                         sp-args, args, i+1, "array(int(8bit))", sp-args,
+                         "Bad argument to apply_curve.\n");
          else
-           for( j = 0; j<256; j++ )
-             if( TYPEOF(sp[-args+i].u.array->item[j]) == T_INT )
-               curve[i][j]=MINIMUM(sp[-args+i].u.array->item[j].u.integer,255);
+           for( j = 0; j<256; j++ ) {
+             if( TYPEOF(sp[-args+i].u.array->item[j]) != T_INT ) {
+	       bad_arg_error("apply_curve",
+			     sp-args, args, i+1, "array(int(8bit))", sp-args,
+			     "Bad argument to apply_curve.\n");
+	     }
+	     curve[i][j]=MINIMUM(sp[-args+i].u.array->item[j].u.integer,255);
+	   }
        pop_n_elems( args );
        image_apply_curve_3( curve );
        return;
@@ -4118,11 +4123,18 @@ static void image_apply_curve( INT32 args )
 	 SIMPLE_BAD_ARG_ERROR("apply_curve", 1, "string");
        if( TYPEOF(sp[-args+1]) != T_ARRAY ||
            sp[-args+1].u.array->size != 256 )
-	 SIMPLE_BAD_ARG_ERROR("apply_curve", 2, "256 element array");
-
-       for( j = 0; j<256; j++ )
-	 if( TYPEOF(sp[-args+1].u.array->item[j]) == T_INT )
-	   curve[j] = MINIMUM(sp[-args+1].u.array->item[j].u.integer,255);
+	 bad_arg_error("apply_curve",
+		       sp-args, args, 2, "array(int(8bit))", sp-args,
+		       "Bad argument to apply_curve.\n");
+
+       for( j = 0; j<256; j++ ) {
+	 if( TYPEOF(sp[-args+1].u.array->item[j]) != T_INT ) {
+	   bad_arg_error("apply_curve",
+			 sp-args, args, 2, "array(int(8bit))", sp-args,
+			 "Bad argument to apply_curve.\n");
+	 }
+	 curve[j] = MINIMUM(sp[-args+1].u.array->item[j].u.integer,255);
+       }
 
        MAKE_CONST_STRING(s_red,"red");
        MAKE_CONST_STRING(s_green,"green");
@@ -4194,12 +4206,17 @@ static void image_apply_curve( INT32 args )
        if( TYPEOF(sp[-args]) != T_ARRAY ||
            sp[-args].u.array->size != 256 )
          bad_arg_error("apply_curve",
-                       sp-args, args, 0, "", sp-args,
-                       "Bad arguments to apply_curve.\n" );
+                       sp-args, args, 0, "array(int(8bit))", sp-args,
+                       "Bad argument to apply_curve.\n" );
        else
-         for( j = 0; j<256; j++ )
-           if( TYPEOF(sp[-args].u.array->item[j]) == T_INT )
-             curve[j] = MINIMUM(sp[-args].u.array->item[j].u.integer,255);
+         for( j = 0; j<256; j++ ) {
+           if(TYPEOF(sp[-args].u.array->item[j]) != T_INT) {
+	     bad_arg_error("apply_curve",
+			   sp-args, args, 0, "array(int(8bit))", sp-args,
+			   "Bad argument to apply_curve.\n");
+	   }
+	   curve[j] = MINIMUM(sp[-args].u.array->item[j].u.integer,255);
+	 }
        pop_n_elems( args );
        image_apply_curve_1( curve );
        return;
-- 
GitLab