From 0a44c9a5ca214b7ad015d9be3ec53d1ebea4178d Mon Sep 17 00:00:00 2001
From: Ivan Baravy <dunkaist@gmail.com>
Date: Thu, 14 Nov 2013 11:12:21 +0000
Subject: [PATCH] libimg: check raw pnm payload size (broken files)

git-svn-id: svn://kolibrios.org@4229 a494cfbc-eb01-0410-851d-a64ba20cac60
---
 .../libraries/libs-dev/libimg/pnm/pnm.asm       | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/programs/develop/libraries/libs-dev/libimg/pnm/pnm.asm b/programs/develop/libraries/libs-dev/libimg/pnm/pnm.asm
index af4fd88d0b..a3db163b48 100644
--- a/programs/develop/libraries/libs-dev/libimg/pnm/pnm.asm
+++ b/programs/develop/libraries/libs-dev/libimg/pnm/pnm.asm
@@ -158,6 +158,18 @@ endl
 
   .header_parsed:
 
+        cmp     [data_type], PNM_RAW
+        jne     @f
+        mov     ecx, [width]
+        imul    ecx, [height]
+        lea     eax, [ecx*3]
+        mov     edx, [_data]
+        add     edx, [_length]
+        sub     edx, esi
+        cmp     eax, edx
+        ja      .error
+    @@:
+
 	mov	eax, [pnm_type]
 	cmp	eax, PNM_PBM
 	je	.pbm
@@ -172,6 +184,11 @@ include	'pbm.asm'
 include	'pgm.asm'
 include	'ppm.asm'
 
+  .error:
+        popa
+        xor     eax, eax
+        ret
+
   .quit:
 	popa
 	mov	eax, [retvalue]