From a441ff967a2fc53e051c59d60bb5230940d75e49 Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk@fabiankeil.de>
Date: Tue, 2 Dec 2014 15:08:04 +0100
Subject: [PATCH 01/18] Prevent division-by-zero crashes

---
 src/modules/loaders/loader_pnm.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/modules/loaders/loader_pnm.c b/src/modules/loaders/loader_pnm.c
index 173e127..daf67df 100644
--- a/src/modules/loaders/loader_pnm.c
+++ b/src/modules/loaders/loader_pnm.c
@@ -229,7 +229,7 @@ load(ImlibImage * im, ImlibProgressFunction progress,
                          }
                     }
                   iptr = idata;
-                  if (v == 255)
+                  if (v == 0 || v == 255)
                     {
                        for (x = 0; x < w; x++)
                          {
@@ -303,7 +303,7 @@ load(ImlibImage * im, ImlibProgressFunction progress,
                          }
                     }
                   iptr = idata;
-                  if (v == 255)
+                  if (v == 0 || v == 255)
                     {
                        for (x = 0; x < w; x++)
                          {
@@ -376,7 +376,7 @@ load(ImlibImage * im, ImlibProgressFunction progress,
                      break;
 
                   ptr = data;
-                  if (v == 255)
+                  if (v == 0 || v == 255)
                     {
                        for (x = 0; x < w; x++)
                          {
@@ -418,7 +418,7 @@ load(ImlibImage * im, ImlibProgressFunction progress,
                      break;
 
                   ptr = data;
-                  if (v == 255)
+                  if (v == 0 || v == 255)
                     {
                        for (x = 0; x < w; x++)
                          {
@@ -493,7 +493,7 @@ load(ImlibImage * im, ImlibProgressFunction progress,
                      break;
 
                   ptr = data;
-                  if (v == 255)
+                  if (v == 0 || v == 255)
                     {
                        for (x = 0; x < w; x++)
                          {
-- 
2.1.2


From 6aa10fa9d83c5326b734509e38393f7761665cf2 Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk@fabiankeil.de>
Date: Tue, 2 Dec 2014 15:40:25 +0100
Subject: [PATCH 02/18] imlib_conv: Use proper buffer size to prevent invalid
 write of size one

---
 src/bin/imlib2_conv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/bin/imlib2_conv.c b/src/bin/imlib2_conv.c
index 1b05b1f..9491061 100644
--- a/src/bin/imlib2_conv.c
+++ b/src/bin/imlib2_conv.c
@@ -57,7 +57,7 @@ main(int argc, char **argv)
              char               *p, *q;
 
              /* max length of 8 for format name. seems reasonable. */
-             q = p = malloc(8);
+             q = p = malloc(9);
              memset(p, 0, 8);
              strncpy(p, dot, (strlen(dot) < 9) ? strlen(dot) : 8);
              /* Imlib2 only recognizes lowercase formats. convert it. */
-- 
2.1.2


From 0dd1fd37ea3f10b1459a178292cef5b69fadc4df Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk@fabiankeil.de>
Date: Tue, 2 Dec 2014 15:41:51 +0100
Subject: [PATCH 03/18] loader_tiff: Verify that the magic number could be read

Previously an unitialised value ma have been checked.
---
 src/modules/loaders/loader_tiff.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/modules/loaders/loader_tiff.c b/src/modules/loaders/loader_tiff.c
index 7f16383..bd1628d 100644
--- a/src/modules/loaders/loader_tiff.c
+++ b/src/modules/loaders/loader_tiff.c
@@ -278,7 +278,12 @@ load(ImlibImage * im, ImlibProgressFunction progress,
    if (!file)
       return 0;
 
-   fread(&magic_number, sizeof(uint16), 1, file);
+   if (1 != fread(&magic_number, sizeof(uint16), 1, file))
+     {
+        fclose(file);
+        return 0;
+     }
+
    /* Apparently rewind(f) isn't sufficient */
    fseek(file, (long)0, SEEK_SET);
 
-- 
2.1.2


From b08c12ed2ec1675776cc7113a93381927bfa3174 Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk@fabiankeil.de>
Date: Tue, 2 Dec 2014 17:00:32 +0100
Subject: [PATCH 04/18] loader_png: Verify that the header coudld be read

---
 src/modules/loaders/loader_png.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/modules/loaders/loader_png.c b/src/modules/loaders/loader_png.c
index f7fe94f..9a51456 100644
--- a/src/modules/loaders/loader_png.c
+++ b/src/modules/loaders/loader_png.c
@@ -37,7 +37,11 @@ load(ImlibImage * im, ImlibProgressFunction progress,
         unsigned char       buf[PNG_BYTES_TO_CHECK];
 
         /* if we haven't read the header before, set the header data */
-        fread(buf, 1, PNG_BYTES_TO_CHECK, f);
+        if (PNG_BYTES_TO_CHECK != fread(buf, 1, PNG_BYTES_TO_CHECK, f))
+          {
+             fclose(f);
+             return 0;
+          }
         if (png_sig_cmp(buf, 0, PNG_BYTES_TO_CHECK))
           {
              fclose(f);
-- 
2.1.2


From 75876761b868ea8d32e1cac4ef645cf292f40c51 Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk@fabiankeil.de>
Date: Tue, 2 Dec 2014 17:00:46 +0100
Subject: [PATCH 05/18] loader_xmp: Verify that the header coudld be read

---
 src/modules/loaders/loader_xpm.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/modules/loaders/loader_xpm.c b/src/modules/loaders/loader_xpm.c
index b3c1183..eadccd4 100644
--- a/src/modules/loaders/loader_xpm.c
+++ b/src/modules/loaders/loader_xpm.c
@@ -129,7 +129,11 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
         xpm_parse_done();
         return 0;
      }
-   fread(s, 1, 9, f);
+   if (9 != fread(s, 1, 9, f))
+     {
+        xpm_parse_done();
+        return 0;
+     }
    rewind(f);
    s[9] = 0;
    if (strcmp("/* XPM */", s))
-- 
2.1.2


From db1be6318a92c334017521e70ff8239fa00e2898 Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk@fabiankeil.de>
Date: Tue, 2 Dec 2014 17:32:44 +0100
Subject: [PATCH 06/18] loader_gif: Prevent null pointer dereference. Test file
 062

---
 src/modules/loaders/loader_gif.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/modules/loaders/loader_gif.c b/src/modules/loaders/loader_gif.c
index 23b8fd0..465c9c8 100644
--- a/src/modules/loaders/loader_gif.c
+++ b/src/modules/loaders/loader_gif.c
@@ -147,6 +147,12 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
      {
         bg = gif->SBackGroundColor;
         cmap = (gif->Image.ColorMap ? gif->Image.ColorMap : gif->SColorMap);
+        if (!cmap)
+          {
+             DGifCloseFile(gif);
+             free(rows);
+             return 0;
+          }
         im->data = (DATA32 *) malloc(sizeof(DATA32) * w * h);
         if (!im->data)
           {
-- 
2.1.2


From 717e2da46ab75d31fb12af182e5ce4f18dc08910 Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk@fabiankeil.de>
Date: Tue, 2 Dec 2014 18:50:26 +0100
Subject: [PATCH 07/18] loader_gif: Don't read uninitilized memory in case of
 invalid input

Test file id:000037,src:000000,op:flip8,pos:73,+cov.
---
 src/modules/loaders/loader_gif.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/modules/loaders/loader_gif.c b/src/modules/loaders/loader_gif.c
index 465c9c8..f74a672 100644
--- a/src/modules/loaders/loader_gif.c
+++ b/src/modules/loaders/loader_gif.c
@@ -55,6 +55,7 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
                {
                   /* PrintGifError(); */
                   rec = TERMINATE_RECORD_TYPE;
+                  break;
                }
              w = gif->Image.Width;
              h = gif->Image.Height;
-- 
2.1.2


From 1fee5f4fabc762bcfc6a88f639159d772f527dcf Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk@fabiankeil.de>
Date: Wed, 3 Dec 2014 12:36:27 +0100
Subject: [PATCH 08/18] loader_gif(): Abort gif parsing if DGifGetLine() fails

Prevents multiple conditinal jumps based on and uses
of unitinitialied memory when parsing fuzzed file
id:000067,src:000000,op:havoc,rep:4,+cov.
---
 src/modules/loaders/loader_gif.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/modules/loaders/loader_gif.c b/src/modules/loaders/loader_gif.c
index f74a672..c532ba3 100644
--- a/src/modules/loaders/loader_gif.c
+++ b/src/modules/loaders/loader_gif.c
@@ -97,7 +97,10 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
                     {
                        for (j = intoffset[i]; j < h; j += intjump[i])
                          {
-                            DGifGetLine(gif, rows[j], w);
+                            if (DGifGetLine(gif, rows[i], w) == GIF_ERROR)
+                               {
+                                  break;
+                               }
                          }
                     }
                }
@@ -105,7 +108,10 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
                {
                   for (i = 0; i < h; i++)
                     {
-                       DGifGetLine(gif, rows[i], w);
+                       if (DGifGetLine(gif, rows[i], w) == GIF_ERROR)
+                          {
+                             break;
+                          }
                     }
                }
              done = 1;
-- 
2.1.2


From 122d53b76bb4bd1f3e6857ad8baf8becfe7f0927 Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk@fabiankeil.de>
Date: Wed, 3 Dec 2014 13:00:15 +0100
Subject: [PATCH 09/18] Fix segfault when opening
 input/queue/id:000007,src:000000,op:flip1,pos:51 with feh

---
 src/modules/loaders/loader_gif.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/modules/loaders/loader_gif.c b/src/modules/loaders/loader_gif.c
index c532ba3..52ab1df 100644
--- a/src/modules/loaders/loader_gif.c
+++ b/src/modules/loaders/loader_gif.c
@@ -143,6 +143,11 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
      {
         UNSET_FLAG(im->flags, F_HAS_ALPHA);
      }
+   if (!rows)
+     {
+        DGifCloseFile(gif);
+        return 0;
+     }
    /* set the format string member to the lower-case full extension */
    /* name for the format - so example names would be: */
    /* "png", "jpeg", "tiff", "ppm", "pgm", "pbm", "gif", "xpm" ... */
-- 
2.1.2


From 2f2a97bd949abd1eea8286fee80c0d37c1af5537 Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk@fabiankeil.de>
Date: Wed, 3 Dec 2014 15:00:48 +0100
Subject: [PATCH 10/18] Make IMAGE_DIMENSIONS_OK() more restrictive

Prevents invalid reads and unreasonably large memory allocations
with input/queue/id:000210,src:000114,op:int32,pos:3,val:be:+32,+cov:

==20321== Invalid read of size 1
==20321==    at 0x1FCDB16: __imlib_ScaleAARGB (scale.c:1043)
==20321==    by 0x1F9BF81: __imlib_RenderImage (rend.c:409)
==20321==    by 0x1F0F82C: imlib_render_image_part_on_drawable_at_size (api.c:1886)
==20321==    by 0x40CD75: gib_imlib_render_image_part_on_drawable_at_size (gib_imlib.c:231)
==20321==    by 0x42C732: winwidget_render_image (winwidget.c:576)
==20321==    by 0x417ACA: feh_event_handle_keypress (keyevents.c:598)
==20321==    by 0x4190DE: feh_main_iteration (main.c:119)
==20321==    by 0x418F45: main (main.c:82)
==20321==  Address 0x3a12e034 is 12 bytes before a block of size 1,965,846,976 alloc'd
==20321==    at 0x103D293: malloc (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
==20321==    by 0x5B3D1F1: load (loader_pnm.c:149)
==20321==    by 0x1F7D70F: __imlib_LoadImage (image.c:1041)
==20321==    by 0x1F090E4: imlib_load_image_with_error_return (api.c:1299)
==20321==    by 0x40F47B: feh_load_image (imlib.c:252)
==20321==    by 0x42CA0E: winwidget_loadimage (winwidget.c:753)
==20321==    by 0x42C918: winwidget_create_from_file (winwidget.c:126)
==20321==    by 0x421869: init_slideshow_mode (slideshow.c:62)
==20321==    by 0x418F13: main (main.c:78)
---
 src/lib/image.h | 7 +++++--
 src/lib/rend.c  | 4 ----
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/src/lib/image.h b/src/lib/image.h
index eef59d2..df233c6 100644
--- a/src/lib/image.h
+++ b/src/lib/image.h
@@ -188,8 +188,11 @@ __hidden void              __imlib_SaveImage(ImlibImage *im, const char *file,
 # define SET_FLAG(flags, f) ((flags) |= (f))
 # define UNSET_FLAG(flags, f) ((flags) &= (~f))
 
+/* The maximum pixmap dimension is 65535. */
+/* However, for now, use 46340 (46340^2 < 2^31) to avoid buffer overflow issues. */
+# define X_MAX_DIM 46340
+
 # define IMAGE_DIMENSIONS_OK(w, h) \
-   ( ((w) > 0) && ((h) > 0) && \
-     ((unsigned long long)(w) * (unsigned long long)(h) <= (1ULL << 29) - 1) )
+   ( ((w) > 0) && ((h) > 0) && ((w) < X_MAX_DIM) && ((h) < X_MAX_DIM) )
 
 #endif
diff --git a/src/lib/rend.c b/src/lib/rend.c
index e2759cd..69d16e2 100644
--- a/src/lib/rend.c
+++ b/src/lib/rend.c
@@ -15,10 +15,6 @@
 #include "rend.h"
 #include "rotate.h"
 
-/* The maximum pixmap dimension is 65535. */
-/* However, for now, use 46340 (46340^2 < 2^31) to avoid buffer overflow issues. */
-#define X_MAX_DIM 46340
-
 /* size of the lines per segment we scale / render at a time */
 #define LINESIZE 16
 
-- 
2.1.2


From f74ab8ca4b7673e2b5895f9b1458bc2df60b95a3 Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk@fabiankeil.de>
Date: Wed, 3 Dec 2014 15:21:02 +0100
Subject: [PATCH 11/18] load_pnm: Deal with fread() errors consistently

Was supposed to fixes:
==24603== Invalid read of size 1
==24603==    at 0x1FCD748: __imlib_ScaleAARGB (scale.c:990)
==24603==    by 0x1F9BF81: __imlib_RenderImage (rend.c:405)
==24603==    by 0x1F0F82C: imlib_render_image_part_on_drawable_at_size (api.c:1886)
==24603==    by 0x40CD75: gib_imlib_render_image_part_on_drawable_at_size (gib_imlib.c:231)
==24603==    by 0x42C732: winwidget_render_image (winwidget.c:576)
==24603==    by 0x417ACA: feh_event_handle_keypress (keyevents.c:598)
==24603==    by 0x4190DE: feh_main_iteration (main.c:119)
==24603==    by 0x418F45: main (main.c:82)
==24603==  Address 0x4824832 is 3,650 bytes inside a block of size 4,096 free'd
==24603==    at 0x103E498: free (in /usr/local/lib/valgrind/vgpreload_memcheck-amd64-freebsd.so)
==24603==    by 0x234157D: fclose (fclose.c:62)
==24603==    by 0x5B3CD7F: load (loader_pnm.c:540)
==24603==    by 0x1F7D70F: __imlib_LoadImage (image.c:1041)
==24603==    by 0x1F090E4: imlib_load_image_with_error_return (api.c:1299)
==24603==    by 0x40F47B: feh_load_image (imlib.c:252)
==24603==    by 0x42CA0E: winwidget_loadimage (winwidget.c:753)
==24603==    by 0x42C918: winwidget_create_from_file (winwidget.c:126)
==24603==    by 0x421869: init_slideshow_mode (slideshow.c:62)
==24603==    by 0x418F13: main (main.c:78)
when using feh to scale input/queue/id:000407,src:000226,op:havoc,rep:32
but isn't sufficient by itself.

Still looks correct to me, though.
---
 src/modules/loaders/loader_pnm.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/modules/loaders/loader_pnm.c b/src/modules/loaders/loader_pnm.c
index daf67df..509523c 100644
--- a/src/modules/loaders/loader_pnm.c
+++ b/src/modules/loaders/loader_pnm.c
@@ -373,7 +373,7 @@ load(ImlibImage * im, ImlibProgressFunction progress,
              for (y = 0; y < h; y++)
                {
                   if (!fread(data, w * 1, 1, f))
-                     break;
+                     goto quit_error;
 
                   ptr = data;
                   if (v == 0 || v == 255)
@@ -415,7 +415,7 @@ load(ImlibImage * im, ImlibProgressFunction progress,
              for (y = 0; y < h; y++)
                {
                   if (!fread(data, w * 3, 1, f))
-                     break;
+                     goto quit_error;
 
                   ptr = data;
                   if (v == 0 || v == 255)
@@ -457,7 +457,7 @@ load(ImlibImage * im, ImlibProgressFunction progress,
              for (y = 0; y < h; y++)
                {
                   if (!fread(data, w * 1, 1, f))
-                     break;
+                     goto quit_error;
 
                   ptr = data;
                   for (x = 0; x < w; x++)
@@ -490,7 +490,7 @@ load(ImlibImage * im, ImlibProgressFunction progress,
              for (y = 0; y < h; y++)
                {
                   if (!fread(data, w * 4, 1, f))
-                     break;
+                     goto quit_error;
 
                   ptr = data;
                   if (v == 0 || v == 255)
-- 
2.1.2


From 6081707daf172a3ca7918dde86116e563187cc5e Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk@fabiankeil.de>
Date: Wed, 3 Dec 2014 20:14:08 +0100
Subject: [PATCH 12/18] __imlib_LoadImage(): Additionally check loader_ret to
 detect loader failures

Fixes:

==14822== Conditional jump or move depends on uninitialised value(s)
==14822==    at 0x4E08376: load (loader_tiff.c:285)
==14822==    by 0x1F7D70F: __imlib_LoadImage (image.c:1041)
==14822==    by 0x1F090E4: imlib_load_image_with_error_return (api.c:1299)
==14822==    by 0x40F47B: feh_load_image (imlib.c:252)
==14822==    by 0x42CA0E: winwidget_loadimage (winwidget.c:753)
==14822==    by 0x42C918: winwidget_create_from_file (winwidget.c:126)
==14822==    by 0x421869: init_slideshow_mode (slideshow.c:62)
==14822==    by 0x418F13: main (main.c:78)
==14822==
==14822== Conditional jump or move depends on uninitialised value(s)
==14822==    at 0x4E083BC: load (loader_tiff.c:285)
==14822==    by 0x1F7D70F: __imlib_LoadImage (image.c:1041)
==14822==    by 0x1F090E4: imlib_load_image_with_error_return (api.c:1299)
==14822==    by 0x40F47B: feh_load_image (imlib.c:252)
==14822==    by 0x42CA0E: winwidget_loadimage (winwidget.c:753)
==14822==    by 0x42C918: winwidget_create_from_file (winwidget.c:126)
==14822==    by 0x421869: init_slideshow_mode (slideshow.c:62)
==14822==    by 0x418F13: main (main.c:78)
==14822==

when scaling id:000407,src:000226,op:havoc,rep:32 in feh.
---
 src/lib/image.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lib/image.c b/src/lib/image.c
index e1c064c..c22692e 100644
--- a/src/lib/image.c
+++ b/src/lib/image.c
@@ -1063,7 +1063,7 @@ __imlib_LoadImage(const char *file, ImlibProgressFunction progress,
       im->loader = best_loader;
    /* all loaders have been tried and they all failed. free the skeleton */
    /* image struct we had and return NULL */
-   if (im->w == 0)
+   if ((loader_ret == 0) || (im->w == 0))
      {
         /* if the caller wants an error return */
         if (er)
-- 
2.1.2


From 2c3a14be1b4dd9acd52888309dc28c0b2a9ec6da Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk@fabiankeil.de>
Date: Thu, 4 Dec 2014 12:49:04 +0100
Subject: [PATCH 13/18] loader_tga: Abort file loading if the file obviously
 isn't large enough

Prevents an integer overflow later on that resulted in a datasize of
18446744073709551575 for id:000131,src:000104,op:havoc,rep:32,+cov
whose actual size is 48 byte.
---
 src/modules/loaders/loader_tga.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/modules/loaders/loader_tga.c b/src/modules/loaders/loader_tga.c
index 38d6898..7a86718 100644
--- a/src/modules/loaders/loader_tga.c
+++ b/src/modules/loaders/loader_tga.c
@@ -237,6 +237,14 @@ load(ImlibImage * im, ImlibProgressFunction progress,
      {
      }
 
+   if ((size_t)ss.st_size < sizeof(tga_header) + header->idLength +
+      (footer_present ? sizeof(tga_footer) : 0))
+     {
+        munmap(seg, ss.st_size);
+        close(fd);
+        return 0;
+     }
+
    /* skip over header */
    filedata = (char *)filedata + sizeof(tga_header);
 
-- 
2.1.2


From ea9290d5fb740c0742f03b7c297ee24d346fa065 Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk@fabiankeil.de>
Date: Thu, 4 Dec 2014 13:47:31 +0100
Subject: [PATCH 14/18] imlib_save_image(): Check loader return code for errors

Prevents tons of:
==10646== Conditional jump or move depends on uninitialised value(s)
==10646==    at 0x4F7D30C: png_write_find_filter (pngwutil.c:2578)
==10646==    by 0x4F7568F: png_write_row (pngwrite.c:827)
==10646==    by 0x4F751B0: png_write_rows (pngwrite.c:587)
==10646==    by 0x4D40C7D: save (loader_png.c:373)
==10646==    by 0x1297084: __imlib_SaveImage (image.c:1282)
==10646==    by 0x124252B: imlib_save_image (api.c:4615)
==10646==    by 0x401990: main (imlib2_conv.c:74)
when trying to convert id:000134,src:000105,op:havoc,rep:32.
---
 src/lib/api.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/lib/api.c b/src/lib/api.c
index e29eaf0..224a4a6 100644
--- a/src/lib/api.c
+++ b/src/lib/api.c
@@ -4607,7 +4607,8 @@ imlib_save_image(const char *filename)
    CHECK_PARAM_POINTER("imlib_save_image", "filename", filename);
    CAST_IMAGE(im, ctx->image);
    if ((!(im->data)) && (im->loader) && (im->loader->load))
-      im->loader->load(im, NULL, 0, 1);
+      if (!im->loader->load(im, NULL, 0, 1))
+         return;
    if (!im->data)
       return;
    prev_ctxt_image = ctx->image;
-- 
2.1.2


From cb855225cfb7d8bcd6a495f0c0278a4c9eb72104 Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk@fabiankeil.de>
Date: Thu, 4 Dec 2014 13:53:04 +0100
Subject: [PATCH 15/18] loader_tga.c: Properly signal if decoding uncompressed
 BGRA data failed

Required to reject id:000134,src:000105,op:havoc,rep:32.
---
 src/modules/loaders/loader_tga.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/modules/loaders/loader_tga.c b/src/modules/loaders/loader_tga.c
index 7a86718..0bf5d05 100644
--- a/src/modules/loaders/loader_tga.c
+++ b/src/modules/loaders/loader_tga.c
@@ -356,8 +356,14 @@ load(ImlibImage * im, ImlibProgressFunction progress,
                   else
                      dataptr = im->data + (y * im->w);
 
-                  for (x = 0; (x < im->w) && (bufptr + bpp / 8 <= bufend); x++) /* for each pixel in the row */
+                  for (x = 0; (x < im->w); x++) /* for each pixel in the row */
                     {
+                       if (bufptr + bpp / 8 > bufend)
+                         {
+                           munmap(seg, ss.st_size);
+                           close(fd);
+                           return 0;
+                         }
                        switch (bpp)
                          {
 
-- 
2.1.2


From 658aba4fd9c1a5b60b076dba48983760ec936f41 Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk@fabiankeil.de>
Date: Thu, 4 Dec 2014 13:59:31 +0100
Subject: [PATCH 16/18] loader_tga.c: Properly signal if decoding RLE
 compressed data failed

Otherwise uninitilized memory could be used later on.

I don't have a test file for this commit.
---
 src/modules/loaders/loader_tga.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/src/modules/loaders/loader_tga.c b/src/modules/loaders/loader_tga.c
index 0bf5d05..ce3663c 100644
--- a/src/modules/loaders/loader_tga.c
+++ b/src/modules/loaders/loader_tga.c
@@ -413,11 +413,17 @@ load(ImlibImage * im, ImlibProgressFunction progress,
              DATA32             *final_pixel = dataptr + im->w * im->h;
 
              /* loop until we've got all the pixels or run out of input */
-             while ((dataptr < final_pixel) &&
-                    ((bufptr + 1 + (bpp / 8)) <= bufend))
+             while ((dataptr < final_pixel))
                {
                   int                 count;
 
+                  if ((bufptr + 1 + (bpp / 8)) > bufend)
+                     {
+                        munmap(seg, ss.st_size);
+                        close(fd);
+                        return 0;
+                     }
+
                   curbyte = *bufptr++;
                   count = (curbyte & 0x7F) + 1;
 
@@ -471,9 +477,14 @@ load(ImlibImage * im, ImlibProgressFunction progress,
                     {
                        int                 i;
 
-                       for (i = 0; (i < count) && (dataptr < final_pixel) &&
-                            ((bufptr + (bpp / 8)) <= bufend); i++)
+                       for (i = 0; (i < count) && (dataptr < final_pixel); i++)
                          {
+                            if ((bufptr + 1 + (bpp / 8)) > bufend)
+                              {
+                                 munmap(seg, ss.st_size);
+                                 close(fd);
+                                 return 0;
+                              }
                             switch (bpp)
                               {
 
-- 
2.1.2


From 57da2a2dd51b2f158761acb8fe1ccfe99faeb76a Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk@fabiankeil.de>
Date: Thu, 4 Dec 2014 14:05:25 +0100
Subject: [PATCH 17/18] imlib_save_image_with_error_return(): Check loader
 return code to prevent use of unitialized memor

---
 src/lib/api.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/lib/api.c b/src/lib/api.c
index 224a4a6..f078d95 100644
--- a/src/lib/api.c
+++ b/src/lib/api.c
@@ -4640,7 +4640,8 @@ imlib_save_image_with_error_return(const char *filename,
                        error_return);
    CAST_IMAGE(im, ctx->image);
    if ((!(im->data)) && (im->loader) && (im->loader->load))
-      im->loader->load(im, NULL, 0, 1);
+      if (!im->loader->load(im, NULL, 0, 1))
+         return;
    if (!im->data)
       return;
    prev_ctxt_image = ctx->image;
-- 
2.1.2


From fe2419e56cd0fe1c1ee77c87483b3068b4c1212d Mon Sep 17 00:00:00 2001
From: Fabian Keil <fk@fabiankeil.de>
Date: Tue, 2 Dec 2014 20:36:19 +0100
Subject: [PATCH 18/18] load_gif: Make sure rows isn't used partly unitialized

Prevents:

==22831== Conditional jump or move depends on uninitialised value(s)
==22831==    at 0x634F040: load (loader_gif.c:181)
==22831==    by 0x1F7D7B3: __imlib_LoadImage (image.c:1041)
==22831==    by 0x1F090E4: imlib_load_image_with_error_return (api.c:1299)
==22831==    by 0x40F47B: feh_load_image (imlib.c:252)
==22831==    by 0x42CA0E: winwidget_loadimage (winwidget.c:753)
==22831==    by 0x42C918: winwidget_create_from_file (winwidget.c:126)
==22831==    by 0x421869: init_slideshow_mode (slideshow.c:62)
==22831==    by 0x418F13: main (main.c:78)
==22831==
==22831== Use of uninitialised value of size 8
==22831==    at 0x634F0F4: load (loader_gif.c:190)
==22831==    by 0x1F7D7B3: __imlib_LoadImage (image.c:1041)
==22831==    by 0x1F090E4: imlib_load_image_with_error_return (api.c:1299)
==22831==    by 0x40F47B: feh_load_image (imlib.c:252)
==22831==    by 0x42CA0E: winwidget_loadimage (winwidget.c:753)
==22831==    by 0x42C918: winwidget_create_from_file (winwidget.c:126)
==22831==    by 0x421869: init_slideshow_mode (slideshow.c:62)
==22831==    by 0x418F13: main (main.c:78)
==22831==
==22831== Use of uninitialised value of size 8
==22831==    at 0x634F122: load (loader_gif.c:191)
==22831==    by 0x1F7D7B3: __imlib_LoadImage (image.c:1041)
==22831==    by 0x1F090E4: imlib_load_image_with_error_return (api.c:1299)
==22831==    by 0x40F47B: feh_load_image (imlib.c:252)
==22831==    by 0x42CA0E: winwidget_loadimage (winwidget.c:753)
==22831==    by 0x42C918: winwidget_create_from_file (winwidget.c:126)
==22831==    by 0x421869: init_slideshow_mode (slideshow.c:62)
==22831==    by 0x418F13: main (main.c:78)
==22831==
==22831== Use of uninitialised value of size 8
==22831==    at 0x634F151: load (loader_gif.c:192)
==22831==    by 0x1F7D7B3: __imlib_LoadImage (image.c:1041)
==22831==    by 0x1F090E4: imlib_load_image_with_error_return (api.c:1299)
==22831==    by 0x40F47B: feh_load_image (imlib.c:252)
==22831==    by 0x42CA0E: winwidget_loadimage (winwidget.c:753)
==22831==    by 0x42C918: winwidget_create_from_file (winwidget.c:126)
==22831==    by 0x421869: init_slideshow_mode (slideshow.c:62)
==22831==    by 0x418F13: main (main.c:78)
==22831==

when opening id:000001,orig:smaller-animated.gif with feh.
---
 src/modules/loaders/loader_gif.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/modules/loaders/loader_gif.c b/src/modules/loaders/loader_gif.c
index 52ab1df..1605493 100644
--- a/src/modules/loaders/loader_gif.c
+++ b/src/modules/loaders/loader_gif.c
@@ -76,7 +76,7 @@ load(ImlibImage * im, ImlibProgressFunction progress, char progress_granularity,
                }
              for (i = 0; i < h; i++)
                {
-                  rows[i] = malloc(w * sizeof(GifPixelType));
+                  rows[i] = calloc(w, sizeof(GifPixelType));
                   if (!rows[i])
                     {
                        DGifCloseFile(gif);
-- 
2.1.2