backports of multiple bug fixes from 2.0: SDL-1.2
authorOzkan Sezer <sezeroz@gmail.com>
Tue, 16 Oct 2018 20:02:02 +0300
branchSDL-1.2
changeset 6071a1189c2978f
parent 606 4872fdc71670
child 609 e14e00a2754d
backports of multiple bug fixes from 2.0:

3999783e (r340): bug 1413 - Fix image corruption when using ImageIO framework
5bf0f0d6 (r343), 326a6025 (r361): fixes from VS code analysis and code review
2742fe58 (r355), 1e7a55d7 (r356), dd40be56 (r358): support for webp on big endian systems
ce8091ca (r365): bug 1801 - typo in the xcf decoder, condition is always false
35beff02 (r369): bug 1831 - Memory leak issue in SDL_image-1.2.12/IMG_xpm.c file
1700d607 (r415): bug 1991 - XCF and LBM image loading [only the memory leak parts.]
e108e122 (r419): bug 2010 - Memory leaks in do_layer_surface function in IMG_xcf.c
7a360f7d (r436): bug 2295 - Memory leak in IMG_LoadWEBP_RW
ee17b8eb (r443): bug 2454 - Crash when loading some XPM files
bca82f1c (r476): proper fix for Bugzilla #2965.
fd721465 (r490): crash if some initialization succeeded and some didn't
915de300 (r492): bug 3474 - IMG_tif leaks memory on errors
b6f8fbe5 (r493): bug 3475 - Remove unnecessary loop from IMG_tif.c
d3e819a0 (r499): bug 2318 - h->cm_map resource getting leak in read_xcf_header function
1e32e1f4 (r503): bug 3008 - Compiler warnings: "warning: initialization discards 'const'
318484db (r513): security vulnerability in XCF image loader
181ef57f (r530): failing to reset the file pointer when detecting file types with ImageIO
16772bbb (r555): lbm: use correct variable to check color planes.
97f7f01e (r556): lbm: Fail to load images with unsupported/bogus color depth.
bfa08dc0 (r557): lbm: Don't overflow static colormap buffer.
a1e9b624 (r558): ico: reject obviously incorrect image sizes.
37445f61 (r559): bmp: don't overflow palette buffer with bogus biClrUsed values.
7df1580f (r560): xcf: deal with bogus data in rle tile decoding.
45e750f9 (r563): gif: report error on bogus LWZ data, instead of overflowing a buffer.
2938fc80 (r567): pcx: don't overflow buffer if bytes-per-line is less than image width.
c5f9cbb5 (r568): xcf: Prevent infinite loop and/or buffer overflow on bogus data.
fb643e37 (r569): xcf: check for some potential integer overflows.
170d7d32 (r585): potential buffer overflow on corrupt or maliciously-crafted XCF file.
19beb4a1 (r586): Don't get into infinite loops on truncated GIF files.
32a18ca0 (r587): Don't get into infinite loops on truncated PNM files.
8b4ee1d7 (r590): memory leak in IMG_xcf.c
90a531f2 (r591): PNM: Improve checks when loading a file
31263a04 (r592): XCF: check if there's sufficient data in the stream before allocating
cec9b759 (r593): More error checking, and null terminate strings...
IMG.c
IMG_ImageIO.m
IMG_bmp.c
IMG_gif.c
IMG_jpg.c
IMG_lbm.c
IMG_pcx.c
IMG_png.c
IMG_pnm.c
IMG_tga.c
IMG_tif.c
IMG_webp.c
IMG_xcf.c
IMG_xpm.c
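--- a/IMG.c
+++ b/IMG.c
@@ -31,7 +31,7 @@
 
 /* Table of image detection and loading functions */
 static struct {
-	char *type;
+	const char *type;
 	int (SDLCALL *is)(SDL_RWops *src);
 	SDL_Surface *(SDLCALL *load)(SDL_RWops *src);
 } supported[] = {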
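--- a/IMG_ImageIO.m
+++ b/IMG_ImageIO.m
@@ -217,13 +217,13 @@
 	 * libpng loader.
 	 * Thanks to Allegro. :)
 	 */
-	CGFloat whitePoint[3] = { 1, 1, 1 };
-	CGFloat blackPoint[3] = { 0, 0, 0 };
+	CGFloat whitePoint[3] = { 0.950, 1.000, 1.089 };
+	CGFloat blackPoint[3] = { 0.000, 0.000, 0.000 };
 	CGFloat gamma[3] = { 2.2, 2.2, 2.2 };
 	CGFloat matrix[9] = {
-		1, 1, 1,
-		1, 1, 1,
-		1, 1, 1
+		0.412, 0.213, 0.019,
+		0.358, 0.715, 0.119,
+		0.180, 0.072, 0.950
 	};
 	CGColorSpaceRef color_space =
 		CGColorSpaceCreateCalibratedRGB(
@@ -521,7 +521,7 @@
         }
     }
     
-    // reset the file descption pointer
+    // reset the file pointer
     SDL_RWseek(rw_ops, start, SEEK_SET);
 
 #endif  /* #if defined(ALLOW_UIIMAGE_FALLBACK) && ((TARGET_OS_IPHONE == 1) || (TARGET_IPHONE_SIMULATOR == 1)) */
@@ -532,6 +532,7 @@
 {
     int is_type = 0;
     
+    Sint32 start = SDL_RWtell(rw_ops);
     CFDictionaryRef hint_dictionary = CreateHintDictionary(uti_string_to_test);	
     CGImageSourceRef image_source = CreateCGImageSourceFromRWops(rw_ops, hint_dictionary);
     
@@ -540,6 +541,8 @@
     }
     
     if (NULL == image_source) {
+        // reset the file pointer
+        SDL_RWseek(rw_ops, start, SEEK_SET);
         return 0;
     }
     
@@ -555,6 +558,9 @@
     is_type = (int)UTTypeConformsTo(uti_string_to_test, uti_type);
     
     CFRelease(image_source);
+
+    // reset the file pointer
+    SDL_RWseek(rw_ops, start, SEEK_SET);
     return is_type;
 }
 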
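Review bot: The offset saved in the type-detection helper, `Sint32 start = SDL_RWtell(rw_ops);`, is never checked, so on a stream where tell fails both new `SDL_RWseek(rw_ops, start, SEEK_SET)` calls would seek to a negative offset and the probe would leave the stream position undefined for the next detector. Returning 0 early when `start < 0` keeps a failed probe from disturbing later ones. The block closed by the `}` at the top of the fourth hunk is not visible, so if it contains a return, that path needs the same restore. The function's signature is outside the hunk.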
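--- a/IMG_bmp.c
+++ b/IMG_bmp.c
@@ -662,6 +662,22 @@
         goto done;
     }
 
+    /* sanity check image size, so we don't overflow integers, etc. */
+    if ((biWidth < 0) || (biWidth > 0xFFFFFF) ||
+        (biHeight < 0) || (biHeight > 0xFFFFFF)) {
+        IMG_SetError("Unsupported or invalid ICO dimensions");
+        was_error = SDL_TRUE;
+        goto done;
+    }
+
+    /* sanity check image size, so we don't overflow integers, etc. */
+    if ((biWidth < 0) || (biWidth > 0xFFFFFF) ||
+        (biHeight < 0) || (biHeight > 0xFFFFFF)) {
+        IMG_SetError("Unsupported or invalid ICO dimensions");
+        was_error = SDL_TRUE;
+        goto done;
+    }
+
     /* Create a RGBA surface */
     biHeight = biHeight >> 1;
     //printf("%d x %d\n", biWidth, biHeight);
@@ -679,6 +695,11 @@
         if (biClrUsed == 0) {
             biClrUsed = 1 << biBitCount;
         }
+        if (biClrUsed > (sizeof(palette)/sizeof(palette[0]))) {
+            IMG_SetError("Unsupported or incorrect biClrUsed field");
+            was_error = SDL_TRUE;
+            goto done;
+        }
         for (i = 0; i < (int) biClrUsed; ++i) {
             SDL_RWread(src, &palette[i], 4, 1);
         }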
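Review bot: The dimension check added in the first hunk appears twice, back to back and byte for byte, so the second copy can never fire and looks like a backport merge artifact; one copy should be dropped. In the second hunk the new `biClrUsed` bound protects `palette`, but the result of `SDL_RWread(src, &palette[i], 4, 1)` is still ignored, so a truncated file leaves the remaining entries unread and they are later used as colours. Checking it in the same style as the new guards, `if (!SDL_RWread(src, &palette[i], 4, 1)) { was_error = SDL_TRUE; goto done; }`, closes that case. The enclosing function starts and ends outside both hunks.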
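--- a/IMG_gif.c
+++ b/IMG_gif.c
@@ -320,7 +320,7 @@
 	break;
     case 0xfe:			/* Comment Extension */
 	str = "Comment Extension";
-	while (GetDataBlock(src, (unsigned char *) buf) != 0)
+	while (GetDataBlock(src, (unsigned char *) buf) > 0)
 	    ;
 	return FALSE;
     case 0xf9:			/* Graphic Control Extension */
@@ -332,7 +332,7 @@
 	if ((buf[0] & 0x1) != 0)
 	    Gif89.transparent = buf[3];
 
-	while (GetDataBlock(src, (unsigned char *) buf) != 0)
+	while (GetDataBlock(src, (unsigned char *) buf) > 0)
 	    ;
 	return FALSE;
     default:
@@ -341,7 +341,7 @@
 	break;
     }
 
-    while (GetDataBlock(src, (unsigned char *) buf) != 0)
+    while (GetDataBlock(src, (unsigned char *) buf) > 0)
 	;
 
     return FALSE;
@@ -390,7 +390,7 @@
 	buf[0] = buf[last_byte - 2];
 	buf[1] = buf[last_byte - 1];
 
-	if ((count = GetDataBlock(src, &buf[2])) == 0)
+	if ((count = GetDataBlock(src, &buf[2])) <= 0)
 	    done = TRUE;
 
 	last_byte = 2 + count;
@@ -439,8 +439,9 @@
 	    table[0][i] = 0;
 	    table[1][i] = i;
 	}
+	table[1][0] = 0;
 	for (; i < (1 << MAX_LWZ_BITS); ++i)
-	    table[0][i] = table[1][0] = 0;
+	    table[0][i] = 0;
 
 	sp = stack;
 
@@ -493,12 +494,24 @@
 	    code = oldcode;
 	}
 	while (code >= clear_code) {
+	    /* Guard against buffer overruns */
+	    if (code < 0 || code >= (1 << MAX_LWZ_BITS)) {
+		RWSetMsg("invalid LWZ data");
+		return -3;
+	    }
 	    *sp++ = table[1][code];
-	    if (code == table[0][code])
+	    if (code == table[0][code]) {
 		RWSetMsg("circular table entry BIG ERROR");
+		return -3;
+	    }
 	    code = table[0][code];
 	}
 
+	/* Guard against buffer overruns */
+	if (code < 0 || code >= (1 << MAX_LWZ_BITS)) {
+	    RWSetMsg("invalid LWZ data");
+	    return -4;
+	}
 	*sp++ = firstcode = table[1][code];
 
 	if ((code = max_code) < (1 << MAX_LWZ_BITS)) {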
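Review bot: In the bit-reader hunk a failed read is now detected with `<= 0`, but the negative `count` is still added in `last_byte = 2 + count;`, so after an error `last_byte` becomes 1 and `buf[last_byte - 2]` would index before the buffer if that refill path is reached again. Clamping first, `if (count <= 0) { count = 0; done = TRUE; }`, keeps the bookkeeping non-negative. In the decoder hunks the new range checks cover `code`, but nothing visible bounds `sp` against the end of `stack`, and the self-reference test only catches a cycle of length one, so a bound on `sp` inside `while (code >= clear_code)` would be a cheap second guard. The enclosing functions start and end outside these hunks.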
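--- a/IMG_jpg.c
+++ b/IMG_jpg.c
@@ -214,13 +214,13 @@
 					is_JPG = 0;
 				} else {
 					/* Yes, it's big-endian */
-					Uint32 start;
+					Sint32 innerStart;
 					Uint32 size;
-					Uint32 end;
-					start = SDL_RWtell(src);
+					Sint32 end;
+					innerStart = SDL_RWtell(src);
 					size = (magic[2] << 8) + magic[3];
 					end = SDL_RWseek(src, size-2, RW_SEEK_CUR);
-					if ( end != start + size - 2 ) is_JPG = 0;
+					if ( end != innerStart + size - 2 ) is_JPG = 0;
 					if ( magic[1] == 0xDA ) {
 						/* Now comes the actual JPEG meat */
 #ifdef	FAST_IS_JPEG
@@ -386,7 +386,7 @@
 	}
 	start = SDL_RWtell(src);
 
-	if ( !IMG_Init(IMG_INIT_JPG) ) {
+	if ( (IMG_Init(IMG_INIT_JPG) & IMG_INIT_JPG) == 0 ) {
 		return NULL;
 	}
 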
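Review bot: In the marker-skipping branch of the first hunk, `size` is built from two file bytes and `size-2` is passed to `SDL_RWseek` without checking that the segment length is at least 2, so a length of 0 or 1 wraps in the unsigned subtraction and turns into a backward seek. Because `end != innerStart + size - 2` mixes `Sint32` and `Uint32` and is therefore evaluated in unsigned arithmetic, the comparison does not catch that case. Rejecting short segments before the seek, `if ( size < 2 ) is_JPG = 0;`, keeps the scan moving forward. The enclosing loop starts and ends outside the hunk.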
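--- a/IMG_lbm.c
+++ b/IMG_lbm.c
@@ -187,6 +187,11 @@
 
 		if ( !memcmp( id, "CMAP", 4 ) ) /* palette ( Color Map ) */
 		{
+			if (size > sizeof (colormap)) {
+				error="colormap size is too large";
+				goto done;
+			}
+
 			if ( !SDL_RWread( src, &colormap, size, 1 ) )
 			{
 				error="error reading CMAP chunk";
@@ -237,19 +242,25 @@
 		nbplanes = 1;
 	}
 
+	if ((nbplanes != 1) && (nbplanes != 4) && (nbplanes != 8) && (nbplanes != 24))
+	{
+		error="unsupported number of color planes";
+		goto done;
+	}
+
 	stencil = (bmhd.mask & 1);   /* There is a mask ( 'stencil' ) */
 
 	/* Allocate memory for a temporary buffer ( used for
            decompression/deinterleaving ) */
 
-	MiniBuf = (void *)malloc( bytesperline * (nbplanes + stencil) );
+	MiniBuf = (Uint8 *)malloc( bytesperline * (nbplanes + stencil) );
 	if ( MiniBuf == NULL )
 	{
-		error="no enough memory for temporary buffer";
+		error="not enough memory for temporary buffer";
 		goto done;
 	}
 
-	if ( ( Image = SDL_CreateRGBSurface( SDL_SWSURFACE, width, bmhd.h, (bmhd.planes==24 || flagHAM==1)?24:8, 0, 0, 0, 0 ) ) == NULL )
+	if ( ( Image = SDL_CreateRGBSurface( SDL_SWSURFACE, width, bmhd.h, (nbplanes==24 || flagHAM==1)?24:8, 0, 0, 0, 0 ) ) == NULL )
 	   goto done;
 
 	if ( bmhd.mask & 2 )               /* There is a transparent color */
@@ -276,7 +287,7 @@
 		/* The 32 last colors are the same but divided by 2 */
 		/* Some Amiga pictures save 64 colors with 32 last wrong colors, */
 		/* they shouldn't !, and here we overwrite these 32 bad colors. */
-		if ( (nbcolors==32 || flagEHB ) && (1<<bmhd.planes)==64 )
+		if ( (nbcolors==32 || flagEHB ) && (1<<nbplanes)==64 )
 		{
 			nbcolors = 64;
 			ptr = &colormap[0];
@@ -290,8 +301,8 @@
 
 		/* If nbcolors < 2^nbplanes, repeat the colormap */
 		/* This happens when pictures have a stencil mask */
-		if ( nbrcolorsfinal > (1<<bmhd.planes) ) {
-			nbrcolorsfinal = (1<<bmhd.planes);
+		if ( nbrcolorsfinal > (1<<nbplanes) ) {
+			nbrcolorsfinal = (1<<nbplanes);
 		}
 		for ( i=nbcolors; i < (Uint32)nbrcolorsfinal; i++ )
 		{
@@ -365,7 +376,7 @@
 
 		/* One line has been read, store it ! */
 
-		ptr = Image->pixels;
+		ptr = (Uint8 *)Image->pixels;
 		if ( nbplanes==24 || flagHAM==1 )
 			ptr += h * width * 3;
 		else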
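Review bot: The new plane-count check in the second hunk lets only 1, 4, 8 and 24 through, yet the third hunk still tests `(1<<nbplanes)==64`, which needs `nbplanes == 6`; unless `nbplanes` is adjusted in lines outside these hunks, the Extra-Half-Brite fix-up is now unreachable and 6-plane HAM/EHB files are rejected outright. If those files are meant to load, the check should admit 6 planes when `flagHAM` or `flagEHB` is set; if not, the dead branch should be removed or commented. Either way a comment on the check, such as `/* only depths the deinterleaver below handles; anything else would overrun MiniBuf/colormap */`, would record why these four values were chosen.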
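--- a/IMG_pcx.c
+++ b/IMG_pcx.c
@@ -149,8 +149,8 @@
 	if (bpl > surface->pitch) {
 		error = "bytes per line is too large (corrupt?)";
 	}
-	buf = malloc(bpl);
-	row = surface->pixels;
+	buf = (Uint8 *)calloc(SDL_max(bpl, surface->pitch), 1);
+	row = (Uint8 *)surface->pixels;
 	for ( y=0; y<surface->h; ++y ) {
 		/* decode a scan line to a temporary buffer first */
 		int i, count = 0;
@@ -184,16 +184,16 @@
 
 		if(src_bits <= 4) {
 			/* expand planes to 1 byte/pixel */
-			Uint8 *src = buf;
+			Uint8 *innerSrc = buf;
 			int plane;
 			for(plane = 0; plane < pcxh.NPlanes; plane++) {
-				int i, j, x = 0;
-				for(i = 0; i < pcxh.BytesPerLine; i++) {
-					Uint8 byte = *src++;
-					for(j = 7; j >= 0; j--) {
-						unsigned bit = (byte >> j) & 1;
+				int j, k, x = 0;
+				for(j = 0; j < pcxh.BytesPerLine; j++) {
+					Uint8 byte = *innerSrc++;
+					for(k = 7; k >= 0; k--) {
+						unsigned bit = (byte >> k) & 1;
 						/* skip padding bits */
-						if (i * 8 + j >= width)
+						if (j * 8 + k >= width)
 							continue;
 						row[x++] |= bit << plane;
 					}
@@ -201,13 +201,13 @@
 			}
  		} else if(src_bits == 24) {
 			/* de-interlace planes */
-			Uint8 *innerSrc = buf;
+			Uint8 *innerSrc = buf;
 			int plane;
 			for(plane = 0; plane < pcxh.NPlanes; plane++) {
 				int x;
 				dst = row + plane;
 				for(x = 0; x < width; x++) {
-					*dst = *src++;
+					*dst = *innerSrc++;
 					dst += pcxh.NPlanes;
 				}
 			}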
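Review bot: The result of the new `calloc(SDL_max(bpl, surface->pitch), 1)` in the first hunk is used without a NULL check: the next statements assign `row` and enter the scan-line loop, so an allocation failure on a large, file-controlled `bpl` becomes a NULL write. The same hunk's context also shows that `bpl > surface->pitch` only sets `error` and then falls through into decoding, which is why the buffer has to be sized with `SDL_max`; bailing out at that point would be simpler and would not decode a header already judged corrupt. A guard such as `if (!buf) { error = "Out of memory"; goto done; }` fits if the function's exit label is `done` (it is outside the hunk), and a comment on the `SDL_max` sizing would explain why the buffer is larger than one source line.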
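--- a/IMG_png.c
+++ b/IMG_png.c
@@ -374,7 +374,7 @@
 	}
 	start = SDL_RWtell(src);
 
-	if ( !IMG_Init(IMG_INIT_PNG) ) {
+	if ( (IMG_Init(IMG_INIT_PNG) & IMG_INIT_PNG) == 0 ) {
 		return NULL;
 	}
 
@@ -444,15 +444,18 @@
 			     &transv);
 		if(color_type == PNG_COLOR_TYPE_PALETTE) {
 		    /* Check if all tRNS entries are opaque except one */
-		    int i, t = -1;
-		    for(i = 0; i < num_trans; i++)
-			if(trans[i] == 0) {
-			    if(t >= 0)
+		    int j, t = -1;
+		    for(j = 0; j < num_trans; j++) {
+			if(trans[j] == 0) {
+			    if (t >= 0) {
 				break;
-			    t = i;
-			} else if(trans[i] != 255)
+			    }
+			    t = j;
+			} else if(trans[j] != 255) {
 			    break;
-		    if(i == num_trans) {
+			}
+		    }
+		    if(j == num_trans) {
 			/* exactly one transparent index */
 			ckey = t;
 		    } else {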
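--- a/IMG_pnm.c
+++ b/IMG_pnm.c
@@ -27,6 +27,7 @@
  * Does not support: maximum component value > 255
  */
 
+#include <limits.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <ctype.h>
@@ -78,7 +79,7 @@
 	/* Skip leading whitespace */
 	do {
 		if ( ! SDL_RWread(src, &ch, 1, 1) ) {
-			return(0);
+			return(-1);
 		}
 		/* Eat comments as whitespace */
 		if ( ch == '#' ) {  /* Comment is '#' to end of line */
@@ -91,7 +92,14 @@
 	} while ( isspace(ch) );
 
 	/* Add up the number */
+	if (!isdigit(ch)) {
+		return -1;
+	}
 	do {
+		/* Protect from possible overflow */
+		if (number >= INT_MAX / 10) {
+			return -1;
+		}
 		number *= 10;
 		number += ch-'0';
 
@@ -177,13 +185,13 @@
 		c[1].r = c[1].g = c[1].b = 0;
 		surface->format->palette->ncolors = 2;
 		bpl = (width + 7) >> 3;
-		buf = malloc(bpl);
+		buf = (Uint8 *)malloc(bpl);
 		if(buf == NULL)
 			ERROR("Out of memory");
 	}
 
 	/* Read the image into the surface */
-	row = surface->pixels;
+	row = (Uint8 *)surface->pixels;
 	for(y = 0; y < height; y++) {
 		if(ascii) {
 			int i;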
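Review bot: The new digit test `isdigit(ch)` in the third hunk is handed a byte read straight from the file; if `ch` is a plain `char` (its declaration is outside the hunk), values above 0x7F are negative on signed-char platforms and the call is undefined behaviour, as is the existing `isspace(ch)`. Casting at the call, `if (!isdigit((unsigned char)ch))`, avoids that. The number parser also now returns -1 where it used to return 0, so a short comment above it stating that a negative result means read error, non-digit input or overflow would help callers that previously treated 0 as failure. The function's signature and its callers are outside the hunks.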
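--- a/IMG_tga.c
+++ b/IMG_tga.c
@@ -207,7 +207,7 @@
     if(hdr.has_cmap) {
 	int palsiz = ncols * ((hdr.cmap_bits + 7) >> 3);
 	if(indexed && !grey) {
-	    Uint8 *pal = malloc(palsiz), *p = pal;
+	    Uint8 *pal = (Uint8 *)malloc(palsiz), *p = pal;
 	    SDL_Color *colors = img->format->palette->colors;
 	    img->format->palette->ncolors = ncols;
 	    SDL_RWread(src, pal, palsiz, 1);
@@ -251,7 +251,7 @@
 
     if(hdr.flags & TGA_ORIGIN_UPPER) {
 	lstep = img->pitch;
-	dst = img->pixels;
+	dst = (Uint8 *)img->pixels;
     } else {
 	lstep = -img->pitch;
 	dst = (Uint8 *)img->pixels + (h - 1) * img->pitch;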
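Review bot: The palette buffer on the line this commit touches is still used unchecked: `malloc(palsiz)` goes straight into `SDL_RWread(src, pal, palsiz, 1)` and the read's return value is dropped, so an allocation failure passes NULL to the read and a truncated file leaves `pal` unfilled before it is copied into the palette. Both `ncols` and `hdr.cmap_bits` come from the file header, which makes this reachable from input. A check like `if (!pal || !SDL_RWread(src, pal, palsiz, 1))` followed by the loader's existing error exit would cover both cases; whether `ncols` is bounded to the palette's size before `ncolors = ncols` is decided outside the hunk and is worth confirming.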
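--- a/IMG_tif.c
+++ b/IMG_tif.c
@@ -37,7 +37,7 @@
 	TIFF* (*TIFFClientOpen)(const char*, const char*, thandle_t, TIFFReadWriteProc, TIFFReadWriteProc, TIFFSeekProc, TIFFCloseProc, TIFFSizeProc, TIFFMapFileProc, TIFFUnmapFileProc);
 	void (*TIFFClose)(TIFF*);
 	int (*TIFFGetField)(TIFF*, ttag_t, ...);
-	int (*TIFFReadRGBAImage)(TIFF*, uint32, uint32, uint32*, int);
+	int (*TIFFReadRGBAImageOriented)(TIFF*, uint32, uint32, uint32*, int, int);
 	TIFFErrorHandler (*TIFFSetErrorHandler)(TIFFErrorHandler);
 } lib;
 
@@ -70,10 +70,10 @@
 			SDL_UnloadObject(lib.handle);
 			return -1;
 		}
-		lib.TIFFReadRGBAImage =
-			(int (*)(TIFF*, uint32, uint32, uint32*, int))
-			SDL_LoadFunction(lib.handle, "TIFFReadRGBAImage");
-		if ( lib.TIFFReadRGBAImage == NULL ) {
+		lib.TIFFReadRGBAImageOriented =
+			(int (*)(TIFF*, uint32, uint32, uint32*, int, int))
+			SDL_LoadFunction(lib.handle, "TIFFReadRGBAImageOriented");
+		if ( lib.TIFFReadRGBAImageOriented == NULL ) {
 			SDL_UnloadObject(lib.handle);
 			return -1;
 		}
@@ -106,7 +106,7 @@
 		lib.TIFFClientOpen = TIFFClientOpen;
 		lib.TIFFClose = TIFFClose;
 		lib.TIFFGetField = TIFFGetField;
-		lib.TIFFReadRGBAImage = TIFFReadRGBAImage;
+		lib.TIFFReadRGBAImageOriented = TIFFReadRGBAImageOriented;
 		lib.TIFFSetErrorHandler = TIFFSetErrorHandler;
 	}
 	++lib.loaded;
@@ -165,7 +165,7 @@
 
 static toff_t tiff_size(thandle_t fd)
 {
-	Uint32 save_pos;
+	Sint32 save_pos;
 	toff_t size;
 
 	save_pos = SDL_RWtell((SDL_RWops*)fd);
@@ -204,7 +204,7 @@
 SDL_Surface* IMG_LoadTIF_RW(SDL_RWops* src)
 {
 	int start;
-	TIFF* tiff;
+	TIFF* tiff = NULL;
 	SDL_Surface* surface = NULL;
 	Uint32 img_width, img_height;
 	Uint32 Rmask, Gmask, Bmask, Amask;
@@ -217,7 +217,7 @@
 	}
 	start = SDL_RWtell(src);
 
-	if ( !IMG_Init(IMG_INIT_TIF) ) {
+	if ( (IMG_Init(IMG_INIT_TIF) & IMG_INIT_TIF) == 0 ) {
 		return NULL;
 	}
 
@@ -240,32 +240,21 @@
 	if(!surface)
 		goto error;
 	
-	if(!lib.TIFFReadRGBAImage(tiff, img_width, img_height, surface->pixels, 0))
+	if(!lib.TIFFReadRGBAImageOriented(tiff, img_width, img_height, (uint32 *)surface->pixels, ORIENTATION_TOPLEFT, 0))
 		goto error;
 
-	/* libtiff loads the image upside-down, flip it back */
-	half = img_height / 2;
-	for(y = 0; y < half; y++)
-	{
-	        Uint32 *top = (Uint32 *)surface->pixels + y * surface->pitch/4;
-	        Uint32 *bot = (Uint32 *)surface->pixels
-		              + (img_height - y - 1) * surface->pitch/4;
-		for(x = 0; x < img_width; x++)
-		{
-		        Uint32 tmp = top[x];
-			top[x] = bot[x];
-			bot[x] = tmp;
-		}
-	}
 	lib.TIFFClose(tiff);
 	
 	return surface;
 
 error:
 	SDL_RWseek(src, start, RW_SEEK_SET);
-	if ( surface ) {
+	if (surface) {
 		SDL_FreeSurface(surface);
 	}
+	if (tiff) {
+		lib.TIFFClose(tiff);
+	}
 	return NULL;
 }
 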
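Review bot: With the manual flip loop removed in the last hunk, the locals it used (`x`, `y` and `half`) no longer have a user in the visible code; their declarations fall between the hunks, so if they are still present they should be deleted to keep the build warning-free. The removed comment explained the flip and nothing replaces it: a one-line comment at the call, such as `/* ORIENTATION_TOPLEFT: libtiff delivers rows top-down, so no flip is needed */`, would record why the loop is gone. Loading `TIFFReadRGBAImageOriented` by name also means the dynamic-load path now fails on a libtiff that lacks that symbol, which is worth stating next to the `SDL_LoadFunction` call.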
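--- a/IMG_webp.c
+++ b/IMG_webp.c
@@ -171,7 +171,7 @@
 	Uint32 Amask;
 	WebPBitstreamFeatures features;
 	int raw_data_size;
-	uint8_t *raw_data;
+	uint8_t *raw_data = NULL;
 	int r;
 	uint8_t *ret;
 
@@ -182,11 +182,10 @@
 
 	start = SDL_RWtell(src);
 
-	if ( !IMG_Init(IMG_INIT_WEBP) ) {
+	if ( (IMG_Init(IMG_INIT_WEBP) & IMG_INIT_WEBP) == 0 ) {
 		goto error;
 	}
 
-
 	raw_data_size = -1;
 	if ( !webp_getinfo( src, &raw_data_size ) ) {
 		error = "Invalid WEBP";
@@ -219,14 +218,23 @@
 
 	if ( lib.webp_get_features_internal( raw_data, raw_data_size, &features, WEBP_DECODER_ABI_VERSION ) != VP8_STATUS_OK ) {
 		error = "WebPGetFeatures has failed";
-		return NULL;
+		goto error;
 	}
 
 	/* Check if it's ok !*/
+#if SDL_BYTEORDER == SDL_LIL_ENDIAN
 	Rmask = 0x000000FF;
 	Gmask = 0x0000FF00;
 	Bmask = 0x00FF0000;
-	Amask = features.has_alpha?0xFF000001:0;
+	Amask = (features.has_alpha) ? 0xFF000000 : 0;
+#else
+	{ int s = (features.has_alpha) ? 0 : 8;
+	Rmask = 0xFF000000 >> s;
+	Gmask = 0x00FF0000 >> s;
+	Bmask = 0x0000FF00 >> s;
+	Amask = 0x000000FF >> s;
+	}
+#endif
 
 	surface = SDL_AllocSurface(SDL_SWSURFACE, features.width, features.height,
 			features.has_alpha?32:24, Rmask,Gmask,Bmask,Amask);
@@ -237,9 +245,9 @@
 	}
 
 	if ( features.has_alpha ) {
-		ret = lib.webp_decode_rgba_into( raw_data, raw_data_size, surface->pixels, surface->pitch * surface->h,  surface->pitch );
+		ret = lib.webp_decode_rgba_into( raw_data, raw_data_size, (uint8_t *)surface->pixels, surface->pitch * surface->h,  surface->pitch );
 	} else {
-		ret = lib.webp_decode_rgb_into( raw_data, raw_data_size, surface->pixels, surface->pitch * surface->h,  surface->pitch );
+		ret = lib.webp_decode_rgb_into( raw_data, raw_data_size, (uint8_t *)surface->pixels, surface->pitch * surface->h,  surface->pitch );
 	}
 
 	if ( !ret ) {
@@ -247,19 +255,23 @@
 		goto error;
 	}
 
+	if ( raw_data ) {
+		free( raw_data );
+	}
+
 	return surface;
 
 
 error:
 
+	if ( raw_data ) {
+		free( raw_data );
+	}
+
 	if ( surface ) {
 		SDL_FreeSurface( surface );
 	}
 
-	if ( raw_data ) {
-		free( raw_data );
-	}
-
 	if ( error ) {
 		IMG_SetError( error );
 	}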
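Review bot: The comment left above the new mask block, `/* Check if it's ok !*/`, says nothing about why the masks now depend on `SDL_BYTEORDER`, and the big-endian shift `s` is unexplained. Judging by the little-endian masks the decoder output is laid out byte-wise as R, G, B and optionally A, so a comment such as `/* pixels are R,G,B[,A] bytes in memory; on big-endian the 24-bit case has no alpha byte, so shift every mask down by 8 */` would make the intent checkable. The now-unconditional `goto error` after a failed `IMG_Init` also relies on `surface` and `error` being initialised at their declarations, which are outside the hunks. The `if ( raw_data )` guards around `free( raw_data )` are redundant, since `free(NULL)` is a no-op.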
    13.1 --- a/IMG_xcf.c	Tue Oct 16 10:50:15 2018 +0300
    13.2 +++ b/IMG_xcf.c	Tue Oct 16 20:02:02 2018 +0300
    13.3 @@ -225,19 +225,32 @@
    13.4  	return(is_XCF);
    13.5  }
    13.6  
    13.7 +/* SDL-1.2 doesn't have a SDL_RWsize(). sigh... */
    13.8 +static Sint32 SDLCALL SDL12_RWsize(SDL_RWops *rw) {
    13.9 +  Sint32 pos, size;
   13.10 +  if ((pos=SDL_RWtell(rw))<0) return -1;
   13.11 +  size = SDL_RWseek(rw, 0, RW_SEEK_END);
   13.12 +  SDL_RWseek(rw, pos, RW_SEEK_SET);
   13.13 +  return size;
   13.14 +}
   13.15 +
   13.16  static char * read_string (SDL_RWops * src) {
   13.17 +  Sint32 remaining;
   13.18    Uint32 tmp;
   13.19    char * data;
   13.20  
   13.21    tmp = SDL_ReadBE32 (src);
   13.22 -  if (tmp > 0) {
   13.23 +  remaining = SDL12_RWsize(src) - SDL_RWtell(src);
   13.24 +  if (tmp > 0 && tmp <= remaining) {
   13.25      data = (char *) malloc (sizeof (char) * tmp);
   13.26 -    SDL_RWread (src, data, tmp, 1);
   13.27 +    if (data) {
   13.28 +      SDL_RWread(src, data, tmp, 1);
   13.29 +      data[tmp - 1] = '\0';
   13.30 +    }
   13.31    }
   13.32    else {
   13.33      data = NULL;
   13.34    }
   13.35 -
   13.36    return data;
   13.37  }
   13.38  
   13.39 @@ -251,6 +264,7 @@
   13.40  }
   13.41  
   13.42  static void xcf_read_property (SDL_RWops * src, xcf_prop * prop) {
   13.43 +  Uint32 len;
   13.44    prop->id = SDL_ReadBE32 (src);
   13.45    prop->length = SDL_ReadBE32 (src);
   13.46  
   13.47 @@ -274,7 +288,13 @@
   13.48      break;
   13.49    case PROP_COMPRESSION:
   13.50    case PROP_COLOR:
   13.51 -    SDL_RWread (src, &prop->data, prop->length, 1);
   13.52 +    if (prop->length > sizeof(prop->data)) {
   13.53 +      len = sizeof(prop->data);
   13.54 +    }
   13.55 +    else {
   13.56 +      len = prop->length;
   13.57 +    }
   13.58 +    SDL_RWread(src, &prop->data, len, 1);
   13.59      break;
   13.60    case PROP_VISIBLE:
   13.61      prop->data.visible = SDL_ReadBE32 (src);
   13.62 @@ -288,7 +308,8 @@
   13.63  static void free_xcf_header (xcf_header * h) {
   13.64    if (h->cm_num)
   13.65      free (h->cm_map);
   13.66 -
   13.67 +  if (h->layer_file_offsets)
   13.68 +    free (h->layer_file_offsets);
   13.69    free (h);
   13.70  }
   13.71  
   13.72 @@ -297,12 +318,16 @@
   13.73    xcf_prop prop;
   13.74  
   13.75    h = (xcf_header *) malloc (sizeof (xcf_header));
   13.76 +  if (!h) {
   13.77 +    return NULL;
   13.78 +  }
   13.79    SDL_RWread (src, h->sign, 14, 1);
   13.80    h->width       = SDL_ReadBE32 (src);
   13.81    h->height      = SDL_ReadBE32 (src);
   13.82    h->image_type  = SDL_ReadBE32 (src);
   13.83  
   13.84    h->properties = NULL;
   13.85 +  h->layer_file_offsets = NULL;
   13.86    h->compr      = COMPR_NONE;
   13.87    h->cm_num = 0;
   13.88    h->cm_map = NULL;
   13.89 @@ -311,14 +336,25 @@
   13.90    do {
   13.91      xcf_read_property (src, &prop);
   13.92      if (prop.id == PROP_COMPRESSION)
   13.93 -      h->compr = prop.data.compression;
   13.94 +      h->compr = (xcf_compr_type)prop.data.compression;
   13.95      else if (prop.id == PROP_COLORMAP) {
   13.96        // unused var: int i;
   13.97 +      Uint32 cm_num;
   13.98 +      unsigned char *cm_map;
   13.99  
  13.100 -      h->cm_num = prop.data.colormap.num;
  13.101 -      h->cm_map = (unsigned char *) malloc (sizeof (unsigned char) * 3 * h->cm_num);
  13.102 +      cm_num = prop.data.colormap.num;
  13.103 +      cm_map = (unsigned char *) realloc(h->cm_map, sizeof (unsigned char) * 3 * cm_num);
  13.104 +      if (cm_map) {
  13.105 +        h->cm_num = cm_num;
  13.106 +        h->cm_map = cm_map;
  13.107        memcpy (h->cm_map, prop.data.colormap.cmap, 3*sizeof (char)*h->cm_num);
  13.108 +      }
  13.109        free (prop.data.colormap.cmap);
  13.110 +
  13.111 +      if (!cm_map) {
  13.112 +        free_xcf_header(h);
  13.113 +        return NULL;
  13.114 +      }
  13.115      }
  13.116    } while (prop.id != PROP_END);
  13.117  
  13.118 @@ -466,15 +502,19 @@
  13.119    int i, size, count, j, length;
  13.120    unsigned char val;
  13.121  
  13.122 +  if (len == 0) {  /* probably bogus data. */
  13.123 +    return NULL;
  13.124 +  }
  13.125 +
  13.126    t = load = (unsigned char *) malloc (len);
  13.127    reallen = SDL_RWread (src, t, 1, len);
  13.128  
  13.129 -  data = (unsigned char *) malloc (x*y*bpp);
  13.130 +  data = (unsigned char *) calloc (1, x*y*bpp);
  13.131    for (i = 0; i < bpp; i++) {
  13.132      d    = data + i;
  13.133      size = x*y;
  13.134      count = 0;
  13.135 - 
  13.136 +
  13.137      while (size > 0) {
  13.138        val = *t++;
  13.139  
  13.140 @@ -486,6 +526,12 @@
  13.141  	  t += 2;
  13.142  	}
  13.143  
  13.144 +	if (((size_t) (t - load) + length) >= len) {
  13.145 +	  break;  /* bogus data */
  13.146 +	} else if (length > size) {
  13.147 +	  break;  /* bogus data */
  13.148 +	}
  13.149 +
  13.150  	count += length;
  13.151  	size -= length;
  13.152  
  13.153 @@ -501,6 +547,13 @@
  13.154  	  t += 2;
  13.155  	}
  13.156  
  13.157 +	if (((size_t) (t - load)) >= len) {
  13.158 +	  break;  /* bogus data */
  13.159 +	}
  13.160 +	else if (length > size) {
  13.161 +	  break;  /* bogus data */
  13.162 +	}
  13.163 +
  13.164  	count += length;
  13.165  	size -= length;
  13.166  
  13.167 @@ -512,6 +565,10 @@
  13.168  	}
  13.169        }
  13.170      }
  13.171 +
  13.172 +    if (size > 0) {
  13.173 +      break;  /* just drop out, untouched data initialized to zero. */
  13.174 +    }
  13.175    }
  13.176  
  13.177    free (load);
  13.178 @@ -542,19 +599,34 @@
  13.179    SDL_FillRect (surf, NULL, c);
  13.180  }
  13.181  
  13.182 -static int do_layer_surface (SDL_Surface * surface, SDL_RWops * src, xcf_header * head, xcf_layer * layer, load_tile_type load_tile) {
  13.183 +static int 
  13.184 +do_layer_surface(SDL_Surface * surface, SDL_RWops * src, xcf_header * head, xcf_layer * layer, load_tile_type load_tile)
  13.185 +{
  13.186    xcf_hierarchy * hierarchy;
  13.187    xcf_level     * level;
  13.188    unsigned char * tile;
  13.189    Uint8  * p8;
  13.190    Uint16 * p16;
  13.191    Uint32 * p;
  13.192 -  int x, y, tx, ty, ox, oy, i, j;
  13.193 +  int i, j;
  13.194 +  Uint32 x, y, tx, ty, ox, oy;
  13.195    Uint32 *row;
  13.196  
  13.197    SDL_RWseek (src, layer->hierarchy_file_offset, RW_SEEK_SET);
  13.198    hierarchy = read_xcf_hierarchy (src);
  13.199  
  13.200 +  if (hierarchy->bpp > 4) {  /* unsupported. */
  13.201 +    fprintf (stderr, "Unknown Gimp image bpp (%u)\n", (unsigned int) hierarchy->bpp);
  13.202 +    free_xcf_hierarchy(hierarchy);
  13.203 +    return 1;
  13.204 +  }
  13.205 +
  13.206 +  if ((hierarchy->width > 20000) || (hierarchy->height > 20000)) {  /* arbitrary limit to avoid integer overflow. */
  13.207 +    fprintf (stderr, "Gimp image too large (%ux%u)\n", (unsigned int) hierarchy->width, (unsigned int) hierarchy->height);
  13.208 +    free_xcf_hierarchy(hierarchy);
  13.209 +    return 1;
  13.210 +  }
  13.211 +
  13.212    level = NULL;
  13.213    for (i = 0; hierarchy->level_file_offsets [i]; i++) {
  13.214      SDL_RWseek (src, hierarchy->level_file_offsets [i], RW_SEEK_SET);
  13.215 @@ -580,11 +652,21 @@
  13.216  	   hierarchy->bpp,
  13.217  	   ox, oy);
  13.218        }
  13.219 +      if (!tile) {
  13.220 +	if (hierarchy)
  13.221 +	  free_xcf_hierarchy(hierarchy);
  13.222 +	if (level)
  13.223 +	  free_xcf_level(level);
  13.224 +	return 1;
  13.225 +      }
  13.226  
  13.227        p8  = tile;
  13.228        p16 = (Uint16 *) p8;
  13.229        p   = (Uint32 *) p8;
  13.230        for (y=ty; y < ty+oy; y++) {
  13.231 +	if ((ty >= surface->h) || ((tx+ox) > surface->w)) {
  13.232 +	  break;
  13.233 +	}
  13.234  	row = (Uint32 *)((Uint8 *)surface->pixels + y*surface->pitch + tx*4);
  13.235  	switch (hierarchy->bpp) {
  13.236  	case 4:
  13.237 @@ -594,9 +676,9 @@
  13.238  	case 3:
  13.239  	  for (x=tx; x < tx+ox; x++) {
  13.240  	    *row = 0xFF000000;
  13.241 -	    *row |= ((Uint32) *(p8++) << 16);
  13.242 -	    *row |= ((Uint32) *(p8++) << 8);
  13.243 -	    *row |= ((Uint32) *(p8++) << 0);
  13.244 +	    *row |= ((Uint32)*p8++ << 16);
  13.245 +	    *row |= ((Uint32)*p8++ << 8);
  13.246 +	    *row |= ((Uint32)*p8++ << 0);
  13.247  	    row++;
  13.248  	  }
  13.249  	  break;
  13.250 @@ -607,7 +689,7 @@
  13.251  	      *row =  ((Uint32) (head->cm_map [*p8*3])     << 16);
  13.252  	      *row |= ((Uint32) (head->cm_map [*p8*3+1])   << 8);
  13.253  	      *row |= ((Uint32) (head->cm_map [*p8++*3+2]) << 0);
  13.254 -	      *row |= ((Uint32) *p8++ << 24);;
  13.255 +	      *row |= ((Uint32) *p8++ << 24);
  13.256  	      row++;
  13.257  	    }
  13.258  	    break;
  13.259 @@ -616,12 +698,16 @@
  13.260  	      *row = ((Uint32) *p8 << 16);
  13.261  	      *row |= ((Uint32) *p8 << 8);
  13.262  	      *row |= ((Uint32) *p8++ << 0);
  13.263 -	      *row |= ((Uint32) *p8++ << 24);;
  13.264 +	      *row |= ((Uint32) *p8++ << 24);
  13.265  	      row++;
  13.266  	    }
  13.267  	    break;	    
  13.268  	  default:
  13.269  	    fprintf (stderr, "Unknown Gimp image type (%d)\n", head->image_type);
  13.270 +	    if (hierarchy)
  13.271 +	      free_xcf_hierarchy(hierarchy);
  13.272 +	    if (level)
  13.273 +	      free_xcf_level (level);
  13.274  	    return 1;
  13.275  	  }
  13.276  	  break;
  13.277 @@ -647,11 +733,19 @@
  13.278  	    break;	    
  13.279  	  default:
  13.280  	    fprintf (stderr, "Unknown Gimp image type (%d)\n", head->image_type);
  13.281 +	    if (tile)
  13.282 +	      free_xcf_tile (tile);
  13.283 +	    if (level)
  13.284 +	      free_xcf_level (level);
  13.285 +	    if (hierarchy)
  13.286 +	      free_xcf_hierarchy (hierarchy);
  13.287  	    return 1;
  13.288  	  }
  13.289  	  break;
  13.290  	}
  13.291        }
  13.292 +      free_xcf_tile(tile);
  13.293 +
  13.294        tx += 64;
  13.295        if (tx >= level->width) {
  13.296  	tx = 0;
  13.297 @@ -660,8 +754,6 @@
  13.298        if (ty >= level->height) {
  13.299  	break;
  13.300        }
  13.301 -
  13.302 -      free_xcf_tile (tile);
  13.303      }
  13.304      free_xcf_level (level);
  13.305    }
  13.306 @@ -680,7 +772,7 @@
  13.307    xcf_layer  * layer;
  13.308    xcf_channel ** channel;
  13.309    int chnls, i, offsets;
  13.310 -  Uint32 offset, fp;
  13.311 +  Sint32 offset, fp;
  13.312  
  13.313    unsigned char * (* load_tile) (SDL_RWops *, Uint32, int, int, int);
  13.314  
  13.315 @@ -694,6 +786,9 @@
  13.316    surface = NULL;
  13.317  
  13.318    head = read_xcf_header (src);
  13.319 +  if (!head) {
  13.320 +    return NULL;
  13.321 +  }
  13.322  
  13.323    switch (head->compr) {
  13.324    case COMPR_NONE:
  13.325 @@ -717,16 +812,15 @@
  13.326      goto done;
  13.327    }
  13.328  
  13.329 -  head->layer_file_offsets = NULL;
  13.330    offsets = 0;
  13.331  
  13.332    while ((offset = SDL_ReadBE32 (src))) {
  13.333      head->layer_file_offsets = (Uint32 *) realloc (head->layer_file_offsets, sizeof (Uint32) * (offsets+1));
  13.334 -    head->layer_file_offsets [offsets] = offset;
  13.335 +    head->layer_file_offsets [offsets] = (Uint32)offset;
  13.336      offsets++;
  13.337    }
  13.338    fp = SDL_RWtell (src);
  13.339 - 
  13.340 +
  13.341    lays = SDL_AllocSurface(SDL_SWSURFACE, head->width, head->height, 32,
  13.342  			  0x00FF0000,0x0000FF00,0x000000FF,0xFF000000);
  13.343  
  13.344 @@ -784,11 +878,12 @@
  13.345      for (i = 0; i < chnls; i++) {
  13.346        //      printf ("CNLBLT %i\n", i);
  13.347        if (!channel [i]->selection && channel [i]->visible) {
  13.348 -	create_channel_surface (chs, head->image_type, channel [i]->color, channel [i]->opacity);
  13.349 +	create_channel_surface (chs, (xcf_image_type)head->image_type, channel [i]->color, channel [i]->opacity);
  13.350  	SDL_BlitSurface (chs, NULL, surface, NULL);
  13.351        }
  13.352        free_xcf_channel (channel [i]);
  13.353      }
  13.354 +    free(channel);
  13.355  
  13.356      SDL_FreeSurface (chs);
  13.357    }
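--- a/IMG_xpm.c	Tue Oct 16 10:50:15 2018 +0300
+++ b/IMG_xpm.c	Tue Oct 16 20:02:02 2018 +0300
@@ -106,7 +106,7 @@
 
 	/* we know how many entries we need, so we can allocate
 	   everything here */
-	hash = malloc(sizeof *hash);
+	hash = (struct color_hash *)malloc(sizeof *hash);
 	if(!hash)
 		return NULL;
 
@@ -117,13 +117,16 @@
 	hash->maxnum = maxnum;
 	bytes = hash->size * sizeof(struct hash_entry **);
 	hash->entries = NULL;	/* in case malloc fails */
-	hash->table = malloc(bytes);
-	if(!hash->table)
+	hash->table = (struct hash_entry **)malloc(bytes);
+	if(!hash->table) {
+		free(hash);
 		return NULL;
+	}
 	memset(hash->table, 0, bytes);
-	hash->entries = malloc(maxnum * sizeof(struct hash_entry));
+	hash->entries = (struct hash_entry *)malloc(maxnum * sizeof(struct hash_entry));
 	if(!hash->entries) {
 		free(hash->table);
+		free(hash);
 		return NULL;
 	}
 	hash->next_free = hash->entries;
@@ -158,7 +161,7 @@
 
 static void free_colorhash(struct color_hash *hash)
 {
-	if(hash && hash->table) {
+	if(hash) {
 		free(hash->table);
 		free(hash->entries);
 		free(hash);
@@ -262,7 +265,7 @@
 			len += 4;	/* "\",\n\0" */
 			if(len > buflen){
 				buflen = len;
-				linebufnew = realloc(linebuf, buflen);
+				linebufnew = (char *)realloc(linebuf, buflen);
 				if(!linebufnew) {
 					free(linebuf);
 					error = "Out of memory";
@@ -282,7 +285,7 @@
 					if(buflen == 0)
 						buflen = 16;
 					buflen *= 2;
-					linebufnew = realloc(linebuf, buflen);
+					linebufnew = (char *)realloc(linebuf, buflen);
 					if(!linebufnew) {
 						free(linebuf);
 						error = "Out of memory";
@@ -359,7 +362,7 @@
 		goto done;
 	}
 
-	keystrings = malloc(ncolors * cpp);
+	keystrings = (char *)malloc(ncolors * cpp);
 	if(!keystrings) {
 		error = "Out of memory";
 		goto done;
@@ -438,9 +441,11 @@
 
 	/* Read the pixels */
 	pixels_len = w * cpp;
-	dst = image->pixels;
+	dst = (Uint8 *)image->pixels;
 	for(y = 0; y < h; y++) {
 		line = get_next_line(xpmlines, src, pixels_len);
+		if (!line)
+			goto done;
 		if(indexed) {
 			/* optimization for some common cases */
 			if(cpp == 1)
@@ -489,6 +494,10 @@
 
 SDL_Surface *IMG_ReadXPMFromArray(char **xpm)
 {
+	if ( !xpm ) {
+		IMG_SetError("array is NULL");
+		return NULL;
+	}
 	return load_xpm(xpm, NULL);
 }
 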
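Review bot: The `keystrings = (char *)malloc(ncolors * cpp);` line in the `@@ -359,7 +362,7 @@` hunk still sizes the key table with an unchecked multiplication; the commit only adds the cast there. The declarations and the header parsing are outside the visible hunks, but if `ncolors` and `cpp` are `int` values taken from the image data, a large pair can wrap the product and leave the buffer smaller than the code that fills it presumably expects. A guard ahead of the allocation would close that, for example `if(cpp <= 0 || ncolors > INT_MAX / cpp) { error = "XPM colour table too large"; goto done; }`. The same concern applies to `pixels_len = w * cpp` in the pixel-reading hunk and to `maxnum * sizeof(struct hash_entry)` in the colour-hash allocation.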