From baf50cec89d10055217a3bb210d389694fb1d389 Mon Sep 17 00:00:00 2001
From: Vincent Sanders
Date: Thu, 25 Oct 2012 11:12:41 +0100
Subject: make image content handlers title setting use the heap instead of the stack and remove the possibility of buffer overruns
---
 image/bmp.c | 16 ++++++++++------
 image/gif.c | 15 ++++++++++-----
 image/ico.c | 15 ++++++++++-----
 image/jpeg.c | 10 +++++++---
 image/mng.c | 24 +++++++++++++++---------
 image/nssprite.c | 13 +++++++++----
 image/png.c | 10 ++++++----
 image/webp.c | 11 ++++++++---
 8 files changed, 75 insertions(+), 39 deletions(-)
diff --git a/image/bmp.c b/image/bmp.c
index 5af042d3e..946bca83b 100644
--- a/image/bmp.c
+++ b/image/bmp.c
@@ -132,7 +132,7 @@ static bool nsbmp_convert(struct content *c)
 uint32_t swidth;
 const char *data;
 unsigned long size;
- char title[512];
+ char *title;
 /* set the bmp data */
 data = content__get_source_data(c, &size);
@@ -156,15 +156,19 @@ static bool nsbmp_convert(struct content *c)
 /* Store our content width and description */
 c->width = bmp->bmp->width;
 c->height = bmp->bmp->height;
- LOG(("BMP width %u height %u", c->width, c->height));
- snprintf(title, sizeof(title), messages_get("BMPTitle"),
- nsurl_access_leaf(llcache_handle_get_url(c->llcache)),
- c->width, c->height);
- content__set_title(c, title);
 swidth = bmp->bmp->bitmap_callbacks.bitmap_get_bpp(bmp->bmp->bitmap) * bmp->bmp->width;
 c->size += (swidth * bmp->bmp->height) + 16 + 44;
+ /* set title text */
+ title = messages_get_buff("BMPTitle",
+ nsurl_access_leaf(llcache_handle_get_url(c->llcache)),
+ c->width, c->height);
+ if (title != NULL) {
+ content__set_title(c, title);
+ free(title);
+ }
+
 /* exit as a success */
 bmp->bitmap = bmp->bmp->bitmap;
 bitmap_modified(bmp->bitmap);
diff --git a/image/gif.c b/image/gif.c
index a33f56200..704c9710b 100644
--- a/image/gif.c
+++ b/image/gif.c
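Review bot: In the second hunk of image/bmp.c (nsbmp_convert), a NULL return from messages_get_buff leaves the content without any title and without a log line, whereas the removed snprintf path called content__set_title unconditionally. messages_get_buff is not visible here, so it is an assumption that allocation failure is what NULL reports; either way a fallback keeps the title defined, e.g. `} else { content__set_title(c, nsurl_access_leaf(llcache_handle_get_url(c->llcache))); }`. The same block is repeated in the gif, ico, jpeg, mng (nsmng_convert and nsjpng_convert), nssprite, png and webp hunks, so the fallback is easiest to keep consistent in one shared helper. nsbmp_convert begins and ends outside the hunk.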
@@ -242,7 +242,7 @@ static bool nsgif_convert(struct content *c)
 union content_msg_data msg_data;
 const char *data;
 unsigned long size;
- char title[512];
+ char *title;
 /* Get the animation */
 data = content__get_source_data(c, &size);
@@ -275,14 +275,19 @@ static bool nsgif_convert(struct content *c)
 return false;
 }
- /* Store our content width and description */
+ /* Store our content width, height and calculate size */
 c->width = gif->gif->width;
 c->height = gif->gif->height;
- snprintf(title, sizeof(title), messages_get("GIFTitle"),
+ c->size += (gif->gif->width * gif->gif->height * 4) + 16 + 44;
+
+ /* set title text */
+ title = messages_get_buff("GIFTitle",
 nsurl_access_leaf(llcache_handle_get_url(c->llcache)),
 c->width, c->height);
- content__set_title(c, title);
- c->size += (gif->gif->width * gif->gif->height * 4) + 16 + 44;
+ if (title != NULL) {
+ content__set_title(c, title);
+ free(title);
+ }
 /* Schedule the animation if we have one */
 gif->current_frame = 0;
diff --git a/image/ico.c b/image/ico.c
index ff8f9204c..e455a59d9 100644
--- a/image/ico.c
+++ b/image/ico.c
@@ -100,7 +100,7 @@ static bool nsico_convert(struct content *c)
 union content_msg_data msg_data;
 const char *data;
 unsigned long size;
- char title[512];
+ char *title;
 /* set the ico data */
 data = content__get_source_data(c, &size);
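Review bot: The re-added accounting line `c->size += (gif->gif->width * gif->gif->height * 4) + 16 + 44;` in the second hunk of image/gif.c multiplies two dimensions taken from the decoded file in whatever type those fields have, and their declarations are not visible here. If they are 32-bit, a large canvas wraps the product and the content under-reports its size to whatever consumes c->size. Since the line is being moved anyway, widen before multiplying, `c->size += ((size_t)gif->gif->width * gif->gif->height * 4) + 16 + 44;`, or check the dimensions against a limit first. The second image/ico.c hunk carries the same expression on `ico->ico->width` and `ico->ico->height`. nsgif_convert continues outside the hunk.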
@@ -122,14 +122,19 @@ static bool nsico_convert(struct content *c)
 return false;
 }
- /* Store our content width and description */
+ /* Store our content width, height and calculate size */
 c->width = ico->ico->width;
 c->height = ico->ico->height;
- snprintf(title, sizeof(title), messages_get("ICOTitle"),
+ c->size += (ico->ico->width * ico->ico->height * 4) + 16 + 44;
+
+ /* set title text */
+ title = messages_get_buff("ICOTitle",
 nsurl_access_leaf(llcache_handle_get_url(c->llcache)),
 c->width, c->height);
- content__set_title(c, title);
- c->size += (ico->ico->width * ico->ico->height * 4) + 16 + 44;
+ if (title != NULL) {
+ content__set_title(c, title);
+ free(title);
+ }
 /* select largest icon to ensure one can be selected */
 bmp = ico_find(ico->ico, 255, 255);
diff --git a/image/jpeg.c b/image/jpeg.c
index 7c68fb668..fd18238f7 100644
--- a/image/jpeg.c
+++ b/image/jpeg.c
@@ -289,7 +289,7 @@ static bool nsjpeg_convert(struct content *c)
 union content_msg_data msg_data;
 const char *data;
 unsigned long size;
- char title[512];
+ char *title;
 /* check image header is valid and get width/height */
 data = content__get_source_data(c, &size);
@@ -325,10 +325,14 @@ static bool nsjpeg_convert(struct content *c)
 image_cache_add(c, NULL, jpeg_cache_convert);
- snprintf(title, sizeof(title), messages_get("JPEGTitle"),
+ /* set title text */
+ title = messages_get_buff("JPEGTitle",
 nsurl_access_leaf(llcache_handle_get_url(c->llcache)),
 c->width, c->height);
- content__set_title(c, title);
+ if (title != NULL) {
+ content__set_title(c, title);
+ free(title);
+ }
 content_set_ready(c);
 content_set_done(c);
diff --git a/image/mng.c b/image/mng.c
index 9ca9a2d48..518dc8552 100644
--- a/image/mng.c
+++ b/image/mng.c
@@ -541,7 +541,7 @@ static bool nsmng_convert(struct content *c)
 nsmng_content *mng = (nsmng_content *) c;
 mng_retcode status;
 unsigned long size;
- char title[512];
+ char *title;
 assert(c != NULL);
@@ -554,12 +554,15 @@ static bool nsmng_convert(struct content *c)
 return nsmng_broadcast_error(mng, -1) == NSERROR_OK;
 }
- /* Set the title
- */
- snprintf(title, sizeof(title), messages_get("MNGTitle"),
+
+ /* set title text */
+ title = messages_get_buff("MNGTitle",
 nsurl_access_leaf(llcache_handle_get_url(c->llcache)),
 c->width, c->height);
- content__set_title(c, title);
+ if (title != NULL) {
+ content__set_title(c, title);
+ free(title);
+ }
 c->size += c->width * c->height * 4;
 content_set_ready(c);
@@ -599,7 +602,7 @@ static bool nsjpng_convert(struct content *c)
 nsmng_content *mng = (nsmng_content *) c;
 mng_retcode status;
 unsigned long size;
- char title[512];
+ char *title;
 mng_handle handle;
 assert(c != NULL);
@@ -613,11 +616,14 @@ static bool nsjpng_convert(struct content *c)
 return nsmng_broadcast_error(mng, -1) == NSERROR_OK;
 }
- /* Set the title */
- snprintf(title, sizeof(title), messages_get("PNGTitle"),
+ /* set title text */
+ title = messages_get_buff("PNGTitle",
 nsurl_access_leaf(llcache_handle_get_url(c->llcache)),
 c->width, c->height);
- content__set_title(c, title);
+ if (title != NULL) {
+ content__set_title(c, title);
+ free(title);
+ }
 c->size += c->width * c->height * 4;
 content_set_ready(c);
diff --git a/image/nssprite.c b/image/nssprite.c
index ea05c8fe0..5f05c940a 100644
--- a/image/nssprite.c
+++ b/image/nssprite.c
@@ -98,7 +98,7 @@ static bool nssprite_convert(struct content *c)
 const char *data;
 unsigned long size;
- char title[100];
+ char *title;
 data = content__get_source_data(c, &size);
@@ -144,9 +144,14 @@ static bool nssprite_convert(struct content *c)
 c->width = sprite->width;
 c->height = sprite->height;
- snprintf(title, sizeof(title), messages_get("SpriteTitle"),
- c->width, c->height, size);
- content__set_title(c, title);
+ /* set title text */
+ title = messages_get_buff("SpriteTitle",
+ nsurl_access_leaf(llcache_handle_get_url(c->llcache)),
+ c->width, c->height);
+ if (title != NULL) {
+ content__set_title(c, title);
+ free(title);
+ }
 bitmap_modified(nssprite->bitmap);
diff --git a/image/png.c b/image/png.c
index 99482d63d..23c755825 100644
--- a/image/png.c
+++ b/image/png.c
@@ -510,7 +510,7 @@ png_cache_convert_error:
 static bool nspng_convert(struct content *c)
 {
 nspng_content *png_c = (nspng_content *) c;
- char title[512];
+ char *title;
 assert(png_c->png != NULL);
 assert(png_c->info != NULL);
@@ -519,11 +519,13 @@ static bool nspng_convert(struct content *c)
 png_destroy_read_struct(&png_c->png, &png_c->info, 0);
 /* set title text */
- snprintf(title, sizeof(title), messages_get("PNGTitle"),
+ title = messages_get_buff("PNGTitle",
 nsurl_access_leaf(llcache_handle_get_url(c->llcache)),
 c->width, c->height);
-
- content__set_title(c, title);
+ if (title != NULL) {
+ content__set_title(c, title);
+ free(title);
+ }
 if (png_c->bitmap != NULL) {
 bitmap_set_opaque(png_c->bitmap, bitmap_test_opaque(png_c->bitmap));
diff --git a/image/webp.c b/image/webp.c
index acf226b5f..fc4356c01 100644
--- a/image/webp.c
+++ b/image/webp.c
@@ -78,7 +78,7 @@ static bool webp_convert(struct content *c)
 unsigned char *imagebuf = NULL;
 unsigned long size;
 int width = 0, height = 0;
- char title[512];
+ char *title;
 int res = 0;
 uint8_t *res_p = NULL;
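Review bot: The messages_get_buff("SpriteTitle", ...) call in the second hunk of image/nssprite.c passes a different argument list from the snprintf it replaces: a `char *` leaf name, then width and height, where the old call passed `c->width, c->height, size` with `size` an unsigned long. The diffstat touches only image/*.c, so unless the "SpriteTitle" template is changed elsewhere its conversion specifiers still describe the old arguments, and formatting would then read a pointer as a number and fetch a third argument that is no longer supplied, which is undefined behaviour. Either update the template in the same change or keep the original arguments, `title = messages_get_buff("SpriteTitle", c->width, c->height, size);`. The format string comes from a message catalogue at run time, so the compiler cannot check it; a comment beside the call stating the expected specifiers would help translators and reviewers. nssprite_convert continues outside the hunk.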
@@ -116,10 +116,15 @@ static bool webp_convert(struct content *c)
 c->width = width;
 c->height = height;
- snprintf(title, sizeof(title), messages_get("WebPTitle"),
+
+ /* set title */
+ title = messages_get_buff("WebPTitle",
 nsurl_access_leaf(llcache_handle_get_url(c->llcache)),
 c->width, c->height);
- content__set_title(c, title);
+ if (title != NULL) {
+ content__set_title(c, title);
+ free(title);
+ }
 bitmap_modified(webp->bitmap);
-- cgit v1.2.3