Check the number of scanned items. (#168906, Morten Welinder)

[~andy/gtk] / gdk-pixbuf / io-xpm.c

diff --git a/gdk-pixbuf/io-xpm.c b/gdk-pixbuf/io-xpm.c
index f8267d5b717acd1b23c1a786fa20b25911d6d740..45a7cae46265da9ff42a731b2a4a867c066927a6 100644 (file)
--- a/gdk-pixbuf/io-xpm.c
+++ b/gdk-pixbuf/io-xpm.c
@@ -34,7 +34,7 @@
 #include <errno.h>
 #include "gdk-pixbuf-private.h"
 #include "gdk-pixbuf-io.h"
-
+#include <glib/gstdio.h>
 \f
 
 /* I have must have done something to deserve this.
@@ -1230,6 +1230,15 @@ pixbuf_create_from_xpm (const gchar * (*get_buf) (enum buf_op op, gpointer handl
                return NULL;
        }
        items = sscanf (buffer, "%d %d %d %d %d %d", &w, &h, &n_col, &cpp, &x_hot, &y_hot);
+
+       if (items != 4 && items != 6) {
+               g_set_error (error,
+                             GDK_PIXBUF_ERROR,
+                             GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+                             _("Invalid XPM header"));
+               return NULL;
+       }
+
        if (w <= 0) {
                 g_set_error (error,
                              GDK_PIXBUF_ERROR,
@@ -1499,7 +1508,7 @@ gdk_pixbuf__xpm_image_stop_load (gpointer data,
        }
 
        fclose (context->file);
-       unlink (context->tempname);
+       g_unlink (context->tempname);
        g_free (context->tempname);
        g_free ((XPMContext *) context);