From de470892c30c8344255fcd210cdf917954e38778 Mon Sep 17 00:00:00 2001
From: Tony Cook
Date: Fri, 18 Apr 2008 04:36:55 +0000
Subject: [PATCH] - check that the result of fileno($fh) is defined rather than simply true when read() or write() is supplied with an fh parameter. http://rt.cpan.org/Ticket/Display.html?id=35139 - i_scale_axis() wasn't checking the result of i_img_new_ch() resulting in a SIGSEGV when attempting to scale an image to a size too large to fit in memory. This is a NULL pointer access issue, not a buffer overflow. Added a check for the failure. scale_calculate() (and hence scale()) will now fail if any of the scale size parameters are a reference. http://rt.cpan.org/Ticket/Display.html?id=35172
---
 Changes | 18 ++++++++++++++++++
 Imager.pm | 18 +++++++++++++-----
 image.c | 5 +++++
 t/t40scale.t | 10 +++++++++-
 4 files changed, 45 insertions(+), 6 deletions(-)
diff --git a/Changes b/Changes
index c994ade5..e6ef2bfd 100644
--- a/Changes
+++ b/Changes
@@ -1,5 +1,23 @@
 Imager release history. Older releases can be found in Changes.old
+Imager 0.64 - unreleased
+===========
+
+Bug fixes:
+
+ - check that the result of fileno($fh) is defined rather than simply
+ true when read() or write() is supplied with an fh parameter.
+ http://rt.cpan.org/Ticket/Display.html?id=35139
+
+ - i_scale_axis() wasn't checking the result of i_img_new_ch()
+ resulting in a SIGSEGV when attempting to scale an image to a size
+ too large to fit in memory. This is a NULL pointer access issue,
+ not a buffer overflow.
+ Added a check for the failure.
+ scale_calculate() (and hence scale()) will now fail if any of the
+ scale size parameters are a reference.
+ http://rt.cpan.org/Ticket/Display.html?id=35172
+
 Imager 0.63 - 7 April 2008
 ===========
diff --git a/Imager.pm b/Imager.pm
index 7c9c12cc..446bd22c 100644
--- a/Imager.pm
+++ b/Imager.pm
@@ -1197,7 +1197,7 @@ sub _get_reader_io {
 }
 elsif ($input->{fh}) {
 my $fd = fileno($input->{fh});
- unless ($fd) {
+ unless (defined $fd) {
 $self->_set_error("Handle in fh option not opened");
 return;
 }
@@ -1248,7 +1248,7 @@ sub _get_writer_io {
 }
 elsif ($input->{fh}) {
 my $fd = fileno($input->{fh});
- unless ($fd) {
+ unless (defined $fd) {
 $self->_set_error("Handle in fh option not opened");
 return;
 }
@@ -2075,6 +2075,14 @@ sub scale_calculate {
 my %opts = ('type'=>'max', @_);
+ # none of these should be references
+ for my $name (qw/xpixels ypixels xscalefactor yscalefactor width height/) {
+ if (defined $opts{$name} && ref $opts{$name}) {
+ $self->_set_error("scale_calculate: $name parameter cannot be a reference");
+ return;
+ }
+ }
+
 my ($x_scale, $y_scale);
 my $width = $opts{width};
 my $height = $opts{height};
@@ -2178,12 +2186,12 @@ sub scale {
 if ($opts{qtype} eq 'normal') {
 $tmp->{IMG} = i_scaleaxis($self->{IMG}, $x_scale, 0);
 if ( !defined($tmp->{IMG}) ) {
- $self->{ERRSTR} = 'unable to scale image';
+ $self->{ERRSTR} = 'unable to scale image: ' . $self->_error_as_msg;
 return undef;
 }
 $img->{IMG}=i_scaleaxis($tmp->{IMG}, $y_scale, 1);
 if ( !defined($img->{IMG}) ) {
- $self->{ERRSTR}='unable to scale image';
+ $self->{ERRSTR}='unable to scale image: ' . $self->_error_as_msg;
 return undef;
 }
@@ -2200,7 +2208,7 @@ sub scale {
 elsif ($opts{'qtype'} eq 'mixing') {
 $img->{IMG} = i_scale_mixing($self->{IMG}, $new_width, $new_height);
 unless ($img->{IMG}) {
- $self->_set_error(Imager->_error_as_meg);
+ $self->_set_error(Imager->_error_as_msg);
 return;
 }
 return $img;
diff --git a/image.c b/image.c
index 27382f66..5dba629f 100644
--- a/image.c
+++ b/image.c
@@ -853,6 +853,7 @@ i_scaleaxis(i_img *im, float Value, int Axis) {
 i_color val,val1,val2;
 i_img *new_img;
+ i_clear_error();
 mm_log((1,"i_scaleaxis(im %p,Value %.2f,Axis %d)\n",im,Value,Axis));
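Review bot: The new `unless (defined $fd)` guard in _get_reader_io still lets through a handle that has no OS-level descriptor, because fileno() returns -1, a defined value, for in-memory handles opened on a scalar reference. That -1 would presumably be passed on to the fd-based I/O layer after the hunk, where the failure surfaces later with a less useful error. Consider `unless (defined $fd && $fd >= 0) {` here and in the _get_writer_io hunk that follows. Both function bodies continue outside their hunks, so what is done with `$fd` is not visible.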
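Review bot: The reference check added to scale_calculate lists `xscalefactor` and `yscalefactor` but not the plain `scalefactor` option, so `scale(scalefactor => {})` would presumably still reach the scaling code with a reference whose numeric value is its address. If the rest of scale_calculate, which lies outside this hunk, reads `$opts{scalefactor}`, add it to the list: `for my $name (qw/xpixels ypixels scalefactor xscalefactor yscalefactor width height/) {`. The comment above the loop could also say why references are rejected, for example `# a reference numifies to its address and would be taken as a huge size (RT #35172)`.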
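Review bot: The two changed lines in the 'normal' branch of scale() assign `$self->{ERRSTR}` directly, while the 'mixing' branch in the next hunk reports the same kind of failure through `$self->_set_error(...)`. Using the accessor in both places keeps error reporting on one code path: `$self->_set_error('unable to scale image: ' . $self->_error_as_msg);`. The unchanged `return undef;` after each assignment also differs from the bare `return;` in the mixing branch and yields a one-element list in list context; changing it alters behaviour, so it may belong in a separate commit. scale() starts and ends outside the hunk.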
@@ -880,6 +881,10 @@ i_scaleaxis(i_img *im, float Value, int Axis) {
 }
 new_img = i_img_empty_ch(NULL, hsize, vsize, im->channels);
+ if (!new_img) {
+ i_push_error(0, "cannot create output image");
+ return NULL;
+ }
 /* 1.4 is a magic number, setting it to 2 will cause rather blurred images */
 LanczosWidthFactor = (Value >= 1) ? 1 : (int) (1.4/Value);
diff --git a/t/t40scale.t b/t/t40scale.t
index f4de6408..4ffcc25e 100644
--- a/t/t40scale.t
+++ b/t/t40scale.t
@@ -1,6 +1,6 @@
 #!perl -w
 use strict;
-use Test::More tests => 228;
+use Test::More tests => 230;
 BEGIN { use_ok(Imager=>':all') }
 use Imager::Test qw(is_image is_color4);
@@ -213,6 +213,14 @@ SKIP:
 "class method scale_factor");
 }
+{ # passing a reference for scaling parameters should fail
+ # RT #35172
+ my $im = Imager->new(xsize => 100, ysize => 100);
+ ok(!$im->scale(xpixels => {}), "can't use a reference as a size");
+ cmp_ok($im->errstr, '=~', "xpixels parameter cannot be a reference",
+ "check error message");
+}
+
 sub scale_test {
 my ($in, $method, $exp_width, $exp_height, $note, @parms) = @_;
--
2.39.5
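Review bot: The added NULL check after `i_img_empty_ch()` handles the allocation failure, but it relies on `hsize` and `vsize` already being sane ints when they are passed in. Their computation is outside this hunk; if they come from multiplying an image dimension by the float `Value` and casting to int, an out-of-range result is undefined behaviour in C before the callee has a chance to reject it. A range check on the product before the cast, pushing an error and returning NULL in the same way, would close that gap. A short comment on the new block, such as `/* i_img_empty_ch() fails when the requested size cannot be allocated */`, would record why the check exists.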
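Review bot: The new test block's `cmp_ok($im->errstr, '=~', "xpixels parameter cannot be a reference", ...)` uses a plain string as the pattern; `like($im->errstr, qr/xpixels parameter cannot be a reference/, "check error message");` states the intent directly and prints both the value and the pattern on failure. The block exercises only `xpixels`, so the other five names checked in scale_calculate are untested. The new allocation-failure return in image.c also has no test in this commit.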