fix multiplication overflow - lel - Farbfeld image viewer | |
commit cbc30c2bf4a8942b1bddebb51b8fa640840ea8d2 | |
parent 315842241bfb79a764962c2ed86f24db2a5a3946 | |
Author: NRK <[email protected]> | |
Date: Thu, 15 Feb 2024 07:03:31 +0000 | |
fix multiplication overflow | |
there are lots of places where width/height are being | |
multiplied, avoid loading images where such multiplications | |
would overflow. to reproduce: | |
[lel master]~> gcc -g3 -std=c99 -Wall -pedantic -DVERSION=\"0.2\" lel.c… | |
[lel master]~> printf "farbfeld\x00\xff\xff\xff\x00\xff\xff\xff" | ./lel | |
lel.c:114:37: runtime error: signed integer overflow: 16777215 * 167772… | |
Diffstat: | |
M lel.c | 4 ++++ | |
1 file changed, 4 insertions(+), 0 deletions(-) | |
--- | |
diff --git a/lel.c b/lel.c | |
@@ -8,6 +8,7 @@ | |
#include <stdlib.h> | |
#include <string.h> | |
#include <time.h> | |
+#include <limits.h> | |
#include <unistd.h> | |
#include <X11/Xlib.h> | |
@@ -111,6 +112,9 @@ ff_open(struct img *img) | |
if (img->width <= 0 || img->height <= 0) | |
return -1; | |
+ if (img->width > (INT_MAX/4)/img->height) /* w*h*4 would overflow `int… | |
+ return -1; | |
+ | |
if (!(img->buf = malloc(img->width * img->height * 4))) | |
die("malloc:"); | |
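Review bot: The added guard bounds only the product `width * height * 4` in `int`. The commit message says the dimensions are multiplied in many places, so any site outside this hunk that uses a larger factor or a scaled dimension could still overflow for a header that passes this check; none of those sites are visible here, so this needs confirming against the rest of lel.c. Because width and height come from the untrusted farbfeld header, I would state the resulting invariant at the check, for example `/* from here on width * height * 4 <= INT_MAX; any larger factor needs its own bound */`, so later code does not assume more than the check guarantees. The body of ff_open starts and ends outside the hunk.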