 |
Prevent overflow in rowlen and improve inaccuracies in style - farbfeld - suckl… |
 |
git clone git://git.suckless.org/farbfeld |
 |
Log |
|
Files |
|
Refs |
|
README |
|
LICENSE |
|
--- |
|
commit e637aae67ededf6a4a0b4d490d02f3294f297b71 |
|
parent 49cef794d9cef3c1ab8478963a7f778c8c28eb70 |
|
Author: FRIGN <[email protected]> |
|
Date: Fri, 18 Mar 2016 19:49:11 +0100 |
|
|
|
Prevent overflow in rowlen and improve inaccuracies in style |
|
|
|
Diffstat: |
|
M ff2png.c | 6 +++++- |
|
M jpg2ff.c | 5 ++--- |
|
M png2ff.c | 11 +++++++---- |
|
|
|
3 files changed, 14 insertions(+), 8 deletions(-) |
|
--- |
|
diff --git a/ff2png.c b/ff2png.c |
|
@@ -61,7 +61,11 @@ main(int argc, char *argv[]) |
|
png_write_info(pngs, pngi); |
|
|
|
/* write rows */ |
|
- rowlen = (sizeof("RGBA") - 1) * width; |
|
+ if (width > SIZE_MAX / ((sizeof("RGBA") - 1) * sizeof(uint16_t))) { |
|
+ fprintf(stderr, "%s: row length integer overflow\n", argv0); |
|
+ return 1; |
|
+ } |
|
+ rowlen = width * (sizeof("RGBA") - 1); |
|
if (!(row = malloc(rowlen * sizeof(uint16_t)))) { |
|
fprintf(stderr, "%s: malloc: out of memory\n", argv0); |
|
return 1; |
|
diff --git a/jpg2ff.c b/jpg2ff.c |
|
@@ -5,7 +5,6 @@ |
|
#include <stdint.h> |
|
#include <stdio.h> |
|
#include <stdlib.h> |
|
-#include <string.h> |
|
|
|
#include <jpeglib.h> |
|
|
|
@@ -58,7 +57,7 @@ main(int argc, char *argv[]) |
|
jpgrow = (*js.mem->alloc_sarray)((j_common_ptr)&js, |
|
JPOOL_IMAGE, width * |
|
js.output_components, 1); |
|
- rowlen = strlen("RGBA") * width; |
|
+ rowlen = width * (sizeof("RGBA") - 1); |
|
if(!(row = malloc(rowlen * sizeof(uint16_t)))) { |
|
fprintf(stderr, "%s: malloc: out of memory\n", argv0); |
|
return 1; |
|
@@ -89,7 +88,7 @@ main(int argc, char *argv[]) |
|
} |
|
|
|
/* write data */ |
|
- if (fwrite(row, 2, rowlen, stdout) != rowlen) |
|
+ if (fwrite(row, sizeof(uint16_t), rowlen, stdout) != rowlen) |
|
goto writerr; |
|
} |
|
jpeg_finish_decompress(&js); |
|
diff --git a/png2ff.c b/png2ff.c |
|
@@ -5,7 +5,6 @@ |
|
#include <stdint.h> |
|
#include <stdio.h> |
|
#include <stdlib.h> |
|
-#include <string.h> |
|
|
|
#include <png.h> |
|
|
|
@@ -57,7 +56,11 @@ main(int argc, char *argv[]) |
|
pngrows = png_get_rows(pngs, pngi); |
|
|
|
/* allocate output row buffer */ |
|
- rowlen = width * strlen("RGBA"); |
|
+ if (width > SIZE_MAX / ((sizeof("RGBA") - 1) * sizeof(uint16_t))) { |
|
+ fprintf(stderr, "%s: row length integer overflow\n", argv0); |
|
+ return 1; |
|
+ } |
|
+ rowlen = width * (sizeof("RGBA") - 1); |
|
if (!(row = malloc(rowlen * sizeof(uint16_t)))) { |
|
fprintf(stderr, "%s: malloc: out of memory\n", argv0); |
|
return 1; |
|
@@ -87,8 +90,8 @@ main(int argc, char *argv[]) |
|
break; |
|
case 16: |
|
for (r = 0; r < height; ++r) { |
|
- if (fwrite(pngrows[r], sizeof(uint16_t), |
|
- rowlen, stdout) != rowlen) { |
|
+ if (fwrite(pngrows[r], sizeof(uint16_t), rowlen, |
|
+ stdout) != rowlen) { |
|
goto writerr; |
|
} |
|
} |
