fix multiplication overflow - lel - Farbfeld image viewer
git clone git://git.codemadness.org/lel
---
commit cbc30c2bf4a8942b1bddebb51b8fa640840ea8d2
parent 315842241bfb79a764962c2ed86f24db2a5a3946
Author: NRK <nrk@disroot.org>
Date: Thu, 15 Feb 2024 07:03:31 +0000
fix multiplication overflow
there are lots of places where width/height are being
multiplied, avoid loading images where such multiplications
would overflow. to reproduce:
[lel master]~> gcc -g3 -std=c99 -Wall -pedantic -DVERSION=\"0.2\" lel.c -fsanitize=address,undefined -o lel -lX11
[lel master]~> printf "farbfeld\x00\xff\xff\xff\x00\xff\xff\xff" | ./lel
lel.c:114:37: runtime error: signed integer overflow: 16777215 * 16777215 cannot be represented in type 'int'
Diffstat:
M lel.c | 4 ++++
1 file changed, 4 insertions(+), 0 deletions(-)
---
(DIR) diff --git a/lel.c b/lel.c
@@ -8,6 +8,7 @@
#include <stdlib.h>
#include <string.h>
#include <time.h>
+#include <limits.h>
#include <unistd.h>
#include <X11/Xlib.h>
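Review bot: The new `#include <limits.h>` is placed between `<time.h>` and `<unistd.h>`, which breaks the alphabetical order the neighbouring standard headers follow (`<stdlib.h>`, `<string.h>`, `<time.h>`, `<unistd.h>`). Moving it to its sorted position above `<stdlib.h>` would keep the include list consistent.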
@@ -111,6 +112,9 @@ ff_open(struct img *img)
if (img->width <= 0 || img->height <= 0)
return -1;
+ if (img->width > (INT_MAX/4)/img->height) /* w*h*4 would overflow `int` */
+ return -1;
+
if (!(img->buf = malloc(img->width * img->height * 4)))
die("malloc:");
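Review bot: The new guard in ff_open() divides by `img->height`, which is only safe because the `img->width <= 0 || img->height <= 0` test directly above has already rejected zero and negative values. That ordering dependency is implicit, so a short comment on it, or folding both tests into one condition, would prevent a later reorder from turning the check into a divide-by-zero. Separately, the `malloc` argument is still evaluated in `int` and only then converted to `size_t`, so this one bound is all that protects the call. Writing it as `malloc((size_t)img->width * img->height * 4)` would make the allocation site correct on its own, while the `INT_MAX/4` limit stays in place for the other width/height products the commit message refers to.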