diff options
author | dgp <dgp@users.sourceforge.net> | 2015-05-20 12:34:32 (GMT) |
---|---|---|
committer | dgp <dgp@users.sourceforge.net> | 2015-05-20 12:34:32 (GMT) |
commit | 670cc8175d070b56068e54ebf6fd1b69eb31af7d (patch) | |
tree | 4ad484cb11fae2f1d1723b453e43bdf7177242d4 | |
parent | 511a4b5d5ef8ff90218dd3aa8c85478bd5f56a36 (diff) | |
download | tk-670cc8175d070b56068e54ebf6fd1b69eb31af7d.zip tk-670cc8175d070b56068e54ebf6fd1b69eb31af7d.tar.gz tk-670cc8175d070b56068e54ebf6fd1b69eb31af7d.tar.bz2 |
[dece631375] More mem alloc overflow check and init with proper unsigneds.
-rw-r--r-- | generic/tkImgGIF.c | 15 |
1 files changed, 13 insertions, 2 deletions
diff --git a/generic/tkImgGIF.c b/generic/tkImgGIF.c index 6273c69..fbfe621 100644 --- a/generic/tkImgGIF.c +++ b/generic/tkImgGIF.c @@ -393,7 +393,8 @@ FileReadGIF( * image being read. */ { int fileWidth, fileHeight, imageWidth, imageHeight; - int nBytes, index = 0, argc = 0, i, result = TCL_ERROR; + unsigned int nBytes; + int index = 0, argc = 0, i, result = TCL_ERROR; Tcl_Obj **objv; unsigned char buf[100]; unsigned char *trashBuffer = NULL; @@ -426,8 +427,9 @@ FileReadGIF( return TCL_ERROR; } for (i = 1; i < argc; i++) { + int optionIdx; if (Tcl_GetIndexFromObjStruct(interp, objv[i], optionStrings, - sizeof(char *), "option name", 0, &nBytes) != TCL_OK) { + sizeof(char *), "option name", 0, &optionIdx) != TCL_OK) { return TCL_ERROR; } if (i == (argc-1)) { @@ -591,6 +593,9 @@ FileReadGIF( */ if (trashBuffer == NULL) { + if (fileWidth > (UINT_MAX/3)/fileHeight) { + goto error; + } nBytes = fileWidth * fileHeight * 3; trashBuffer = ckalloc(nBytes); if (trashBuffer) { @@ -679,7 +684,13 @@ FileReadGIF( block.offset[1] = 1; block.offset[2] = 2; block.offset[3] = (transparent>=0) ? 3 : 0; + if (imageWidth > INT_MAX/block.pixelSize) { + goto error; + } block.pitch = block.pixelSize * imageWidth; + if (imageHeight > UINT_MAX/block.pitch) { + goto error; + } nBytes = block.pitch * imageHeight; block.pixelPtr = ckalloc(nBytes); if (block.pixelPtr) { |