diff options
author | fvogel <fvogelnew1@free.fr> | 2017-06-02 20:48:47 (GMT) |
---|---|---|
committer | fvogel <fvogelnew1@free.fr> | 2017-06-02 20:48:47 (GMT) |
commit | d0942929072fbd783a8d54d44e791739ae74445c (patch) | |
tree | e097a9bb028efeeed973a629a64a7dfaa05f6bd8 /generic/tkImgPhoto.c | |
parent | f316411ab53090e608f187721f6f1c96e1d0676d (diff) | |
download | tk-d0942929072fbd783a8d54d44e791739ae74445c.zip tk-d0942929072fbd783a8d54d44e791739ae74445c.tar.gz tk-d0942929072fbd783a8d54d44e791739ae74445c.tar.bz2 |
Fixed [b601ce3ab1]: A corrupted image can cause resource exhaustion. Patch for core-8-5-branch from Keith Nash
Diffstat (limited to 'generic/tkImgPhoto.c')
-rw-r--r-- | generic/tkImgPhoto.c | 28 |
1 files changed, 18 insertions, 10 deletions
diff --git a/generic/tkImgPhoto.c b/generic/tkImgPhoto.c index f6fee84..4e1aa01 100644 --- a/generic/tkImgPhoto.c +++ b/generic/tkImgPhoto.c @@ -3008,6 +3008,10 @@ ImgPhotoSetSize( height = masterPtr->userHeight; } + if (width > INT_MAX / 4) { + /* Pitch overflows int */ + return TCL_ERROR; + } pitch = width * 4; /* @@ -3023,6 +3027,10 @@ ImgPhotoSetSize( unsigned /*long*/ newPixSize = (unsigned /*long*/) (height * pitch); + if (pitch && height > (int)(UINT_MAX / pitch)) { + return TCL_ERROR; + } + /* * Some mallocs() really hate allocating zero bytes. [Bug 619544] */ @@ -3073,14 +3081,14 @@ ImgPhotoSetSize( if ((masterPtr->pix32 != NULL) && ((width == masterPtr->width) || (width == validBox.width))) { if (validBox.y > 0) { - memset(newPix32, 0, (size_t) (validBox.y * pitch)); + memset(newPix32, 0, ((size_t) validBox.y * pitch)); } h = validBox.y + validBox.height; if (h < height) { - memset(newPix32 + h*pitch, 0, (size_t) ((height - h) * pitch)); + memset(newPix32 + h*pitch, 0, ((size_t) (height - h) * pitch)); } } else { - memset(newPix32, 0, (size_t) (height * pitch)); + memset(newPix32, 0, ((size_t) height * pitch)); } if (masterPtr->pix32 != NULL) { @@ -3097,7 +3105,7 @@ ImgPhotoSetSize( offset = validBox.y * pitch; memcpy(newPix32 + offset, masterPtr->pix32 + offset, - (size_t) (validBox.height * pitch)); + ((size_t) validBox.height * pitch)); } else if ((validBox.width > 0) && (validBox.height > 0)) { /* @@ -3108,7 +3116,7 @@ ImgPhotoSetSize( srcPtr = masterPtr->pix32 + (validBox.y * masterPtr->width + validBox.x) * 4; for (h = validBox.height; h > 0; h--) { - memcpy(destPtr, srcPtr, (size_t) (validBox.width * 4)); + memcpy(destPtr, srcPtr, ((size_t) validBox.width * 4)); destPtr += width * 4; srcPtr += masterPtr->width * 4; } @@ -3266,7 +3274,7 @@ ImgPhotoInstanceSetSize( if (masterPtr->width == instancePtr->width) { offset = validBox.y * masterPtr->width * 3; memcpy(newError + offset, instancePtr->error + offset, - (size_t) (validBox.height + ((size_t) validBox.height * masterPtr->width * 3 * sizeof(schar))); } else if (validBox.width > 0 && validBox.height > 0) { @@ -4419,7 +4427,7 @@ Tk_PhotoPutBlock( && (blockPtr->pitch == pitch))) && (compRule == TK_PHOTO_COMPOSITE_SET)) { memmove(destLinePtr, blockPtr->pixelPtr + blockPtr->offset[0], - (size_t) (height * width * 4)); + ((size_t) height * width * 4)); /* * We know there's an alpha offset and we're setting the data, so skip @@ -4451,7 +4459,7 @@ Tk_PhotoPutBlock( && (blueOffset == 2) && (alphaOffset == 3) && (width <= blockPtr->width) && compRuleSet) { - memcpy(destLinePtr, srcLinePtr, (size_t) (width * 4)); + memcpy(destLinePtr, srcLinePtr, ((size_t) width * 4)); srcLinePtr += blockPtr->pitch; destLinePtr += pitch; continue; @@ -5425,12 +5433,12 @@ Tk_PhotoBlank( */ memset(masterPtr->pix32, 0, - (size_t) (masterPtr->width * masterPtr->height * 4)); + ((size_t) masterPtr->width * masterPtr->height * 4)); for (instancePtr = masterPtr->instancePtr; instancePtr != NULL; instancePtr = instancePtr->nextPtr) { if (instancePtr->error) { memset(instancePtr->error, 0, - (size_t) (masterPtr->width * masterPtr->height + ((size_t) masterPtr->width * masterPtr->height * 3 * sizeof(schar))); } } |