Ticket [822330269b] Add check for overflow before image plain ckalloc.

author: oehhar <harald.oehlmann@elmicron.de> 2021-01-06 21:10:28 (GMT)
committer: oehhar <harald.oehlmann@elmicron.de> 2021-01-06 21:10:28 (GMT)
commit: b0485d1db2987e875693a1304438f2f98b4a0526 (patch)
tree: 46c661bef6be93f19ef8ed3c4a98026802829ee7 /generic/tkImgSVGnano.c
parent: 1754a52a4c38bb15ff6ceb6ac64514442ebbd989 (diff)
download: tk-b0485d1db2987e875693a1304438f2f98b4a0526.zip
tk-b0485d1db2987e875693a1304438f2f98b4a0526.tar.gz
tk-b0485d1db2987e875693a1304438f2f98b4a0526.tar.bz2
1 files changed, 8 insertions, 0 deletions
diff --git a/generic/tkImgSVGnano.c b/generic/tkImgSVGnano.c
index db4cc61..85288ec 100644
--- a/generic/tkImgSVGnano.c
+++ b/generic/tkImgSVGnano.c
@@ -591,6 +591,14 @@ RasterizeSVG(
 		NULL);
 	goto cleanAST;
     }
+
+    /* Tk Ticket [822330269b] Check potential int overflow in following ckalloc*/
+    if ( w * h < 0 || w * h > INT_MAX / 4) {
+	Tcl_SetObjResult(interp, Tcl_NewStringObj("image size overflow", -1));
+	Tcl_SetErrorCode(interp, "TK", "IMAGE", "SVG", "IMAGE_SIZE_OVERFLOW", NULL);
+	goto cleanRAST;
+    }
+    
     imgData = (unsigned char *)attemptckalloc(w * h *4);
     if (imgData == NULL) {
 	Tcl_SetObjResult(interp, Tcl_NewStringObj("cannot alloc image buffer", -1));
author	oehhar <harald.oehlmann@elmicron.de>	2021-01-06 21:10:28 (GMT)
committer	oehhar <harald.oehlmann@elmicron.de>	2021-01-06 21:10:28 (GMT)
commit	b0485d1db2987e875693a1304438f2f98b4a0526 (patch)
tree	46c661bef6be93f19ef8ed3c4a98026802829ee7 /generic/tkImgSVGnano.c
parent	1754a52a4c38bb15ff6ceb6ac64514442ebbd989 (diff)
download	tk-b0485d1db2987e875693a1304438f2f98b4a0526.zip tk-b0485d1db2987e875693a1304438f2f98b4a0526.tar.gz tk-b0485d1db2987e875693a1304438f2f98b4a0526.tar.bz2