[dece631375] More mem alloc overflow check and init with proper unsigneds.

1 files changed, 13 insertions, 2 deletions

diff --git a/generic/tkImgGIF.c b/generic/tkImgGIF.c
index 6273c69..fbfe621 100644
--- a/generic/tkImgGIF.c
+++ b/generic/tkImgGIF.c
@@ -393,7 +393,8 @@ FileReadGIF(
 				 * image being read. */
 {
     int fileWidth, fileHeight, imageWidth, imageHeight;
-    int nBytes, index = 0, argc = 0, i, result = TCL_ERROR;
+    unsigned int nBytes;
+    int index = 0, argc = 0, i, result = TCL_ERROR;
     Tcl_Obj **objv;
     unsigned char buf[100];
     unsigned char *trashBuffer = NULL;
@@ -426,8 +427,9 @@ FileReadGIF(
 	return TCL_ERROR;
     }
     for (i = 1; i < argc; i++) {
+	int optionIdx;
 	if (Tcl_GetIndexFromObjStruct(interp, objv[i], optionStrings,
-		sizeof(char *), "option name", 0, &nBytes) != TCL_OK) {
+		sizeof(char *), "option name", 0, &optionIdx) != TCL_OK) {
 	    return TCL_ERROR;
 	}
 	if (i == (argc-1)) {
@@ -591,6 +593,9 @@ FileReadGIF(
 	     */
 
 	    if (trashBuffer == NULL) {
+		if (fileWidth > (UINT_MAX/3)/fileHeight) {
+		    goto error;
+		}
 		nBytes = fileWidth * fileHeight * 3;
 		trashBuffer = ckalloc(nBytes);
 		if (trashBuffer) {
@@ -679,7 +684,13 @@ FileReadGIF(
 	block.offset[1] = 1;
 	block.offset[2] = 2;
 	block.offset[3] = (transparent>=0) ? 3 : 0;
+	if (imageWidth > INT_MAX/block.pixelSize) {
+	    goto error;
+	}
 	block.pitch = block.pixelSize * imageWidth;
+	if (imageHeight > UINT_MAX/block.pitch) {
+	    goto error;
+	}
 	nBytes = block.pitch * imageHeight;
 	block.pixelPtr = ckalloc(nBytes);
 	if (block.pixelPtr) {