summaryrefslogtreecommitdiffstats
path: root/wxgtk/overflow.patch
diff options
context:
space:
mode:
Diffstat (limited to 'wxgtk/overflow.patch')
-rw-r--r--wxgtk/overflow.patch66
1 files changed, 66 insertions, 0 deletions
diff --git a/wxgtk/overflow.patch b/wxgtk/overflow.patch
new file mode 100644
index 000000000..543bdff12
--- /dev/null
+++ b/wxgtk/overflow.patch
@@ -0,0 +1,66 @@
+Index: /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagpng.cpp
+===================================================================
+--- /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagpng.cpp (revision 53479)
++++ /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagpng.cpp (revision 60875)
+@@ -569,5 +569,7 @@
+ goto error;
+
+- lines = (unsigned char **)malloc( (size_t)(height * sizeof(unsigned char *)) );
++ // initialize all line pointers to NULL to ensure that they can be safely
++ // free()d if an error occurs before all of them could be allocated
++ lines = (unsigned char **)calloc(height, sizeof(unsigned char *));
+ if ( !lines )
+ goto error;
+@@ -576,9 +578,5 @@
+ {
+ if ((lines[i] = (unsigned char *)malloc( (size_t)(width * (sizeof(unsigned char) * 4)))) == NULL)
+- {
+- for ( unsigned int n = 0; n < i; n++ )
+- free( lines[n] );
+ goto error;
+- }
+ }
+
+Index: /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagtiff.cpp
+===================================================================
+--- /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagtiff.cpp (revision 48694)
++++ /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagtiff.cpp (revision 60876)
+@@ -262,5 +262,4 @@
+
+ uint32 w, h;
+- uint32 npixels;
+ uint32 *raster;
+
+@@ -276,7 +275,18 @@
+ samplesInfo[0] == EXTRASAMPLE_UNASSALPHA));
+
+- npixels = w * h;
+-
+- raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) );
++ // guard against integer overflow during multiplication which could result
++ // in allocating a too small buffer and then overflowing it
++ const double bytesNeeded = w * h * sizeof(uint32);
++ if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ )
++ {
++ if ( verbose )
++ wxLogError( _("TIFF: Image size is abnormally big.") );
++
++ TIFFClose(tif);
++
++ return false;
++ }
++
++ raster = (uint32*) _TIFFmalloc( bytesNeeded );
+
+ if (!raster)
+Index: /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagtiff.cpp
+===================================================================
+--- /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagtiff.cpp (revision 60876)
++++ /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagtiff.cpp (revision 60897)
+@@ -277,5 +277,5 @@
+ // guard against integer overflow during multiplication which could result
+ // in allocating a too small buffer and then overflowing it
+- const double bytesNeeded = w * h * sizeof(uint32);
++ const double bytesNeeded = (double)w * (double)h * sizeof(uint32);
+ if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ )
+ {