diff options
Diffstat (limited to 'wxgtk/overflow.patch')
-rw-r--r-- | wxgtk/overflow.patch | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/wxgtk/overflow.patch b/wxgtk/overflow.patch new file mode 100644 index 000000000..543bdff12 --- /dev/null +++ b/wxgtk/overflow.patch @@ -0,0 +1,66 @@ +Index: /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagpng.cpp +=================================================================== +--- /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagpng.cpp (revision 53479) ++++ /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagpng.cpp (revision 60875) +@@ -569,5 +569,7 @@ + goto error; + +- lines = (unsigned char **)malloc( (size_t)(height * sizeof(unsigned char *)) ); ++ // initialize all line pointers to NULL to ensure that they can be safely ++ // free()d if an error occurs before all of them could be allocated ++ lines = (unsigned char **)calloc(height, sizeof(unsigned char *)); + if ( !lines ) + goto error; +@@ -576,9 +578,5 @@ + { + if ((lines[i] = (unsigned char *)malloc( (size_t)(width * (sizeof(unsigned char) * 4)))) == NULL) +- { +- for ( unsigned int n = 0; n < i; n++ ) +- free( lines[n] ); + goto error; +- } + } + +Index: /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagtiff.cpp +=================================================================== +--- /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagtiff.cpp (revision 48694) ++++ /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagtiff.cpp (revision 60876) +@@ -262,5 +262,4 @@ + + uint32 w, h; +- uint32 npixels; + uint32 *raster; + +@@ -276,7 +275,18 @@ + samplesInfo[0] == EXTRASAMPLE_UNASSALPHA)); + +- npixels = w * h; +- +- raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) ); ++ // guard against integer overflow during multiplication which could result ++ // in allocating a too small buffer and then overflowing it ++ const double bytesNeeded = w * h * sizeof(uint32); ++ if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ ) ++ { ++ if ( verbose ) ++ wxLogError( _("TIFF: Image size is abnormally big.") ); ++ ++ TIFFClose(tif); ++ ++ return false; ++ } ++ ++ raster = (uint32*) _TIFFmalloc( bytesNeeded ); + + if (!raster) +Index: /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagtiff.cpp +=================================================================== +--- /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagtiff.cpp (revision 60876) ++++ /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagtiff.cpp (revision 60897) +@@ -277,5 +277,5 @@ + // guard against integer overflow during multiplication which could result + // in allocating a too small buffer and then overflowing it +- const double bytesNeeded = w * h * sizeof(uint32); ++ const double bytesNeeded = (double)w * (double)h * sizeof(uint32); + if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ ) + { |