summaryrefslogtreecommitdiffstats
path: root/wxgtk/overflow.patch
blob: 543bdff12ac243641edb5f83187115e52244aad9 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
Index: /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagpng.cpp
===================================================================
--- /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagpng.cpp (revision 53479)
+++ /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagpng.cpp (revision 60875)
@@ -569,5 +569,7 @@
         goto error;
 
-    lines = (unsigned char **)malloc( (size_t)(height * sizeof(unsigned char *)) );
+    // initialize all line pointers to NULL to ensure that they can be safely
+    // free()d if an error occurs before all of them could be allocated
+    lines = (unsigned char **)calloc(height, sizeof(unsigned char *));
     if ( !lines )
         goto error;
@@ -576,9 +578,5 @@
     {
         if ((lines[i] = (unsigned char *)malloc( (size_t)(width * (sizeof(unsigned char) * 4)))) == NULL)
-        {
-            for ( unsigned int n = 0; n < i; n++ )
-                free( lines[n] );
             goto error;
-        }
     }
 
Index: /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagtiff.cpp
===================================================================
--- /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagtiff.cpp (revision 48694)
+++ /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagtiff.cpp (revision 60876)
@@ -262,5 +262,4 @@
 
     uint32 w, h;
-    uint32 npixels;
     uint32 *raster;
 
@@ -276,7 +275,18 @@
                             samplesInfo[0] == EXTRASAMPLE_UNASSALPHA));
 
-    npixels = w * h;
-
-    raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) );
+    // guard against integer overflow during multiplication which could result
+    // in allocating a too small buffer and then overflowing it
+    const double bytesNeeded = w * h * sizeof(uint32);
+    if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ )
+    {
+        if ( verbose )
+            wxLogError( _("TIFF: Image size is abnormally big.") );
+
+        TIFFClose(tif);
+
+        return false;
+    }
+
+    raster = (uint32*) _TIFFmalloc( bytesNeeded );
 
     if (!raster)
Index: /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagtiff.cpp
===================================================================
--- /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagtiff.cpp (revision 60876)
+++ /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagtiff.cpp (revision 60897)
@@ -277,5 +277,5 @@
     // guard against integer overflow during multiplication which could result
     // in allocating a too small buffer and then overflowing it
-    const double bytesNeeded = w * h * sizeof(uint32);
+    const double bytesNeeded = (double)w * (double)h * sizeof(uint32);
     if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ )
     {