commit e637aae67ededf6a4a0b4d490d02f3294f297b71
Author:     FRIGN <[email protected]>
AuthorDate: Fri Mar 18 19:49:11 2016 +0100
Commit:     FRIGN <[email protected]>
CommitDate: Fri Mar 18 19:49:11 2016 +0100

    Prevent overflow in rowlen and improve inaccuracies in style

diff --git a/ff2png.c b/ff2png.c
index bf210fb..4304bbb 100644
--- a/ff2png.c
+++ b/ff2png.c
@@ -61,7 +61,11 @@ main(int argc, char *argv[])
        png_write_info(pngs, pngi);
 
        /* write rows */
-       rowlen = (sizeof("RGBA") - 1) * width;
+       if (width > SIZE_MAX / ((sizeof("RGBA") - 1) * sizeof(uint16_t))) {
+               fprintf(stderr, "%s: row length integer overflow\n", argv0);
+               return 1;
+       }
+       rowlen = width * (sizeof("RGBA") - 1);
        if (!(row = malloc(rowlen * sizeof(uint16_t)))) {
                fprintf(stderr, "%s: malloc: out of memory\n", argv0);
                return 1;
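Review bot: The guard divides by `(sizeof("RGBA") - 1) * sizeof(uint16_t)`, so it bounds the byte count passed to `malloc` two lines later rather than `rowlen` itself, and nothing in the code says so. A comment above the check, e.g. `/* bound width so that rowlen * sizeof(uint16_t) in the malloc below cannot wrap */`, would keep a later edit from loosening the divisor to match the "row length" wording of the error message. The same guard is added in png2ff.c (the "allocate output row buffer" hunk) and would take the same comment. `SIZE_MAX` comes from `<stdint.h>`, and the include list of ff2png.c is outside this hunk, so confirm it is present there. main's body starts and ends outside the hunk.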
diff --git a/jpg2ff.c b/jpg2ff.c
index dc5b060..8ebc81d 100644
--- a/jpg2ff.c
+++ b/jpg2ff.c
@@ -5,7 +5,6 @@
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
 
 #include <jpeglib.h>
 
@@ -58,7 +57,7 @@ main(int argc, char *argv[])
        jpgrow = (*js.mem->alloc_sarray)((j_common_ptr)&js,
                                         JPOOL_IMAGE, width *
                                         js.output_components, 1);
-       rowlen = strlen("RGBA") * width;
+       rowlen = width * (sizeof("RGBA") - 1);
        if(!(row = malloc(rowlen * sizeof(uint16_t)))) {
                fprintf(stderr, "%s: malloc: out of memory\n", argv0);
                return 1;
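Review bot: `rowlen = width * (sizeof("RGBA") - 1);` and the `malloc(rowlen * sizeof(uint16_t))` after it are left unguarded here, although this commit adds a `SIZE_MAX` check before the same two expressions in ff2png.c and png2ff.c. If `width` can be large enough for either product to wrap in `size_t`, the row buffer would be smaller than the data later written into it; the `width * js.output_components` argument to `alloc_sarray` just above has the same shape. Either add the same guard, `if (width > SIZE_MAX / ((sizeof("RGBA") - 1) * sizeof(uint16_t))) { ... return 1; }`, or, if libjpeg's own dimension limit is what keeps this safe, state that in a comment such as `/* width is bounded by libjpeg (JPEG_MAX_DIMENSION), so rowlen cannot overflow */`. main's body starts and ends outside the hunk, so the type and origin of `width` are not visible here.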
@@ -89,7 +88,7 @@ main(int argc, char *argv[])
                }
 
                /* write data */
-               if (fwrite(row, 2, rowlen, stdout) != rowlen)
+               if (fwrite(row, sizeof(uint16_t), rowlen, stdout) != rowlen)
                        goto writerr;
        }
        jpeg_finish_decompress(&js);
diff --git a/png2ff.c b/png2ff.c
index cf85b32..55456e3 100644
--- a/png2ff.c
+++ b/png2ff.c
@@ -5,7 +5,6 @@
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
 
 #include <png.h>
 
@@ -57,7 +56,11 @@ main(int argc, char *argv[])
        pngrows = png_get_rows(pngs, pngi);
 
        /* allocate output row buffer */
-       rowlen = width * strlen("RGBA");
+       if (width > SIZE_MAX / ((sizeof("RGBA") - 1) * sizeof(uint16_t))) {
+               fprintf(stderr, "%s: row length integer overflow\n", argv0);
+               return 1;
+       }
+       rowlen = width * (sizeof("RGBA") - 1);
        if (!(row = malloc(rowlen * sizeof(uint16_t)))) {
                fprintf(stderr, "%s: malloc: out of memory\n", argv0);
                return 1;
@@ -87,8 +90,8 @@ main(int argc, char *argv[])
                break;
        case 16:
                for (r = 0; r < height; ++r) {
-                       if (fwrite(pngrows[r], sizeof(uint16_t),
-                                  rowlen, stdout) != rowlen) {
+                       if (fwrite(pngrows[r], sizeof(uint16_t), rowlen,
+                                  stdout) != rowlen) {
                                goto writerr;
                        }
                }
