[hackers] [farbfeld] Prevent overflow in rowlen and improve inaccuracies in style || FRIGN

From: <git_AT_suckless.org>
Date: Fri, 18 Mar 2016 19:49:36 +0100 (CET)

commit e637aae67ededf6a4a0b4d490d02f3294f297b71
Author: FRIGN <dev_AT_frign.de>
AuthorDate: Fri Mar 18 19:49:11 2016 +0100
Commit: FRIGN <dev_AT_frign.de>
CommitDate: Fri Mar 18 19:49:11 2016 +0100

    Prevent overflow in rowlen and improve inaccuracies in style

diff --git a/ff2png.c b/ff2png.c
index bf210fb..4304bbb 100644
--- a/ff2png.c
+++ b/ff2png.c
_AT_@ -61,7 +61,11 @@ main(int argc, char *argv[])
         png_write_info(pngs, pngi);
 
         /* write rows */
- rowlen = (sizeof("RGBA") - 1) * width;
+ if (width > SIZE_MAX / ((sizeof("RGBA") - 1) * sizeof(uint16_t))) {
+ fprintf(stderr, "%s: row length integer overflow\n", argv0);
+ return 1;
+ }
+ rowlen = width * (sizeof("RGBA") - 1);
         if (!(row = malloc(rowlen * sizeof(uint16_t)))) {
                 fprintf(stderr, "%s: malloc: out of memory\n", argv0);
                 return 1;
diff --git a/jpg2ff.c b/jpg2ff.c
index dc5b060..8ebc81d 100644
--- a/jpg2ff.c
+++ b/jpg2ff.c
_AT_@ -5,7 +5,6 @@
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
 
 #include <jpeglib.h>
 
_AT_@ -58,7 +57,7 @@ main(int argc, char *argv[])
         jpgrow = (*js.mem->alloc_sarray)((j_common_ptr)&js,
                                          JPOOL_IMAGE, width *
                                          js.output_components, 1);
- rowlen = strlen("RGBA") * width;
+ rowlen = width * (sizeof("RGBA") - 1);
         if(!(row = malloc(rowlen * sizeof(uint16_t)))) {
                 fprintf(stderr, "%s: malloc: out of memory\n", argv0);
                 return 1;
_AT_@ -89,7 +88,7 @@ main(int argc, char *argv[])
                 }
 
                 /* write data */
- if (fwrite(row, 2, rowlen, stdout) != rowlen)
+ if (fwrite(row, sizeof(uint16_t), rowlen, stdout) != rowlen)
                         goto writerr;
         }
         jpeg_finish_decompress(&js);
diff --git a/png2ff.c b/png2ff.c
index cf85b32..55456e3 100644
--- a/png2ff.c
+++ b/png2ff.c
_AT_@ -5,7 +5,6 @@
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
 
 #include <png.h>
 
_AT_@ -57,7 +56,11 @@ main(int argc, char *argv[])
         pngrows = png_get_rows(pngs, pngi);
 
         /* allocate output row buffer */
- rowlen = width * strlen("RGBA");
+ if (width > SIZE_MAX / ((sizeof("RGBA") - 1) * sizeof(uint16_t))) {
+ fprintf(stderr, "%s: row length integer overflow\n", argv0);
+ return 1;
+ }
+ rowlen = width * (sizeof("RGBA") - 1);
         if (!(row = malloc(rowlen * sizeof(uint16_t)))) {
                 fprintf(stderr, "%s: malloc: out of memory\n", argv0);
                 return 1;
_AT_@ -87,8 +90,8 @@ main(int argc, char *argv[])
                 break;
         case 16:
                 for (r = 0; r < height; ++r) {
- if (fwrite(pngrows[r], sizeof(uint16_t),
- rowlen, stdout) != rowlen) {
+ if (fwrite(pngrows[r], sizeof(uint16_t), rowlen,
+ stdout) != rowlen) {
                                 goto writerr;
                         }
                 }
Received on Fri Mar 18 2016 - 19:49:36 CET