parent
02ead735ca
commit
1daaa29033
@ -0,0 +1,24 @@
|
||||
From f100bfc302c0e095856c71a174714cce0a22e30a Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
|
||||
Date: Thu, 19 Oct 2023 15:30:26 +0200
|
||||
Subject: [PATCH] Fix integer overflow
|
||||
|
||||
Cast to `size_t` to avoid multiplication overflow.
|
||||
Fixes #1529
|
||||
---
|
||||
stb_image.h | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/stb_image.h b/stb_image.h
|
||||
index 5e807a0a6..552129bc4 100644
|
||||
--- a/stb_image.h
|
||||
+++ b/stb_image.h
|
||||
@@ -1207,7 +1207,7 @@ static stbi__uint16 *stbi__convert_8_to_16(stbi_uc *orig, int w, int h, int chan
|
||||
int img_len = w * h * channels;
|
||||
stbi__uint16 *enlarged;
|
||||
|
||||
- enlarged = (stbi__uint16 *) stbi__malloc(img_len*2);
|
||||
+ enlarged = (stbi__uint16 *) stbi__malloc(((size_t)img_len)*2);
|
||||
if (enlarged == NULL) return (stbi__uint16 *) stbi__errpuc("outofmem", "Out of memory");
|
||||
|
||||
for (i = 0; i < img_len; ++i)
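Review bot: The added cast widens only the `*2`, so the context line `int img_len = w * h * channels;` still multiplies in `int` and can overflow before the cast is ever applied. A wrapped, negative `img_len` would then convert to a very large `size_t` request, and the loop bound `i < img_len` would no longer match the buffer. Unless callers already bound the dimensions (not visible in this hunk), check the product itself before allocating, for example with stb_image.h's existing helper: `if (!stbi__mad3sizes_valid(w, h, channels, 0)) return (stbi__uint16 *) stbi__errpuc("too large", "Image too large");`. The body of `stbi__convert_8_to_16` continues outside the hunk.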
|
@ -0,0 +1,36 @@
|
||||
From 178e1ab7684c46f233082a4f15308a54c9ae5a15 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
|
||||
Date: Thu, 19 Oct 2023 15:38:33 +0200
|
||||
Subject: [PATCH] Add overflow checks
|
||||
|
||||
Fixes #1531
|
||||
---
|
||||
stb_image.h | 8 ++++++++
|
||||
1 file changed, 8 insertions(+)
|
||||
|
||||
diff --git a/stb_image.h b/stb_image.h
|
||||
index 5e807a0a6..aac3653ac 100644
|
||||
--- a/stb_image.h
|
||||
+++ b/stb_image.h
|
||||
@@ -6990,6 +6990,10 @@ static void *stbi__load_gif_main(stbi__context *s, int **delays, int *x, int *y,
|
||||
stride = g.w * g.h * 4;
|
||||
|
||||
if (out) {
|
||||
+ if (!stbi__mul2sizes_valid(layers, stride)) {
|
||||
+ void *ret = stbi__load_gif_main_outofmem(&g, out, delays);
|
||||
+ return ret;
|
||||
+ }
|
||||
void *tmp = (stbi_uc*) STBI_REALLOC_SIZED( out, out_size, layers * stride );
|
||||
if (!tmp)
|
||||
return stbi__load_gif_main_outofmem(&g, out, delays);
|
||||
@@ -7006,6 +7010,10 @@ static void *stbi__load_gif_main(stbi__context *s, int **delays, int *x, int *y,
|
||||
delays_size = layers * sizeof(int);
|
||||
}
|
||||
} else {
|
||||
+ if (!stbi__mul2sizes_valid(layers, stride)) {
|
||||
+ void *ret = stbi__load_gif_main_outofmem(&g, out, delays);
|
||||
+ return ret;
|
||||
+ }
|
||||
out = (stbi_uc*)stbi__malloc( layers * stride );
|
||||
if (!out)
|
||||
return stbi__load_gif_main_outofmem(&g, out, delays);
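Review bot: Both added guards validate only `layers * stride`, while `stride = g.w * g.h * 4;` on the context line above the first guard is still computed in `int` and is not checked anywhere in these hunks. If the frame dimensions are not bounded earlier in the decoder (not visible here), `stride` may already have wrapped by the time `stbi__mul2sizes_valid(layers, stride)` sees it; a guard such as `if (!stbi__mad3sizes_valid(g.w, g.h, 4, 0))` before that assignment would close the gap. As a style point, the temporary in `void *ret = ...; return ret;` adds nothing over the `return stbi__load_gif_main_outofmem(&g, out, delays);` form already used a few lines below. In the first hunk it also places the `void *tmp` declaration after a statement, which strict C89 builds reject. `stbi__load_gif_main` starts and ends outside both hunks.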
|
@ -0,0 +1,23 @@
|
||||
From d66d0fe8c1a6ed393817791e4376374fa7f4ecc1 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Jaroslav=20Loba=C4=8Devski?= <jarlob@github.com>
|
||||
Date: Thu, 19 Oct 2023 15:42:23 +0200
|
||||
Subject: [PATCH] Fix int overflow
|
||||
|
||||
Fixes #1533
|
||||
---
|
||||
stb_image.h | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/stb_image.h b/stb_image.h
|
||||
index 5e807a0a6..6d63ab32b 100644
|
||||
--- a/stb_image.h
|
||||
+++ b/stb_image.h
|
||||
@@ -2222,7 +2222,7 @@ static int stbi__jpeg_decode_block(stbi__jpeg *j, short data[64], stbi__huffman
|
||||
dc = j->img_comp[b].dc_pred + diff;
|
||||
j->img_comp[b].dc_pred = dc;
|
||||
if (!stbi__mul2shorts_valid(dc, dequant[0])) return stbi__err("can't merge dc and ac", "Corrupt JPEG");
|
||||
- data[0] = (short) (dc * dequant[0]);
|
||||
+ data[0] = (short) ((size_t)dc * dequant[0]);
|
||||
|
||||
// decode AC components, see JPEG spec
|
||||
k = 1;
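Review bot: Casting `dc` to `size_t` in `data[0] = (short) ((size_t)dc * dequant[0]);` pushes a signed DC coefficient through an unsigned type. A negative `dc` becomes a very large value, the product wraps modulo the width of `size_t`, and the final conversion to `short` of an out-of-range value is implementation-defined rather than obviously correct. The preceding `stbi__mul2shorts_valid(dc, dequant[0])` guard presumably already ensures the product fits in a `short` (its definition is not in the hunk), in which case the plain `int` multiplication cannot overflow and the cast is unnecessary. If widening is still wanted to satisfy a sanitizer or analyzer, a signed type keeps the arithmetic meaningful. Either way, a one-line comment such as `/* product range checked by stbi__mul2shorts_valid above */` would document why the narrowing is safe. `stbi__jpeg_decode_block` continues outside the hunk.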
|