Fix potential unsigned underflow
There is no need to decrease `u`, so we no longer do it. While we're at it, we also
factor the overflow check out of the loop, which improves performance and readability.

This issue has been reported by Stefan Esser to security@libgd.org.
cmb69 committed Dec 13, 2016
1 parent a49feea commit 60bfb40
Showing 1 changed file with 10 additions and 9 deletions.
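--- a/src/gd_interpolation.c
+++ b/src/gd_interpolation.c
@@ -829,8 +829,13 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
 {
 unsigned int u = 0;
 LineContribType *res;
-int overflow_error = 0;
+size_t weights_size;
 
+if (overflow2(windows_size, sizeof(double))) {
+return NULL;
+} else {
+weights_size = windows_size * sizeof(double);
+}
 res = (LineContribType *) gdMalloc(sizeof(LineContribType));
 if (!res) {
 return NULL;
@@ -847,15 +852,11 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
 return NULL;
 }
 for (u = 0 ; u < line_length ; u++) {
-if (overflow2(windows_size, sizeof(double))) {
-overflow_error = 1;
-} else {
-res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double));
-}
-if (overflow_error == 1 || res->ContribRow[u].Weights == NULL) {
+res->ContribRow[u].Weights = (double *) gdMalloc(weights_size);
+if (res->ContribRow[u].Weights == NULL) {
 unsigned int i;
-u--;
-for (i=0;i<=u;i++) {
+
+for (i=0;i<u;i++) {
 gdFree(res->ContribRow[i].Weights);
 }
 gdFree(res->ContribRow);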
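Review bot: The cleanup loop in the second hunk, `for (i=0;i<u;i++)`, carries the whole fix, yet nothing in the code records the invariant it relies on. When the allocation for row `u` fails, only rows `0..u-1` hold valid `Weights` pointers, and because `u` is `unsigned int` the removed `u--` wrapped around when the very first allocation failed, so the old `i<=u` bound ran far past `ContribRow`. I would add a comment above the loop such as `/* rows [0, u) were allocated; row u failed, so free strictly below u (u may be 0) */`, and a regression test that forces the first `gdMalloc` in the loop to fail. As a style point in the first hunk, the `else` after `return NULL;` is redundant, so `weights_size = windows_size * sizeof(double);` can simply follow the check. The function body starts before and continues after the visible hunks, so the remaining cleanup is not reviewed here.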

1 comment on commit 60bfb40


@carnil carnil commented on 60bfb40 Jan 28, 2017


This is CVE-2016-10166
