
Commit 60bfb40

committed
Fix potential unsigned underflow
No need to decrease `u`, so we don't do it. While we're at it, we also factor the overflow check out of the loop, which improves performance and readability. This issue has been reported by Stefan Esser to security@libgd.org.
1 parent a49feea commit 60bfb40


1 file changed

+10
-9
lines changed


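--- a/src/gd_interpolation.c
+++ b/src/gd_interpolation.c
@@ -829,8 +829,13 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
 {
 unsigned int u = 0;
 LineContribType *res;
-int overflow_error = 0;
+size_t weights_size;
 
+if (overflow2(windows_size, sizeof(double))) {
+return NULL;
+} else {
+weights_size = windows_size * sizeof(double);
+}
 res = (LineContribType *) gdMalloc(sizeof(LineContribType));
 if (!res) {
 return NULL;
@@ -847,15 +852,11 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length,
 return NULL;
 }
 for (u = 0 ; u < line_length ; u++) {
-if (overflow2(windows_size, sizeof(double))) {
-overflow_error = 1;
-} else {
-res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double));
-}
-if (overflow_error == 1 || res->ContribRow[u].Weights == NULL) {
+res->ContribRow[u].Weights = (double *) gdMalloc(weights_size);
+if (res->ContribRow[u].Weights == NULL) {
 unsigned int i;
-u--;
-for (i=0;i<u;i++) {
+
+for (i=0;i<u;i++) {
 gdFree(res->ContribRow[i].Weights);
 }
 gdFree(res->ContribRow);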
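Review bot: The cleanup loop in the second hunk, `for (i=0;i<u;i++)`, has no comment explaining why its bound is exclusive, yet that bound is the entire fix. With the removed `u--`, a failure on the first row (u == 0) wrapped the unsigned index, and `i<=u` then let the free loop run past the end of `ContribRow`. I would add a comment above the loop such as `/* rows [0, u) hold live allocations; row u is the one that failed, so stop before it */` so that a later edit does not bring back `<=` or the decrement. The rest of the failure path and the function's return lie below the last visible line, so this is judged from the hunk alone.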
