From bf46a7bd2e705c700fe49552bfdf1a6aa7a0eafc Mon Sep 17 00:00:00 2001 From: pwd Date: Mon, 2 Dec 2019 18:36:55 +0800 Subject: [PATCH] check integer overflow in 'map[pix * width + x] |= (1 << i);' --- src/tosixel.c | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/src/tosixel.c b/src/tosixel.c index 0166dc4f..220940c1 100644 --- a/src/tosixel.c +++ b/src/tosixel.c @@ -21,6 +21,7 @@ #include #include #include +#include #if defined(HAVE_INTTYPES_H) # include @@ -502,6 +503,7 @@ sixel_encode_body( int mx; int len; int pix; + int check_integer_overflow; unsigned char *map = NULL; sixel_node_t *np, *tp, top; int fillable; @@ -557,8 +559,30 @@ sixel_encode_body( fillable = 1; } for (x = 0; x < width; x++) { - pix = pixels[y * width + x]; /* color index */ + if (y > INT_MAX / width) { + /* integer overflow */ + status = SIXEL_BAD_INTEGER_OVERFLOW; + goto end; + } + check_integer_overflow = y * width; + if (check_integer_overflow > INT_MAX - x) { + /* integer overflow */ + status = SIXEL_BAD_INTEGER_OVERFLOW; + goto end; + } + pix = pixels[check_integer_overflow + x]; /* color index */ if (pix >= 0 && pix < ncolors && pix != keycolor) { + if (pix > INT_MAX / width) { + /* integer overflow */ + status = SIXEL_BAD_INTEGER_OVERFLOW; + goto end; + } + check_integer_overflow = pix * width; + if (check_integer_overflow > INT_MAX - x) { + /* integer overflow */ + status = SIXEL_BAD_INTEGER_OVERFLOW; + goto end; + } map[pix * width + x] |= (1 << i); } else if (!palstate) {