Add some input param checks to sixel_helper_write_image_file()

saitoha · Dec 29, 2019 · d3be559 · d3be559
1 parent 739bd2b
commit d3be559
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 7 deletions.
diff --git a/include/sixel.h.in b/include/sixel.h.in
@@ -40,6 +40,8 @@ typedef unsigned char sixel_index_t;
 #define SIXEL_PALETTE_MAX            256
 #define SIXEL_USE_DEPRECATED_SYMBOLS 1
 #define SIXEL_ALLOCATE_BYTES_MAX     10248UL * 1024UL * 128UL   /* up to 128M */
+#define SIXEL_WIDTH_LIMIT            1000000
+#define SIXEL_HEIGHT_LIMIT           1000000
 
 /* return value */
 typedef int SIXELSTATUS;
@@ -370,9 +372,6 @@ typedef int SIXELSTATUS;
 #define SIXEL_OPTFLAG_VERSION           ('V')  /* -V, --version: show version and license info */
 #define SIXEL_OPTFLAG_HELP              ('H')  /* -H, --help: show this help */
 
-#define SIXEL_WIDTH_LIMIT               1000000
-#define SIXEL_HEIGHT_LIMIT              1000000
-
 #define SIXEL_DEFALUT_GIF_DELAY         1
 
 #if SIXEL_USE_DEPRECATED_SYMBOLS

diff --git a/src/frompnm.c b/src/frompnm.c
@@ -83,6 +83,7 @@ load_pnm(unsigned char      /* in */  *p,
     unsigned char *s;
     unsigned char *end;
     unsigned char tmp[256];
+    size_t size;
 
     (void) ppalette;
     (void) pncolors;
@@ -210,9 +211,8 @@ load_pnm(unsigned char      /* in */  *p,
         goto invalid;
     }
 
-    *result = (unsigned char *)sixel_allocator_malloc(
-        allocator,
-        (size_t)(width * height * 3 + 1));
+    size = (size_t)width * (size_t)height * 3 + 1;
+    *result = (unsigned char *)sixel_allocator_malloc(allocator, size);
 
     if (*result == NULL) {
         sixel_helper_set_additional_message(
@@ -221,7 +221,7 @@ load_pnm(unsigned char      /* in */  *p,
         goto end;
     }
 
-    memset(*result, 0, (size_t)(width * height * 3 + 1));
+    (void) memset(*result, 0, size);
 
     for (y = 0 ; y < height ; y++) {
         for (x = 0 ; x < width ; x++) {

diff --git a/src/writer.c b/src/writer.c
@@ -317,6 +317,46 @@ sixel_helper_write_image_file(
         sixel_allocator_ref(allocator);
     }
 
+    if (width > SIXEL_WIDTH_LIMIT) {
+        sixel_helper_set_additional_message(
+            "sixel_encode: bad width parameter."
+            " (width > SIXEL_WIDTH_LIMIT)");
+        status = SIXEL_BAD_INPUT;
+        goto end;
+    }
+
+    if (width > SIXEL_HEIGHT_LIMIT) {
+        sixel_helper_set_additional_message(
+            "sixel_encode: bad width parameter."
+            " (width > SIXEL_HEIGHT_LIMIT)");
+        status = SIXEL_BAD_INPUT;
+        goto end;
+    }
+
+    if (height < 1) {
+        sixel_helper_set_additional_message(
+            "sixel_encode: bad height parameter."
+            " (height < 1)");
+        status = SIXEL_BAD_INPUT;
+        goto end;
+    }
+
+    if (width < 1) {
+        sixel_helper_set_additional_message(
+            "sixel_encode: bad width parameter."
+            " (width < 1)");
+        status = SIXEL_BAD_INPUT;
+        goto end;
+    }
+
+    if (height < 1) {
+        sixel_helper_set_additional_message(
+            "sixel_encode: bad height parameter."
+            " (height < 1)");
+        status = SIXEL_BAD_INPUT;
+        goto end;
+    }
+
     switch (imageformat) {
     case SIXEL_FORMAT_PNG:
         status = write_png_to_file(data, width, height, palette,