Branch yourbutterfly

include/sixel.h.in

@@ -60,6 +60,7 @@ typedef int SIXELSTATUS;
 #define SIXEL_BAD_ALLOCATION    (SIXEL_RUNTIME_ERROR | 0x0001)  /* malloc() failed */
 #define SIXEL_BAD_ARGUMENT      (SIXEL_RUNTIME_ERROR | 0x0002)  /* bad argument detected */
 #define SIXEL_BAD_INPUT         (SIXEL_RUNTIME_ERROR | 0x0003)  /* bad input detected */
+#define SIXEL_BAD_INTEGER_OVERFLOW (SIXEL_RUNTIME_ERROR | 0x0004)  /* integer overflow */
 
 #define SIXEL_NOT_IMPLEMENTED   (SIXEL_FEATURE_ERROR | 0x0001)  /* feature not implemented */
 

src/frompnm.c

@@ -166,7 +166,7 @@ load_pnm(unsigned char      /* in */  *p,
     height = 0;
     for (; *s >= '0' && *s <= '9'; ++s) {
         height = height * 10 + (*s - '0');
-        if (width > PNM_MAX_WIDTH) {
+        if (height > PNM_MAX_HEIGHT) {
             status = SIXEL_RUNTIME_ERROR;
             sprintf(
               message,
@@ -193,7 +193,7 @@ load_pnm(unsigned char      /* in */  *p,
         for (; *s >= '0' && *s <= '9'; ++s) {
             deps = deps * 10 + (*s - '0');
         }
-        if (width > PNM_MAX_WIDTH) {
+        if (deps > PNM_MAX_DEPTH) {
             status = SIXEL_RUNTIME_ERROR;
             sprintf(
               message,

src/fromsixel.c

@@ -52,6 +52,7 @@
 #include <stdio.h>
 #include <ctype.h>   /* isdigit */
 #include <string.h>  /* memcpy */
+#include <limits.h>
 
 #if defined(HAVE_INTTYPES_H)
 # include <inttypes.h>
@@ -367,6 +368,16 @@ parser_context_init(parser_context_t *context)
     return status;
 }
 
+SIXELSTATUS safe_addition_for_params(parser_context_t *context, unsigned char *p){
+    int x;
+
+    x = *p - '0'; /* 0 <= x <= 9 */
+    if ((context->param > INT_MAX / 10) || (x > INT_MAX - context->param * 10)) {
+        return SIXEL_BAD_INTEGER_OVERFLOW;
+    }
+    context->param = context->param * 10 + x;
+    return SIXEL_OK;
+}
 
 /* convert sixel data into indexed pixel bytes and palette data */
 SIXELAPI SIXELSTATUS
@@ -446,7 +457,10 @@ sixel_decode_raw_impl(
                 if (context->param < 0) {
                     context->param = 0;
                 }
-                context->param = context->param * 10 + *p - '0';
+                status = safe_addition_for_params(context, p);
+                if (SIXEL_FAILED(status)) {
+                    goto end;
+                }
                 p++;
                 break;
             case ';':
@@ -647,7 +661,10 @@ sixel_decode_raw_impl(
             case '7':
             case '8':
             case '9':
-                context->param = context->param * 10 + *p - '0';
+                status = safe_addition_for_params(context, p);
+                if (SIXEL_FAILED(status)) {
+                    goto end;
+                }
                 p++;
                 break;
             case ';':
@@ -721,7 +738,10 @@ sixel_decode_raw_impl(
             case '7':
             case '8':
             case '9':
-                context->param = context->param * 10 + *p - '0';
+                status = safe_addition_for_params(context, p);
+                if (SIXEL_FAILED(status)) {
+                    goto end;
+                }
                 p++;
                 break;
             default:
@@ -753,7 +773,10 @@ sixel_decode_raw_impl(
             case '7':
             case '8':
             case '9':
-                context->param = context->param * 10 + *p - '0';
+                status = safe_addition_for_params(context, p);
+                if (SIXEL_FAILED(status)) {
+                    goto end;
+                }
                 p++;
                 break;
             case ';':

src/status.c

@@ -46,6 +46,7 @@
 #define SIXEL_MESSAGE_BAD_ALLOCATION    ("runtime error: bad allocation error")
 #define SIXEL_MESSAGE_BAD_ARGUMENT      ("runtime error: bad argument detected")
 #define SIXEL_MESSAGE_BAD_INPUT         ("runtime error: bad input detected")
+#define SIXEL_MESSAGE_BAD_INTEGER_OVERFLOW  ("runtime error: integer overflow")
 #define SIXEL_MESSAGE_RUNTIME_ERROR     ("runtime error")
 #define SIXEL_MESSAGE_LOGIC_ERROR       ("logic error")
 #define SIXEL_MESSAGE_NOT_IMPLEMENTED   ("feature error: not implemented")
@@ -118,6 +119,9 @@ sixel_helper_format_error(
             case SIXEL_BAD_INPUT:
                 error_string = SIXEL_MESSAGE_BAD_INPUT;
                 break;
+            case SIXEL_BAD_INTEGER_OVERFLOW:
+                error_string = SIXEL_MESSAGE_BAD_INTEGER_OVERFLOW;
+                break;
             default:
                 error_string = SIXEL_MESSAGE_RUNTIME_ERROR;
                 break;

src/tosixel.c

@@ -21,6 +21,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>
 
 #if defined(HAVE_INTTYPES_H)
 # include <inttypes.h>
@@ -502,6 +503,7 @@ sixel_encode_body(
     int mx;
     int len;
     int pix;
+    int check_integer_overflow;
     unsigned char *map = NULL;
     sixel_node_t *np, *tp, top;
     int fillable;
@@ -557,8 +559,30 @@ sixel_encode_body(
             fillable = 1;
         }
         for (x = 0; x < width; x++) {
-            pix = pixels[y * width + x];  /* color index */
+            if (y > INT_MAX / width) {
+                /* integer overflow */
+                status = SIXEL_BAD_INTEGER_OVERFLOW;
+                goto end;
+            }
+            check_integer_overflow = y * width;
+            if (check_integer_overflow > INT_MAX - x) {
+                /* integer overflow */
+                status = SIXEL_BAD_INTEGER_OVERFLOW;
+                goto end;
+            }
+            pix = pixels[check_integer_overflow + x];  /* color index */
             if (pix >= 0 && pix < ncolors && pix != keycolor) {
+                if (pix > INT_MAX / width) {
+                    /* integer overflow */
+                    status = SIXEL_BAD_INTEGER_OVERFLOW;
+                    goto end;
+                }
+                check_integer_overflow = pix * width;
+                if (check_integer_overflow > INT_MAX - x) {
+                    /* integer overflow */
+                    status = SIXEL_BAD_INTEGER_OVERFLOW;
+                    goto end;
+                }
                 map[pix * width + x] |= (1 << i);
             }
             else if (!palstate) {