76 lines
2.6 KiB
Diff
76 lines
2.6 KiB
Diff
Index: src/common/imagpng.cpp
|
|
===================================================================
|
|
--- src/common/imagpng.cpp (revision 60874)
|
|
+++ src/common/imagpng.cpp (revision 60875)
|
|
@@ -568,18 +568,16 @@
|
|
if (!image->Ok())
|
|
goto error;
|
|
|
|
- lines = (unsigned char **)malloc( (size_t)(height * sizeof(unsigned char *)) );
|
|
+ // initialize all line pointers to NULL to ensure that they can be safely
|
|
+ // free()d if an error occurs before all of them could be allocated
|
|
+ lines = (unsigned char **)calloc(height, sizeof(unsigned char *));
|
|
if ( !lines )
|
|
goto error;
|
|
|
|
for (i = 0; i < height; i++)
|
|
{
|
|
if ((lines[i] = (unsigned char *)malloc( (size_t)(width * (sizeof(unsigned char) * 4)))) == NULL)
|
|
- {
|
|
- for ( unsigned int n = 0; n < i; n++ )
|
|
- free( lines[n] );
|
|
goto error;
|
|
- }
|
|
}
|
|
|
|
png_read_image( png_ptr, lines );
|
|
Index: src/common/imagtiff.cpp
|
|
===================================================================
|
|
--- src/common/imagtiff.cpp (revision 60875)
|
|
+++ src/common/imagtiff.cpp (revision 60876)
|
|
@@ -261,7 +261,6 @@
|
|
}
|
|
|
|
uint32 w, h;
|
|
- uint32 npixels;
|
|
uint32 *raster;
|
|
|
|
TIFFGetField( tif, TIFFTAG_IMAGEWIDTH, &w );
|
|
@@ -275,10 +274,21 @@
|
|
(samplesInfo[0] == EXTRASAMPLE_ASSOCALPHA ||
|
|
samplesInfo[0] == EXTRASAMPLE_UNASSALPHA));
|
|
|
|
- npixels = w * h;
|
|
+ // guard against integer overflow during multiplication which could result
|
|
+ // in allocating a too small buffer and then overflowing it
|
|
+ const double bytesNeeded = w * h * sizeof(uint32);
|
|
+ if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ )
|
|
+ {
|
|
+ if ( verbose )
|
|
+ wxLogError( _("TIFF: Image size is abnormally big.") );
|
|
|
|
- raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) );
|
|
+ TIFFClose(tif);
|
|
|
|
+ return false;
|
|
+ }
|
|
+
|
|
+ raster = (uint32*) _TIFFmalloc( bytesNeeded );
|
|
+
|
|
if (!raster)
|
|
{
|
|
if (verbose)
|
|
Index: src/common/imagtiff.cpp
|
|
===================================================================
|
|
--- src/common/imagtiff.cpp (revision 60896)
|
|
+++ src/common/imagtiff.cpp (revision 60897)
|
|
@@ -276,7 +276,7 @@
|
|
|
|
// guard against integer overflow during multiplication which could result
|
|
// in allocating a too small buffer and then overflowing it
|
|
- const double bytesNeeded = w * h * sizeof(uint32);
|
|
+ const double bytesNeeded = (double)w * (double)h * sizeof(uint32);
|
|
if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ )
|
|
{
|
|
if ( verbose )
|