lib: Fix fpi_img_is_sane()
The checks weren't: - checking whether the width or height were negative - whether img->width * img->height would overflow, or was bigger than G_MAXINT - whether img->width * img->height was bigger than the total length of the buffer The last one looks like a thinko, it checked for: (img->length * img->height) < img->length which is equivalent to: img->height < 1 which we already check for earlier. Closes: #85
This commit is contained in:
Bastien Nocera
parent
c35ad20249
commit
94450a1d74
1 changed files with 10 additions and 3 deletions
|
|
@ -69,12 +69,19 @@ struct fp_img *fpi_img_new_for_imgdev(struct fp_img_dev *imgdev)
|
||||||
|
|
||||||
gboolean fpi_img_is_sane(struct fp_img *img)
|
gboolean fpi_img_is_sane(struct fp_img *img)
|
||||||
{
|
{
|
||||||
|
guint len;
|
||||||
|
|
||||||
/* basic checks */
|
/* basic checks */
|
||||||
if (!img->length || !img->width || !img->height)
|
if (!img->length || img->width <= 0 || img->height <= 0)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
/* buffer is big enough? */
|
/* Are width and height just too big? */
|
||||||
if ((img->length * img->height) < img->length)
|
if (!g_uint_checked_mul(&len, img->width, img->height) ||
|
||||||
|
len > G_MAXINT)
|
||||||
|
return FALSE;
|
||||||
|
|
||||||
|
/* buffer big enough? */
|
||||||
|
if (len > img->length)
|
||||||
return FALSE;
|
return FALSE;
|
||||||
|
|
||||||
return TRUE;
|
return TRUE;
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue