From 62eab9b3d73a07f1b1821ff05eda6ccf5e2c5901 Mon Sep 17 00:00:00 2001
From: Matthias Clasen
Date: Mon, 13 Jul 2015 00:33:40 -0400
Subject: [PATCH] pixops: Be more careful about integer overflow

Our loader code is supposed to handle out-of-memory and overflow situations gracefully, reporting errors instead of aborting. But if you load an image at a specific size, we also execute our scaling code, which was not careful enough about overflow in some places. This commit makes the scaling code silently return if it fails to allocate filter tables.

https://bugzilla.gnome.org/show_bug.cgi?id=752297
---
 gdk-pixbuf/pixops/pixops.c | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c
index 29a1c14..226ad09 100644
--- a/gdk-pixbuf/pixops/pixops.c
+++ b/gdk-pixbuf/pixops/pixops.c
@@ -1272,7 +1272,16 @@ make_filter_table (PixopsFilter *filter)
 int i_offset, j_offset;
 int n_x = filter->x.n;
 int n_y = filter->y.n;
- int *weights = g_new (int, SUBSAMPLE * SUBSAMPLE * n_x * n_y);
+ gsize n_weights;
+ int *weights;
+
+ n_weights = SUBSAMPLE * SUBSAMPLE * n_x * n_y;
+ if (n_weights / (SUBSAMPLE * SUBSAMPLE) != n_x * n_y)
+ return NULL; /* overflow, bail */
+
+ weights = g_new (int, n_weights);
+ if (!weights)
+ return NULL; /* overflow, bail */
 
 for (i_offset=0; i_offset < SUBSAMPLE; i_offset++)
 for (j_offset=0; j_offset < SUBSAMPLE; j_offset++)
@@ -1347,8 +1356,11 @@ pixops_process (guchar *dest_buf,
 if (x_step == 0 || y_step == 0)
 return; /* overflow, bail out */
 
- line_bufs = g_new (guchar *, filter->y.n);
 filter_weights = make_filter_table (filter);
+ if (!filter_weights)
+ return; /* overflow, bail out */
+
+ line_bufs = g_new (guchar *, filter->y.n);
 
 check_shift = check_size ? get_check_shift (check_size) : 0;
 
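Review bot: The overflow check added in make_filter_table comes too late, because `n_weights = SUBSAMPLE * SUBSAMPLE * n_x * n_y;` is evaluated in int before it is widened to gsize, so the multiplication can overflow (signed, undefined behaviour) before the `n_weights / (SUBSAMPLE * SUBSAMPLE) != n_x * n_y` test runs, and the test itself repeats `n_x * n_y` in int. The second guard is dead code: `g_new` aborts on allocation failure rather than returning NULL, so `if (!weights)` can never be true and the function cannot "silently return" on OOM as the commit message says. Both are addressed by bounding the factors in gsize before multiplying and allocating with `g_try_new`, as below; the range of n_x and n_y (taken from filter->x.n / filter->y.n) is not visible here, so the `<= 0` rejection assumes a zero- or negative-sized table is never wanted. make_filter_table's signature and the loops that fill the table lie outside the hunk.
```c
  gsize n_weights;
  int *weights;

  /* Bound the product in gsize before forming it: int overflow is UB. */
  if (n_x <= 0 || n_y <= 0 ||
      (gsize) n_x > G_MAXSIZE / ((gsize) SUBSAMPLE * SUBSAMPLE) / (gsize) n_y)
    return NULL; /* overflow, bail */
  n_weights = (gsize) SUBSAMPLE * SUBSAMPLE * (gsize) n_x * (gsize) n_y;

  /* g_new () aborts on OOM; g_try_new () returns NULL instead. */
  weights = g_try_new (int, n_weights);
  if (!weights)
    return NULL; /* out of memory, bail */
  /* … unchanged: weight table fill loops … */
```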
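Review bot: `line_bufs = g_new (guchar *, filter->y.n);` still goes through g_new, which aborts on allocation failure, so pixops_process keeps terminating the process on OOM one line after the new `if (!filter_weights)` bail-out; for consistent behaviour use `line_bufs = g_try_new (guchar *, filter->y.n);` followed by `if (!line_bufs) { g_free (filter_weights); return; }`. With g_new still used inside make_filter_table, the new NULL check can at present only fire on the overflow path, not on OOM. Whether the early return must release filter->x.weights / filter->y.weights cannot be seen from this hunk; presumably the caller owns them, since the existing x_step/y_step bail-out just above already returns without touching them. The rest of pixops_process, including the consumers of line_bufs, lies outside the hunk.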
@@ -1468,7 +1480,7 @@ tile_make_weights (PixopsFilterDimension *dim,
 double scale)
 {
 int n = ceil (1 / scale + 1);
- double *pixel_weights = g_new (double, SUBSAMPLE * n);
+ double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
 int offset;
 int i;
 
@@ -1526,7 +1538,7 @@ bilinear_magnify_make_weights (PixopsFilterDimension *dim,
 
 }
 dim->n = n;
- dim->weights = g_new (double, SUBSAMPLE * n);
+ dim->weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
 
 pixel_weights = dim->weights;
 
@@ -1617,7 +1629,7 @@ bilinear_box_make_weights (PixopsFilterDimension *dim,
 double scale)
 {
 int n = ceil (1/scale + 3.0);
- double *pixel_weights = g_new (double, SUBSAMPLE * n);
+ double *pixel_weights = g_malloc_n (sizeof (double) * SUBSAMPLE, n);
 double w;
 int offset, i;
 
-- 
2.4.3
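Review bot: Replacing `g_new (double, SUBSAMPLE * n)` with `g_malloc_n (sizeof (double) * SUBSAMPLE, n)` in tile_make_weights does not give the graceful failure the commit message describes, because g_malloc_n calls g_error and aborts on both multiplication overflow and allocation failure; the same applies to the hunks at 1526 (bilinear_magnify_make_weights) and 1617 (bilinear_box_make_weights). It is still an improvement — the size is now multiplied in gsize with an overflow check instead of overflowing an int — but since these functions are void and only store into dim->weights, a caller has no way to learn that the table is missing. If a non-aborting path is wanted, allocate with `g_try_malloc_n`, set `dim->n = 0` and `dim->weights = NULL` on failure, and have pixops_process check `filter->x.weights` / `filter->y.weights` before using them. `n` is an int produced by ceil(); a negative or very large value (from a tiny or negative scale, if the callers allow one) becomes a huge gsize and is caught only by the abort, so validating scale in the caller would be the safer place. Each of these functions continues past the end of its hunk.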