Commit 94450a1d authored by Bastien Nocera

lib: Fix fpi_img_is_sane()

The checks weren't:
- checking whether the width or height were negative
- whether img->width * img->height would overflow, or
  was bigger than G_MAXINT
- whether img->width * img->height was bigger than the total
  length of the buffer

The last one looks like a thinko, it checked for:
(img->length * img->height) < img->length
which is equivalent to:
img->height < 1
which we already check for earlier.

Closes: #85
parent c35ad202
Pipeline #5611 passed with stage
in 2 minutes and 11 seconds
......@@ -69,12 +69,19 @@ struct fp_img *fpi_img_new_for_imgdev(struct fp_img_dev *imgdev)
gboolean fpi_img_is_sane(struct fp_img *img)
{
guint len;
/* basic checks */
if (!img->length || !img->width || !img->height)
if (!img->length || img->width <= 0 || img->height <= 0)
return FALSE;
/* Are width and height just too big? */
if (!g_uint_checked_mul(&len, img->width, img->height) ||
len > G_MAXINT)
return FALSE;
/* buffer is big enough? */
if ((img->length * img->height) < img->length)
/* buffer big enough? */
if (len > img->length)
return FALSE;
return TRUE;
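Review bot: the final check, `if (len > img->length)`, compares the `guint` product against `img->length`, whose type is not visible in this hunk. If that field is a signed type, a negative length passes the `!img->length` test and is converted to a large unsigned value in the comparison, so an undersized buffer would still be reported as sane. Please confirm that `length` is unsigned (for example `size_t`), or reject non-positive values the same way the new `img->width <= 0 || img->height <= 0` test does. The comparison also assumes one byte per pixel, which deserves a short comment next to the "buffer big enough?" check.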
......