From 0396bb3dd2946c9d3827609118b442413bc74311 Mon Sep 17 00:00:00 2001 From: Thomas Debesse Date: Tue, 25 Jun 2024 19:30:16 +0200 Subject: [PATCH] stb_image_write: prevent int to overflow before converting it to size_t --- stb_image_write.h | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/stb_image_write.h b/stb_image_write.h index e4b32ed1bc..1db82dc44e 100644 --- a/stb_image_write.h +++ b/stb_image_write.h @@ -141,6 +141,7 @@ github:ignotion Adam Schackart Andrew Kensler + Thomas Debesse LICENSE @@ -826,7 +827,7 @@ STBIWDEF int stbi_write_hdr(char const *filename, int x, int y, int comp, const static void *stbiw__sbgrowf(void **arr, int increment, int itemsize) { int m = *arr ? 2*stbiw__sbm(*arr)+increment : increment+1; - void *p = STBIW_REALLOC_SIZED(*arr ? stbiw__sbraw(*arr) : 0, *arr ? (stbiw__sbm(*arr)*itemsize + sizeof(int)*2) : 0, itemsize * m + sizeof(int)*2); + void *p = STBIW_REALLOC_SIZED(*arr ? stbiw__sbraw(*arr) : 0, *arr ? (stbiw__sbm(*arr)*itemsize + sizeof(int)*2) : 0, (size_t)itemsize * (size_t)m + sizeof(int)*2); STBIW_ASSERT(p); if (p) { if (!*arr) ((int *) p)[1] = 0; @@ -1100,7 +1101,7 @@ static void stbiw__encode_png_line(unsigned char *pixels, int stride_bytes, int int signed_stride = stbi__flip_vertically_on_write ? -stride_bytes : stride_bytes; if (type==0) { - memcpy(line_buffer, z, width*n); + memcpy(line_buffer, z, (size_t)width * (size_t)n); return; } @@ -1141,8 +1142,8 @@ STBIWDEF unsigned char *stbi_write_png_to_mem(const unsigned char *pixels, int s force_filter = -1; } - filt = (unsigned char *) STBIW_MALLOC((x*n+1) * y); if (!filt) return 0; - line_buffer = (signed char *) STBIW_MALLOC(x * n); if (!line_buffer) { STBIW_FREE(filt); return 0; } + filt = (unsigned char *) STBIW_MALLOC(((size_t)x * (size_t)n + 1) * (size_t)y); if (!filt) return 0; + line_buffer = (signed char *) STBIW_MALLOC((size_t)x * (size_t)n); if (!line_buffer) { STBIW_FREE(filt); return 0; } for (j=0; j < y; ++j) { int filter_type; if (force_filter > -1) { @@ -1169,8 +1170,8 @@ STBIWDEF unsigned char *stbi_write_png_to_mem(const unsigned char *pixels, int s } } // when we get here, filter_type contains the filter type, and line_buffer contains the data - filt[j*(x*n+1)] = (unsigned char) filter_type; - STBIW_MEMMOVE(filt+j*(x*n+1)+1, line_buffer, x*n); + filt[(size_t)j * ((size_t)x * (size_t)n + 1)] = (unsigned char) filter_type; + STBIW_MEMMOVE(filt + (size_t)j * ((size_t)x * (size_t)n + 1) + 1, line_buffer, (size_t)x * (size_t)n); } STBIW_FREE(line_buffer); zlib = stbi_zlib_compress(filt, y*( x*n+1), &zlen, stbi_write_png_compression_level);