diff options
| author | Michael Stapelberg <michael@stapelberg.de> | 2013-07-09 22:45:48 +0200 |
|---|---|---|
| committer | Michael Stapelberg <michael@stapelberg.de> | 2013-07-09 22:45:48 +0200 |
| commit | e0166e72fa2672dd31d1e4a142e069487d1891b0 (patch) | |
| tree | fa7c1aa202901effb8387d7f17e683102aedb01b | |
| parent | e3887bd2d89876fcbd31edc75ea0848245ce2eed (diff) | |
catch integer overflows (Thanks psychon)
| -rw-r--r-- | cursor/parse_cursor_file.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/cursor/parse_cursor_file.c b/cursor/parse_cursor_file.c index 2a5713d..e8a47bc 100644 --- a/cursor/parse_cursor_file.c +++ b/cursor/parse_cursor_file.c @@ -146,6 +146,11 @@ int parse_cursor_file(xcb_cursor_context_t *c, const int fd, xcint_image_t **ima i->delay = le32toh(i->delay); /* Read the actual image data and convert it to host byte order */ + if (((uint64_t)i->width) * i->height > UINT32_MAX) { + /* Catch integer overflows */ + free(cf.tocs); + return -EINVAL; + } numpixels = i->width * i->height; i->pixels = malloc(numpixels * sizeof(uint32_t)); read(fd, i->pixels, numpixels * sizeof(uint32_t)); |