From 6df428ba24d8f244d08c4a205053e26b28cee0a9 Mon Sep 17 00:00:00 2001 From: Matthias Clasen Date: Mon, 24 Aug 2015 14:44:50 -0400 Subject: [PATCH] Fix some more integer overflows The scaling code had a similar problem to the one fixed in the previous commit: Expressions like ptr = base + y * rowstride are prone to overflow if y and rowstride are (possibly large) integers. --- gdk-pixbuf/pixops/pixops.c | 44 ++++++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/gdk-pixbuf/pixops/pixops.c b/gdk-pixbuf/pixops/pixops.c index 993223e..33aa32e 100644 --- a/gdk-pixbuf/pixops/pixops.c +++ b/gdk-pixbuf/pixops/pixops.c @@ -304,8 +304,8 @@ pixops_scale_nearest (guchar *dest_buf, guchar *dest; y_pos = ((i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT; y_pos = CLAMP (y_pos, 0, src_height - 1); - src = src_buf + y_pos * src_rowstride; - dest = dest_buf + i * dest_rowstride; + src = src_buf + (gsize)y_pos * src_rowstride; + dest = dest_buf + (gsize)i * dest_rowstride; x = render_x0 * x_step + x_step / 2; @@ -368,8 +368,8 @@ pixops_composite_nearest (guchar *dest_buf, guchar *dest; y_pos = ((i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT; y_pos = CLAMP (y_pos, 0, src_height - 1); - src = src_buf + y_pos * src_rowstride; - dest = dest_buf + i * dest_rowstride; + src = src_buf + (gsize)y_pos * src_rowstride; + dest = dest_buf + (gsize)i * dest_rowstride; x = render_x0 * x_step + x_step / 2; @@ -460,8 +460,8 @@ pixops_composite_color_nearest (guchar *dest_buf, guchar *dest; y_pos = ((i + render_y0) * y_step + y_step / 2) >> SCALE_SHIFT; y_pos = CLAMP (y_pos, 0, src_height - 1); - src = src_buf + y_pos * src_rowstride; - dest = dest_buf + i * dest_rowstride; + src = src_buf + (gsize)y_pos * src_rowstride; + dest = dest_buf + (gsize)i * dest_rowstride; x = render_x0 * x_step + x_step / 2; @@ -1303,7 +1303,7 @@ pixops_process (guchar *dest_buf, guchar *new_outbuf; guint32 tcolor1, tcolor2; - guchar *outbuf = dest_buf + dest_rowstride * i; + guchar *outbuf = dest_buf + (gsize)dest_rowstride * i; guchar *outbuf_end = outbuf + dest_channels * (render_x1 - render_x0); if (((i + check_y) >> check_shift) & 1) @@ -1322,9 +1322,9 @@ pixops_process (guchar *dest_buf, if (y_start < 0) line_bufs[j] = (guchar *)src_buf; else if (y_start < src_height) - line_bufs[j] = (guchar *)src_buf + src_rowstride * y_start; + line_bufs[j] = (guchar *)src_buf + (gsize)src_rowstride * y_start; else - line_bufs[j] = (guchar *)src_buf + src_rowstride * (src_height - 1); + line_bufs[j] = (guchar *)src_buf + (gsize)src_rowstride * (src_height - 1); y_start++; } @@ -1348,7 +1348,7 @@ pixops_process (guchar *dest_buf, } new_outbuf = (*line_func) (run_weights, filter->x.n, filter->y.n, - outbuf, dest_x, dest_buf + dest_rowstride * + outbuf, dest_x, dest_buf + (gsize)dest_rowstride * i + run_end_index * dest_channels, dest_channels, dest_has_alpha, line_bufs, src_channels, src_has_alpha, @@ -1866,7 +1866,7 @@ _pixops_composite (guchar *dest_buf, return; #endif - new_dest_buf = dest_buf + dest_y * dest_rowstride + dest_x * dest_channels; + new_dest_buf = dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x * dest_channels; render_x0 = dest_x - offset_x; render_y0 = dest_y - offset_y; render_x1 = dest_x + dest_region_width - offset_x; @@ -2026,7 +2026,7 @@ pixops_medialib_composite (guchar *dest_buf, if (!use_medialib) { /* Use non-mediaLib version */ - _pixops_composite_real (dest_buf + dest_y * dest_rowstride + dest_x * + _pixops_composite_real (dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x * dest_channels, dest_x - offset_x, dest_y - offset_y, dest_x + dest_region_width - offset_x, dest_y + dest_region_height - offset_y, @@ -2068,8 +2068,8 @@ pixops_medialib_composite (guchar *dest_buf, } else { - mlib_u8 *data = dest_buf + (dest_y * dest_rowstride) + - (dest_x * dest_channels); + mlib_u8 *data = dest_buf + (gsize)dest_y * dest_rowstride + + (gsize)dest_x * dest_channels; mlib_ImageSetStruct (&img_dest, MLIB_BYTE, dest_channels, dest_region_width, dest_region_height, @@ -2136,8 +2136,8 @@ pixops_medialib_composite (guchar *dest_buf, else { /* Should not happen - Use non-mediaLib version */ - _pixops_composite_real (dest_buf + dest_y * dest_rowstride + - dest_x * dest_channels, + _pixops_composite_real (dest_buf + (gsize)dest_y * dest_rowstride + + (gsize)dest_x * dest_channels, dest_x - offset_x, dest_y - offset_y, dest_x + dest_region_width - offset_x, dest_y + dest_region_height - offset_y, @@ -2260,7 +2260,7 @@ _pixops_scale (guchar *dest_buf, return; #endif - new_dest_buf = dest_buf + dest_y * dest_rowstride + dest_x * dest_channels; + new_dest_buf = dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x * dest_channels; render_x0 = dest_x - offset_x; render_y0 = dest_y - offset_y; render_x1 = dest_x + dest_region_width - offset_x; @@ -2314,8 +2314,8 @@ pixops_medialib_scale (guchar *dest_buf, */ if (!use_medialib) { - _pixops_scale_real (dest_buf + dest_y * dest_rowstride + dest_x * - dest_channels, dest_x - offset_x, dest_y - offset_y, + _pixops_scale_real (dest_buf + (gsize)dest_y * dest_rowstride + (gsize)dest_x * + dest_channels, dest_x - offset_x, dest_y - offset_y, dest_x + dest_region_width - offset_x, dest_y + dest_region_height - offset_y, dest_rowstride, dest_channels, dest_has_alpha, @@ -2343,8 +2343,8 @@ pixops_medialib_scale (guchar *dest_buf, } else { - mlib_u8 *data = dest_buf + (dest_y * dest_rowstride) + - (dest_x * dest_channels); + mlib_u8 *data = dest_buf + (gsize)dest_y * dest_rowstride + + (gsize)dest_x * dest_channels; mlib_ImageSetStruct (&img_dest, MLIB_BYTE, dest_channels, dest_region_width, dest_region_height, @@ -2379,7 +2379,7 @@ pixops_medialib_scale (guchar *dest_buf, int channels = 3; int rowstride = (channels * src_width + 3) & ~3; - tmp_buf = g_malloc (src_rowstride * src_height); + tmp_buf = g_malloc_n (src_rowstride, src_height); if (src_buf != NULL) { -- 2.5.1