[librsvg] Avoid overflow in gint multiplication
- From: Federico Mena Quintero <federico src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [librsvg] Avoid overflow in gint multiplication
- Date: Sat, 7 Feb 2015 00:03:50 +0000 (UTC)
commit 53c50caecc970aef91cf8e3f1fde919f848d6f0c
Author: Federico Mena Quintero <federico gnome org>
Date: Fri Feb 6 16:33:25 2015 -0600
Avoid overflow in gint multiplication
In the convolution matrix filter code, we read the orderx and ordery for the convolution
matrix. However, multiplying them as gints may overflow.
Found by fuzz testing when orderx = ordery = 65536
Fuzz testing kindly provided by Atte Kettunen <attekett gmail com>
From librsvg-fuzz case rsvgconvert-060-3ef-705-f72.svg
Signed-off-by: Federico Mena Quintero <federico gnome org>
rsvg-filter.c | 7 +++----
1 files changed, 3 insertions(+), 4 deletions(-)
---
diff --git a/rsvg-filter.c b/rsvg-filter.c
index 0d7e77b..f2596cf 100644
--- a/rsvg-filter.c
+++ b/rsvg-filter.c
@@ -1251,9 +1251,8 @@ rsvg_filter_primitive_convolve_matrix_set_atts (RsvgNode * self,
if ((value = rsvg_property_bag_lookup (atts, "order"))) {
double tempx, tempy;
rsvg_css_parse_number_optional_number (value, &tempx, &tempy);
- filter->orderx = tempx;
- filter->ordery = tempy;
-
+ filter->orderx = MAX (tempx, G_MAXINT);
+ filter->ordery = MAX (tempy, G_MAXINT);
}
if ((value = rsvg_property_bag_lookup (atts, "kernelUnitLength")))
rsvg_css_parse_number_optional_number (value, &filter->dx, &filter->dy);
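Review bot: In the two added assignments, `MAX (tempx, G_MAXINT)` and `MAX (tempy, G_MAXINT)` select the larger of the parsed value and G_MAXINT, so they set a floor rather than a ceiling. An ordinary order such as 3 is stored as G_MAXINT, and a parsed value above G_MAXINT is still passed through to the double-to-gint conversion, where it is out of range. To clamp the upper bound these should be `MIN (tempx, G_MAXINT)` and `MIN (tempy, G_MAXINT)`. The hunk also sets no lower bound, so a negative or non-finite tempx or tempy would still reach the assignment; a range check before the assignment would cover both ends.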
@@ -1273,7 +1272,7 @@ rsvg_filter_primitive_convolve_matrix_set_atts (RsvgNode * self,
rsvg_defs_register_name (ctx->priv->defs, value, &filter->super.super);
}
- if ((gint) listlen != filter->orderx * filter->ordery)
+ if ((gint64) listlen != (gint64) filter->orderx * filter->ordery)
filter->orderx = filter->ordery = 0;
if (filter->divisor == 0) {
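Review bot: The changed comparison does not look at sign, so two negative orders whose product equals listlen would pass the check; unless negatives are rejected elsewhere, consider also requiring `filter->orderx > 0 && filter->ordery > 0` before accepting the matrix. Separately, the product is 64-bit only because the `(gint64)` cast binds to `filter->orderx` before the multiplication. Casting both operands, or adding a short comment, would keep a later edit from reintroducing the 32-bit multiply.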