diff options
author | Bastien Nocera <hadess@hadess.net> | 2017-12-05 10:26:49 +0100 |
---|---|---|
committer | Bastien Nocera <hadess@hadess.net> | 2017-12-05 11:38:54 +0100 |
commit | 1e513abdb55529f888233d3c96b27352d83aad5f (patch) | |
tree | af31e1c4add7cf5b9c8e7e3f613e100a76d255ea | |
parent | 8e60f4b0278c12c28b4a9145eb8835fb9c9ec04c (diff) | |
download | gdk-pixbuf-1e513abdb55529f888233d3c96b27352d83aad5f.tar.gz |
tiff: Avoid overflowing buffer size computation
Use g_uint_checked_mul() to avoid overflowing the guint used for buffer
size calculation.
https://bugzilla.gnome.org/show_bug.cgi?id=779020
-rw-r--r-- | gdk-pixbuf/io-tiff.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/gdk-pixbuf/io-tiff.c b/gdk-pixbuf/io-tiff.c index 7ca0a565a..49fe60eee 100644 --- a/gdk-pixbuf/io-tiff.c +++ b/gdk-pixbuf/io-tiff.c @@ -529,8 +529,15 @@ make_available_at_least (TiffContext *context, guint needed) need_alloc = context->used + needed; if (need_alloc > context->allocated) { guint new_size = 1; - while (new_size < need_alloc) - new_size *= 2; + while (new_size < need_alloc) { + if (!g_uint_checked_mul (&new_size, new_size, 2)) { + new_size = 0; + break; + } + } + + if (new_size == 0) + return FALSE; new_buffer = g_try_realloc (context->buffer, new_size); if (new_buffer) { |