diff options
author | tabe <none@none> | 2008-07-30 01:53:13 +0000 |
---|---|---|
committer | tabe <none@none> | 2008-07-30 01:53:13 +0000 |
commit | 84f0bdeb962b564d32f92369abe59bc912ddf98e (patch) | |
tree | d46b32151f53e6119acc53f9f6a8f858a11c5cd4 /src | |
parent | ea53082be1411bb3e80066dae5102876c669e05b (diff) | |
download | libgd-84f0bdeb962b564d32f92369abe59bc912ddf98e.tar.gz |
check integer overflows.
Diffstat (limited to 'src')
-rw-r--r-- | src/gd_nnquant.c | 4 | ||||
-rw-r--r-- | src/gd_tga.c | 4 |
2 files changed, 8 insertions, 0 deletions
diff --git a/src/gd_nnquant.c b/src/gd_nnquant.c index c9f6859..7e07160 100644 --- a/src/gd_nnquant.c +++ b/src/gd_nnquant.c @@ -496,6 +496,10 @@ BGD_DECLARE(gdImagePtr) gdImageNeuQuant(gdImagePtr im, const int max_color, int * It alos lets us convert palette image, if one likes to reduce * a palette */ + if (overflow2(gdImageSX(im), gdImageSY(im)) + || overflow2(gdImageSX(im) * gdImageSY(im), 4)) { + goto done; + } rgba = (unsigned char *) gdMalloc(gdImageSX(im) * gdImageSY(im) * 4); if (!rgba) { goto done; diff --git a/src/gd_tga.c b/src/gd_tga.c index 3f18451..f04ebec 100644 --- a/src/gd_tga.c +++ b/src/gd_tga.c @@ -202,6 +202,10 @@ int read_image_tga( gdIOCtx *ctx, oTga *tga ) { return -1; } + if(overflow2(image_block_size, sizeof(byte))) { + return -1; + } + /*! \brief Allocate memmory for image block * Allocate a chunk of memory for the image block to be passed into. */ |