| author | ludwig <ludwig@edf5b092-35ff-0310-97b2-ce42778d08ea> | 2008-02-12 10:03:43 +0000 | 
|---|---|---|
| committer | ludwig <ludwig@edf5b092-35ff-0310-97b2-ce42778d08ea> | 2008-02-12 10:03:43 +0000 | 
| commit | cb6a5f76681cbd575a997450a9f33e729f459b05 (patch) | |
| tree | c5f2bf8de185c23737bff23becd604e88ff0f376 /code | |
| parent | 076d997a8181c536a593075367602b0676ddcefd (diff) | |
integer overflow safeguards
git-svn-id: svn://svn.icculus.org/quake3/trunk@1254 edf5b092-35ff-0310-97b2-ce42778d08ea
Diffstat (limited to 'code')
| -rw-r--r-- | code/renderer/tr_image_png.c | 20 | 
1 files changed, 14 insertions, 6 deletions
diff --git a/code/renderer/tr_image_png.c b/code/renderer/tr_image_png.c
index 30a8951..573ab12 100644
--- a/code/renderer/tr_image_png.c
+++ b/code/renderer/tr_image_png.c
@@ -23,6 +23,11 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
 #include "../qcommon/puff.h"
+// we could limit the png size to a lower value here
+#ifndef INT_MAX
+#define INT_MAX 0x1fffffff
+#endif
+
 /*
 =================
 PNG LOADING
@@ -287,7 +292,7 @@ static void CloseBufferedFile(struct BufferedFile *BF)
  *  Get a pointer to the requested bytes.
  */
-static void *BufferedFileRead(struct BufferedFile *BF, int Length)
+static void *BufferedFileRead(struct BufferedFile *BF, unsigned Length)
 {
 	void *RetVal;
@@ -329,9 +334,9 @@ static void *BufferedFileRead(struct BufferedFile *BF, int Length)
  *  Rewind the buffer.
  */
-static qboolean BufferedFileRewind(struct BufferedFile *BF, int Offset)
+static qboolean BufferedFileRewind(struct BufferedFile *BF, unsigned Offset)
 {
-	int BytesRead; 
+	unsigned BytesRead; 
 	/*
 	 *  input verification
@@ -346,7 +351,7 @@ static qboolean BufferedFileRewind(struct BufferedFile *BF, int Offset)
 	 *  special trick to rewind to the beginning of the buffer
 	 */
-	if(Offset == -1)
+	if(Offset == (unsigned)-1)
 	{
 		BF->Ptr       = BF->Buffer;
 		BF->BytesLeft = BF->Length;
@@ -383,7 +388,7 @@ static qboolean BufferedFileRewind(struct BufferedFile *BF, int Offset)
  *  Skip some bytes.
  */
-static qboolean BufferedFileSkip(struct BufferedFile *BF, int Offset)
+static qboolean BufferedFileSkip(struct BufferedFile *BF, unsigned Offset)
 {
 	/*
 	 *  input verification
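Review bot: The fallback `#define INT_MAX 0x1fffffff` in the first hunk reuses a standard macro name with a value that is not the platform's `INT_MAX`, so the limit applied by the size check in `LoadPNG` depends on whether an earlier include has already brought in `<limits.h>`. If it has, the `#ifndef` block is dead and the comment about limiting the PNG size has no effect; if it has not, the cap is silently 0x1fffffff bytes. Either include `<limits.h>` explicitly, or give the cap its own name (illustrative: `#define PNG_MAX_IMAGE_BYTES 0x1fffffff`) and use that name in the check, so the limit is the same on every build.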
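Review bot: The `int` to `unsigned` change on `Length` in `BufferedFileRead`, and on `Offset` in `BufferedFileRewind` and `BufferedFileSkip` in the later hunks, is only as safe as the bounds checks inside those bodies, which lie outside the hunks. A caller that computes the argument by subtraction now passes a very large value instead of a negative one, so the upper-bound comparison is the only guard left. If `BF->BytesLeft` and `BF->Length` are still signed (their declarations are not shown), each comparison is now mixed signed/unsigned; making the fields `unsigned` too would keep the arithmetic in one domain. The header comments could also state the contract, e.g. `Length comes from the file and is untrusted; it must not exceed BF->BytesLeft`, assuming that is what the body enforces.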
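Review bot: In the `BufferedFileRewind` hunk, `(unsigned)-1` is now both the "rewind to the beginning" sentinel and a representable offset, and the cast hides that contract from call sites, which presumably still pass a literal `-1`. A named constant would document it in one place, for example `#define BUFFEREDFILE_REWIND_ALL ((unsigned)-1)` (name illustrative) with the comment `/* sentinel: rewind to the beginning of the buffer */`, used both here and by the callers. The rest of the function is outside this hunk.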
@@ -2041,10 +2046,13 @@ void LoadPNG(const char *name, byte **pic, int *width, int *height)
 	 *  Check if Width and Height are valid.
 	 */
-	if(!((IHDR_Width > 0) && (IHDR_Height > 0)))
+	if(!((IHDR_Width > 0) && (IHDR_Height > 0))
+	|| IHDR_Width > INT_MAX / Q3IMAGE_BYTESPERPIXEL / IHDR_Height)
 	{
 		CloseBufferedFile(ThePNG);
+		Com_Printf(S_COLOR_YELLOW "%s: invalid image size\n", name);
+
 		return; 
 	}
|
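Review bot: The added bound only covers the output buffer, `IHDR_Width * IHDR_Height * Q3IMAGE_BYTESPERPIXEL`. A PNG can carry 16-bit channels plus a filter byte per scanline, so any intermediate decode-buffer size that `LoadPNG` derives from the IHDR fields elsewhere (outside this hunk) may need its own overflow check. The division by `IHDR_Height` is safe only because `||` short-circuits when the height is zero; that deserves a comment such as `/* the division is evaluated only when IHDR_Height > 0 */` so a later reordering does not introduce a divide-by-zero. Since the file is untrusted input, a much lower cap on each dimension, as the comment in the first hunk hints, would also bound memory use rather than just preventing wraparound.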
