aboutsummaryrefslogtreecommitdiffstats
path: root/code
diff options
context:
space:
mode:
authorludwig <ludwig@edf5b092-35ff-0310-97b2-ce42778d08ea>2008-02-12 10:03:43 +0000
committerludwig <ludwig@edf5b092-35ff-0310-97b2-ce42778d08ea>2008-02-12 10:03:43 +0000
commitcb6a5f76681cbd575a997450a9f33e729f459b05 (patch)
treec5f2bf8de185c23737bff23becd604e88ff0f376 /code
parent076d997a8181c536a593075367602b0676ddcefd (diff)
downloadioquake3-aero-cb6a5f76681cbd575a997450a9f33e729f459b05.tar.gz
ioquake3-aero-cb6a5f76681cbd575a997450a9f33e729f459b05.zip
integer overflow safeguards
git-svn-id: svn://svn.icculus.org/quake3/trunk@1254 edf5b092-35ff-0310-97b2-ce42778d08ea
Diffstat (limited to 'code')
-rw-r--r--code/renderer/tr_image_png.c20
1 files changed, 14 insertions, 6 deletions
diff --git a/code/renderer/tr_image_png.c b/code/renderer/tr_image_png.c
index 30a8951..573ab12 100644
--- a/code/renderer/tr_image_png.c
+++ b/code/renderer/tr_image_png.c
@@ -23,6 +23,11 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#include "../qcommon/puff.h"
+// we could limit the png size to a lower value here
+#ifndef INT_MAX
+#define INT_MAX 0x1fffffff
+#endif
+
/*
=================
PNG LOADING
@@ -287,7 +292,7 @@ static void CloseBufferedFile(struct BufferedFile *BF)
* Get a pointer to the requested bytes.
*/
-static void *BufferedFileRead(struct BufferedFile *BF, int Length)
+static void *BufferedFileRead(struct BufferedFile *BF, unsigned Length)
{
void *RetVal;
@@ -329,9 +334,9 @@ static void *BufferedFileRead(struct BufferedFile *BF, int Length)
* Rewind the buffer.
*/
-static qboolean BufferedFileRewind(struct BufferedFile *BF, int Offset)
+static qboolean BufferedFileRewind(struct BufferedFile *BF, unsigned Offset)
{
- int BytesRead;
+ unsigned BytesRead;
/*
* input verification
@@ -346,7 +351,7 @@ static qboolean BufferedFileRewind(struct BufferedFile *BF, int Offset)
* special trick to rewind to the beginning of the buffer
*/
- if(Offset == -1)
+ if(Offset == (unsigned)-1)
{
BF->Ptr = BF->Buffer;
BF->BytesLeft = BF->Length;
@@ -383,7 +388,7 @@ static qboolean BufferedFileRewind(struct BufferedFile *BF, int Offset)
* Skip some bytes.
*/
-static qboolean BufferedFileSkip(struct BufferedFile *BF, int Offset)
+static qboolean BufferedFileSkip(struct BufferedFile *BF, unsigned Offset)
{
/*
* input verification
@@ -2041,10 +2046,13 @@ void LoadPNG(const char *name, byte **pic, int *width, int *height)
* Check if Width and Height are valid.
*/
- if(!((IHDR_Width > 0) && (IHDR_Height > 0)))
+ if(!((IHDR_Width > 0) && (IHDR_Height > 0))
+ || IHDR_Width > INT_MAX / Q3IMAGE_BYTESPERPIXEL / IHDR_Height)
{
CloseBufferedFile(ThePNG);
+ Com_Printf(S_COLOR_YELLOW "%s: invalid image size\n", name);
+
return;
}