From cb6a5f76681cbd575a997450a9f33e729f459b05 Mon Sep 17 00:00:00 2001
From: ludwig
Date: Tue, 12 Feb 2008 10:03:43 +0000
Subject: integer overflow safeguards
git-svn-id: svn://svn.icculus.org/quake3/trunk@1254 edf5b092-35ff-0310-97b2-ce42778d08ea
---
 code/renderer/tr_image_png.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/code/renderer/tr_image_png.c b/code/renderer/tr_image_png.c
index 30a8951..573ab12 100644
--- a/code/renderer/tr_image_png.c
+++ b/code/renderer/tr_image_png.c
@@ -23,6 +23,11 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 #include "../qcommon/puff.h"
+// we could limit the png size to a lower value here
+#ifndef INT_MAX
+#define INT_MAX 0x1fffffff
+#endif
+
 /*
 =================
 PNG LOADING
@@ -287,7 +292,7 @@ static void CloseBufferedFile(struct BufferedFile *BF)
 * Get a pointer to the requested bytes.
 */
-static void *BufferedFileRead(struct BufferedFile *BF, int Length)
+static void *BufferedFileRead(struct BufferedFile *BF, unsigned Length)
 {
 void *RetVal;
@@ -329,9 +334,9 @@ static void *BufferedFileRead(struct BufferedFile *BF, int Length)
 * Rewind the buffer.
 */
-static qboolean BufferedFileRewind(struct BufferedFile *BF, int Offset)
+static qboolean BufferedFileRewind(struct BufferedFile *BF, unsigned Offset)
 {
- int BytesRead;
+ unsigned BytesRead;
 /*
 * input verification
@@ -346,7 +351,7 @@ static qboolean BufferedFileRewind(struct BufferedFile *BF, int Offset)
 * special trick to rewind to the beginning of the buffer
 */
- if(Offset == -1)
+ if(Offset == (unsigned)-1)
 {
 BF->Ptr = BF->Buffer;
 BF->BytesLeft = BF->Length;
@@ -383,7 +388,7 @@ static qboolean BufferedFileRewind(struct BufferedFile *BF, int Offset)
 * Skip some bytes.
 */
-static qboolean BufferedFileSkip(struct BufferedFile *BF, int Offset)
+static qboolean BufferedFileSkip(struct BufferedFile *BF, unsigned Offset)
 {
 /*
 * input verification
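Review bot: The fallback `#define INT_MAX 0x1fffffff` added near the top of tr_image_png.c only takes effect when no earlier header has already defined INT_MAX, so the cap that the comment describes depends on include order and is silently the platform's INT_MAX whenever limits.h has been pulled in. Reusing a standard-library macro name for a tunable limit also risks a conflicting redefinition if limits.h is included after this point. A dedicated constant would make the limit explicit, for example `#define PNG_MAX_IMAGE_BYTES 0x1fffffff` (the name is only a suggestion), with the size check in LoadPNG comparing against it.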
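Review bot: Changing `Length` in BufferedFileRead from `int` to `unsigned` means a negative value computed by a caller now arrives as a very large length instead of being rejectable with a sign test, so the function depends entirely on an upper-bound comparison against `BF->BytesLeft`; the same applies to `Offset` in BufferedFileRewind and BufferedFileSkip in the later hunks. The function bodies and the declaration of struct BufferedFile are outside these hunks, so it cannot be confirmed from here that such a comparison exists or that the fields it reads are unsigned as well. I would add a line to each function's header comment such as `* Length is unsigned: callers must not pass the result of a signed subtraction that may be negative.`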
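Review bot: `if(Offset == (unsigned)-1)` keeps the rewind-to-start sentinel as a bare magic value, and after the type change the largest unsigned value can no longer be told apart from a genuine offset. Callers that still pass a literal `-1` work only through implicit conversion, which is easy to break in a later edit. A named constant would document the intent, for example `#define BUFFEREDFILE_REWIND_ALL ((unsigned)-1)` used here and at the call sites (the name is a suggestion; the callers are outside this hunk). BufferedFileRewind's body continues beyond the hunk.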
@@ -2041,10 +2046,13 @@ void LoadPNG(const char *name, byte **pic, int *width, int *height)
 * Check if Width and Height are valid.
 */
- if(!((IHDR_Width > 0) && (IHDR_Height > 0)))
+ if(!((IHDR_Width > 0) && (IHDR_Height > 0))
+ || IHDR_Width > INT_MAX / Q3IMAGE_BYTESPERPIXEL / IHDR_Height)
 {
 CloseBufferedFile(ThePNG);
+ Com_Printf(S_COLOR_YELLOW "%s: invalid image size\n", name);
+
 return;
 }
-- 
cgit v1.2.3
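Review bot: The added bound `IHDR_Width > INT_MAX / Q3IMAGE_BYTESPERPIXEL / IHDR_Height` covers only Width * Height * Q3IMAGE_BYTESPERPIXEL, so any other size that LoadPNG derives from the header (for example a per-row filter byte or a wider source pixel format) would need its own check; those computations are outside this hunk and may already be safe. The division by `IHDR_Height` is protected only by the short-circuit on the first operand, which is worth stating next to the condition so a later reordering does not introduce a division by zero. Suggested comment above the test: `/* Height > 0 is tested first, so the division is safe; rejects Width * Height * Q3IMAGE_BYTESPERPIXEL > INT_MAX */`. LoadPNG starts and ends outside the hunk.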