farbfeld

suckless image format with conversion tools
git clone git://git.suckless.org/farbfeld
Log | Files | Refs | README | LICENSE

commit e637aae67ededf6a4a0b4d490d02f3294f297b71
parent 49cef794d9cef3c1ab8478963a7f778c8c28eb70
Author: FRIGN <dev@frign.de>
Date:   Fri, 18 Mar 2016 19:49:11 +0100

Prevent overflow in rowlen and improve inaccuracies in style

Diffstat:
Mff2png.c | 6+++++-
Mjpg2ff.c | 5++---
Mpng2ff.c | 11+++++++----
3 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/ff2png.c b/ff2png.c @@ -61,7 +61,11 @@ main(int argc, char *argv[]) png_write_info(pngs, pngi); /* write rows */ - rowlen = (sizeof("RGBA") - 1) * width; + if (width > SIZE_MAX / ((sizeof("RGBA") - 1) * sizeof(uint16_t))) { + fprintf(stderr, "%s: row length integer overflow\n", argv0); + return 1; + } + rowlen = width * (sizeof("RGBA") - 1); if (!(row = malloc(rowlen * sizeof(uint16_t)))) { fprintf(stderr, "%s: malloc: out of memory\n", argv0); return 1; diff --git a/jpg2ff.c b/jpg2ff.c @@ -5,7 +5,6 @@ #include <stdint.h> #include <stdio.h> #include <stdlib.h> -#include <string.h> #include <jpeglib.h> @@ -58,7 +57,7 @@ main(int argc, char *argv[]) jpgrow = (*js.mem->alloc_sarray)((j_common_ptr)&js, JPOOL_IMAGE, width * js.output_components, 1); - rowlen = strlen("RGBA") * width; + rowlen = width * (sizeof("RGBA") - 1); if(!(row = malloc(rowlen * sizeof(uint16_t)))) { fprintf(stderr, "%s: malloc: out of memory\n", argv0); return 1; @@ -89,7 +88,7 @@ main(int argc, char *argv[]) } /* write data */ - if (fwrite(row, 2, rowlen, stdout) != rowlen) + if (fwrite(row, sizeof(uint16_t), rowlen, stdout) != rowlen) goto writerr; } jpeg_finish_decompress(&js); diff --git a/png2ff.c b/png2ff.c @@ -5,7 +5,6 @@ #include <stdint.h> #include <stdio.h> #include <stdlib.h> -#include <string.h> #include <png.h> @@ -57,7 +56,11 @@ main(int argc, char *argv[]) pngrows = png_get_rows(pngs, pngi); /* allocate output row buffer */ - rowlen = width * strlen("RGBA"); + if (width > SIZE_MAX / ((sizeof("RGBA") - 1) * sizeof(uint16_t))) { + fprintf(stderr, "%s: row length integer overflow\n", argv0); + return 1; + } + rowlen = width * (sizeof("RGBA") - 1); if (!(row = malloc(rowlen * sizeof(uint16_t)))) { fprintf(stderr, "%s: malloc: out of memory\n", argv0); return 1; @@ -87,8 +90,8 @@ main(int argc, char *argv[]) break; case 16: for (r = 0; r < height; ++r) { - if (fwrite(pngrows[r], sizeof(uint16_t), - rowlen, stdout) != rowlen) { + if (fwrite(pngrows[r], sizeof(uint16_t), rowlen, + stdout) != rowlen) { goto writerr; } }