r1254 - trunk/code/renderer
DONOTREPLY at icculus.org
DONOTREPLY at icculus.org
Tue Feb 12 05:03:46 EST 2008
Author: ludwig
Date: 2008-02-12 05:03:43 -0500 (Tue, 12 Feb 2008)
New Revision: 1254
Modified:
trunk/code/renderer/tr_image_png.c
Log:
integer overflow safeguards
Modified: trunk/code/renderer/tr_image_png.c
===================================================================
--- trunk/code/renderer/tr_image_png.c 2008-02-12 10:03:21 UTC (rev 1253)
+++ trunk/code/renderer/tr_image_png.c 2008-02-12 10:03:43 UTC (rev 1254)
@@ -23,6 +23,11 @@
#include "../qcommon/puff.h"
+// we could limit the png size to a lower value here
+#ifndef INT_MAX
+#define INT_MAX 0x1fffffff
+#endif
+
/*
=================
PNG LOADING
@@ -287,7 +292,7 @@
* Get a pointer to the requested bytes.
*/
-static void *BufferedFileRead(struct BufferedFile *BF, int Length)
+static void *BufferedFileRead(struct BufferedFile *BF, unsigned Length)
{
void *RetVal;
@@ -329,9 +334,9 @@
* Rewind the buffer.
*/
-static qboolean BufferedFileRewind(struct BufferedFile *BF, int Offset)
+static qboolean BufferedFileRewind(struct BufferedFile *BF, unsigned Offset)
{
- int BytesRead;
+ unsigned BytesRead;
/*
* input verification
@@ -346,7 +351,7 @@
* special trick to rewind to the beginning of the buffer
*/
- if(Offset == -1)
+ if(Offset == (unsigned)-1)
{
BF->Ptr = BF->Buffer;
BF->BytesLeft = BF->Length;
@@ -383,7 +388,7 @@
* Skip some bytes.
*/
-static qboolean BufferedFileSkip(struct BufferedFile *BF, int Offset)
+static qboolean BufferedFileSkip(struct BufferedFile *BF, unsigned Offset)
{
/*
* input verification
@@ -2041,10 +2046,13 @@
* Check if Width and Height are valid.
*/
- if(!((IHDR_Width > 0) && (IHDR_Height > 0)))
+ if(!((IHDR_Width > 0) && (IHDR_Height > 0))
+ || IHDR_Width > INT_MAX / Q3IMAGE_BYTESPERPIXEL / IHDR_Height)
{
CloseBufferedFile(ThePNG);
+ Com_Printf(S_COLOR_YELLOW "%s: invalid image size\n", name);
+
return;
}
More information about the quake3-commits
mailing list