Prevent overflow in rowlen and improve inaccuracies in style

author: FRIGN <dev@frign.de> 2016-03-18 19:49:11 +0100
committer: FRIGN <dev@frign.de> 2016-03-18 19:49:11 +0100
commit: e637aae67ededf6a4a0b4d490d02f3294f297b71 (patch)
tree: 8f09a69a6f68aed99205239f6eef1c11d3943b47
parent: 49cef794d9cef3c1ab8478963a7f778c8c28eb70 (diff)
3 files changed, 14 insertions, 8 deletions
diff --git a/ff2png.c b/ff2png.c
index bf210fb..4304bbb 100644
--- a/ff2png.c
+++ b/ff2png.c
@@ -61,7 +61,11 @@ main(int argc, char *argv[])
 	png_write_info(pngs, pngi);
 
 	/* write rows */
-	rowlen = (sizeof("RGBA") - 1) * width;
+	if (width > SIZE_MAX / ((sizeof("RGBA") - 1) * sizeof(uint16_t))) {
+		fprintf(stderr, "%s: row length integer overflow\n", argv0);
+		return 1;
+	}
+	rowlen = width * (sizeof("RGBA") - 1);
 	if (!(row = malloc(rowlen * sizeof(uint16_t)))) {
 		fprintf(stderr, "%s: malloc: out of memory\n", argv0);
 		return 1;
diff --git a/jpg2ff.c b/jpg2ff.c
index dc5b060..8ebc81d 100644
--- a/jpg2ff.c
+++ b/jpg2ff.c
@@ -5,7 +5,6 @@
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
 
 #include <jpeglib.h>
 
@@ -58,7 +57,7 @@ main(int argc, char *argv[])
 	jpgrow = (*js.mem->alloc_sarray)((j_common_ptr)&js,
 	                                 JPOOL_IMAGE, width *
 	                                 js.output_components, 1);
-	rowlen = strlen("RGBA") * width;
+	rowlen = width * (sizeof("RGBA") - 1);
 	if(!(row = malloc(rowlen * sizeof(uint16_t)))) {
 		fprintf(stderr, "%s: malloc: out of memory\n", argv0);
 		return 1;
@@ -89,7 +88,7 @@ main(int argc, char *argv[])
 		}
 
 		/* write data */
-		if (fwrite(row, 2, rowlen, stdout) != rowlen)
+		if (fwrite(row, sizeof(uint16_t), rowlen, stdout) != rowlen)
 			goto writerr;
 	}
 	jpeg_finish_decompress(&js);
diff --git a/png2ff.c b/png2ff.c
index cf85b32..55456e3 100644
--- a/png2ff.c
+++ b/png2ff.c
@@ -5,7 +5,6 @@
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
 
 #include <png.h>
 
@@ -57,7 +56,11 @@ main(int argc, char *argv[])
 	pngrows = png_get_rows(pngs, pngi);
 
 	/* allocate output row buffer */
-	rowlen = width * strlen("RGBA");
+	if (width > SIZE_MAX / ((sizeof("RGBA") - 1) * sizeof(uint16_t))) {
+		fprintf(stderr, "%s: row length integer overflow\n", argv0);
+		return 1;
+	}
+	rowlen = width * (sizeof("RGBA") - 1);
 	if (!(row = malloc(rowlen * sizeof(uint16_t)))) {
 		fprintf(stderr, "%s: malloc: out of memory\n", argv0);
 		return 1;
@@ -87,8 +90,8 @@ main(int argc, char *argv[])
 		break;
 	case 16:
 		for (r = 0; r < height; ++r) {
-			if (fwrite(pngrows[r], sizeof(uint16_t),
-			           rowlen, stdout) != rowlen) {
+			if (fwrite(pngrows[r], sizeof(uint16_t), rowlen,
+			           stdout) != rowlen) {
 				goto writerr;
 			}
 		}
author	FRIGN <dev@frign.de>	2016-03-18 19:49:11 +0100
committer	FRIGN <dev@frign.de>	2016-03-18 19:49:11 +0100
commit	e637aae67ededf6a4a0b4d490d02f3294f297b71 (patch)
tree	8f09a69a6f68aed99205239f6eef1c11d3943b47
parent	49cef794d9cef3c1ab8478963a7f778c8c28eb70 (diff)