Skip to content

Commit

Permalink
prevent integer overflow
Browse files Browse the repository at this point in the history
  • Loading branch information
Cristy committed Oct 4, 2023
1 parent 2a88880 commit 6b472d8
Showing 1 changed file with 14 additions and 5 deletions.
19 changes: 14 additions & 5 deletions magick/cache.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2925,14 +2925,21 @@ static inline ssize_t EdgeY(const ssize_t y,const size_t rows)
return(y);
}

static inline MagickBooleanType IsOffsetOverflow(const ssize_t x,const size_t y)
{
if (((y > 0) && (x > (MAGICK_SSIZE_MAX-y))) ||
((y < 0) && (x < (MAGICK_SSIZE_MIN-y))))
return(MagickFalse);
return(MagickTrue);
}

static inline MagickBooleanType IsValidOffset(const ssize_t y,
const size_t columns)
{
if (columns == 0)
return(MagickTrue);
if (y >= (MAGICK_SSIZE_MAX/(ssize_t) columns))
return(MagickFalse);
if (y <= (MAGICK_SSIZE_MIN/(ssize_t) columns))
if ((y >= (MAGICK_SSIZE_MAX/(ssize_t) columns)) ||
(y <= (MAGICK_SSIZE_MIN/(ssize_t) columns)))
return(MagickFalse);
return(MagickTrue);
}
Expand Down Expand Up @@ -3025,8 +3032,10 @@ MagickExport const PixelPacket *GetVirtualPixelCacheNexus(const Image *image,
return((const PixelPacket *) NULL);
if (IsValidOffset(nexus_info->region.y,cache_info->columns) == MagickFalse)
return((const PixelPacket *) NULL);
offset=nexus_info->region.y*(MagickOffsetType) cache_info->columns+
nexus_info->region.x;
offset=nexus_info->region.y*(MagickOffsetType) cache_info->columns;
if (IsOffsetOverflow(offset,nexus_info->region.x) == MagickFalse)
return((const PixelPacket *) NULL);
offset+=nexus_info->region.x;
length=(MagickSizeType) (nexus_info->region.height-1L)*cache_info->columns+
nexus_info->region.width-1L;
number_pixels=(MagickSizeType) cache_info->columns*cache_info->rows;
Expand Down

0 comments on commit 6b472d8

Please sign in to comment.