[Gnash-commit] [SCM] Gnash branch, master, updated. release_0_8_9

gnash-commit

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Gnash-commit] [SCM] Gnash branch, master, updated. release_0_8_9_final-

From:	Benjamin Wolsey
Subject:	[Gnash-commit] [SCM] Gnash branch, master, updated. release_0_8_9_final-1437-gbb4dc77
Date:	Sun, 11 Mar 2012 08:37:38 +0000

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Gnash".

The branch, master has been updated
       via  bb4dc77eecb6ed1b967e3ecbce3dac6c5e6f1527 (commit)
      from  031ebbff7f9f41bfd88938e2e66bac00928b7de1 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://git.savannah.gnu.org/cgit//commit/?id=bb4dc77eecb6ed1b967e3ecbce3dac6c5e6f1527


commit bb4dc77eecb6ed1b967e3ecbce3dac6c5e6f1527
Author: Benjamin Wolsey <address@hidden>
Date:   Sat Mar 10 15:52:50 2012 +0100

    Fix crash in GnashImage.cpp

diff --git a/libbase/GnashImage.cpp b/libbase/GnashImage.cpp
index 11c6956..03a6939 100644
--- a/libbase/GnashImage.cpp
+++ b/libbase/GnashImage.cpp
@@ -26,6 +26,7 @@
 #include <boost/scoped_array.hpp>
 #include <boost/shared_ptr.hpp>
 #include <algorithm>
+#include <cassert>
 
 #ifdef USE_PNG
 # include "GnashImagePng.h"
@@ -44,6 +45,21 @@ namespace image {
 
 namespace {
     void processAlpha(GnashImage::iterator imageData, size_t pixels);
+    bool checkValidSize(size_t width, size_t height, size_t channels) {
+
+        if (width == 0 || height == 0) return false;
+
+        assert(channels > 0);
+
+        boost::uint32_t maxSize = std::numeric_limits<boost::int32_t>::max();
+        if (width >= maxSize || height >= maxSize) return false;
+
+        maxSize /= channels;
+        maxSize /= width;
+        maxSize /= height;
+
+        return maxSize > 0;
+    }
 }
 
 GnashImage::GnashImage(iterator data, size_t width, size_t height,
@@ -55,6 +71,8 @@ GnashImage::GnashImage(iterator data, size_t width, size_t 
height,
     _height(height),
     _data(data)
 {
+    // Callers should check dimensions
+    assert(checkValidSize(_width, _height, channels()));
 }
 
 /// Create an image allocating a buffer of height*pitch bytes
@@ -66,8 +84,9 @@ GnashImage::GnashImage(size_t width, size_t height, ImageType 
type,
     _width(width),
     _height(height)
 {
-    const size_t max = std::numeric_limits<boost::int32_t>::max();
-    if (size() > max) {
+    // Constructed from external input, so restrict dimensions to avoid
+    // overflow in size calculations
+    if (!checkValidSize(_width, _height, channels())) {
         throw std::bad_alloc();
     }
     _data.reset(new value_type[size()]);

-----------------------------------------------------------------------

Summary of changes:
 libbase/GnashImage.cpp |   23 +++++++++++++++++++++--
 1 files changed, 21 insertions(+), 2 deletions(-)


hooks/post-receive
-- 
Gnash

[Prev in Thread]

Current Thread

[Next in Thread]

[Gnash-commit] [SCM] Gnash branch, master, updated. release_0_8_9_final-1437-gbb4dc77, Benjamin Wolsey <=

Prev by Date: [Gnash-commit] buildbot success in Gnash on natty-linux-i386
Next by Date: [Gnash-commit] buildbot success in Gnash on lenny-linux-x86
Previous by thread: [Gnash-commit] buildbot success in Gnash on natty-linux-i386
Next by thread: [Gnash-commit] buildbot success in Gnash on lenny-linux-x86
Index(es):
- Date
- Thread