-rw-r--r-- | ff2png.c | 6 | ||||
-rw-r--r-- | jpg2ff.c | 5 | ||||
-rw-r--r-- | png2ff.c | 11 |
3 files changed, 14 insertions, 8 deletions
@@ -61,7 +61,11 @@ main(int argc, char *argv[])
 png_write_info(pngs, pngi);
 /* write rows */
- rowlen = (sizeof("RGBA") - 1) * width;
+ if (width > SIZE_MAX / ((sizeof("RGBA") - 1) * sizeof(uint16_t))) {
+ fprintf(stderr, "%s: row length integer overflow\n", argv0);
+ return 1;
+ }
+ rowlen = width * (sizeof("RGBA") - 1);
 if (!(row = malloc(rowlen * sizeof(uint16_t)))) {
 fprintf(stderr, "%s: malloc: out of memory\n", argv0);
 return 1;
@@ -5,7 +5,6 @@
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
 #include <jpeglib.h>
@@ -58,7 +57,7 @@ main(int argc, char *argv[])
 jpgrow = (*js.mem->alloc_sarray)((j_common_ptr)&js, JPOOL_IMAGE, width * js.output_components, 1);
- rowlen = strlen("RGBA") * width;
+ rowlen = width * (sizeof("RGBA") - 1);
 if(!(row = malloc(rowlen * sizeof(uint16_t)))) {
 fprintf(stderr, "%s: malloc: out of memory\n", argv0);
 return 1;
@@ -89,7 +88,7 @@ main(int argc, char *argv[])
 }
 /* write data */
- if (fwrite(row, 2, rowlen, stdout) != rowlen)
+ if (fwrite(row, sizeof(uint16_t), rowlen, stdout) != rowlen)
 goto writerr;
 }
 jpeg_finish_decompress(&js);
@@ -5,7 +5,6 @@
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
 #include <png.h>
@@ -57,7 +56,11 @@ main(int argc, char *argv[])
 pngrows = png_get_rows(pngs, pngi);
 /* allocate output row buffer */
- rowlen = width * strlen("RGBA");
+ if (width > SIZE_MAX / ((sizeof("RGBA") - 1) * sizeof(uint16_t))) {
+ fprintf(stderr, "%s: row length integer overflow\n", argv0);
+ return 1;
+ }
+ rowlen = width * (sizeof("RGBA") - 1);
 if (!(row = malloc(rowlen * sizeof(uint16_t)))) {
 fprintf(stderr, "%s: malloc: out of memory\n", argv0);
 return 1;
@@ -87,8 +90,8 @@ main(int argc, char *argv[])
 break;
 case 16:
 for (r = 0; r < height; ++r) {
- if (fwrite(pngrows[r], sizeof(uint16_t),
- rowlen, stdout) != rowlen) {
+ if (fwrite(pngrows[r], sizeof(uint16_t), rowlen,
+ stdout) != rowlen) {
 goto writerr;
 }
 } |
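Review bot: The width guard added in the first hunk (`@@ -61,7 +61,11 @@`, ff2png.c going by the diffstat) sits after `png_write_info(pngs, pngi);`, so an input rejected for an oversized width has presumably already had PNG header data emitted, and the consumer is left with a truncated file plus a non-zero exit. Moving the check to the point where `width` is first read from the input header, before any output is produced, would make the rejection clean. That code lies outside the hunk, so the exact spot needs confirming against the full file. The guard itself bounds the same product that is later passed to `malloc(rowlen * sizeof(uint16_t))`, which is the right quantity to check.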
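Review bot: The jpg2ff.c hunk at `@@ -58,7 +57,7 @@` rewrites `rowlen` but does not get the `if (width > SIZE_MAX / ((sizeof("RGBA") - 1) * sizeof(uint16_t)))` guard that this commit adds in front of the identical `malloc(rowlen * sizeof(uint16_t))` in ff2png.c and png2ff.c. If the omission is deliberate because libjpeg caps image dimensions (`JPEG_MAX_DIMENSION`), a one-line comment above `rowlen = width * (sizeof("RGBA") - 1);` stating that assumption would keep the three tools comparable. Otherwise the same check belongs here, since a wrapped product would give a row buffer smaller than what the per-row conversion writes. The type of `width` and the conversion loop are outside the hunk, so this should be confirmed against the full file.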