On Sun, 23 Nov 2008 20:22:27 +0100 Thomas Viehmann <[EMAIL PROTECTED]> wrote:
> > Concretely: can't w*h still overflow in the code above, for a
> > suitably crafted header?
>
> ptr and end are both DATA32*.
>
> ptr is initialized to
>
>     im->data = (DATA32 *) malloc(sizeof(DATA32) * im->w * im->h);
>
> (im->w and im->h are equal to w and h, respectively) and later on this
> is used as
>
>     for (i = 0;
>          ((i < 65536) && (ptr < end) && (line[i]));
>          i++)
>     {
>         ...
>         *ptr++ = ...
>     }
>
> I think this should be OK even if end ends up < ptr because one of
> w,h is negative for some reason or an overflow, but I'm more happy to
> be corrected than have imlib2 in the release with an incorrect
> patch. :)

The code also checks that w and h are positive and at most 8192.

-- 
Peter De Wachter
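The thread's two points, an allocation size that wraps when w*h is unchecked and the dimension bound that rules it out, written out as an added C example (not imlib2's code). DATA32, MAX_DIM and the helper names are assumptions made for the example; the unchecked expression mirrors the quoted malloc line.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

typedef uint32_t DATA32;   /* assumed: imlib2's 32-bit pixel type */
#define MAX_DIM 8192       /* the upper bound the reply says the loader enforces */

/* The quoted expression as-is: sizeof() is size_t, so a negative w or h is
 * converted to a huge unsigned value and the product silently wraps. */
size_t unchecked_bytes(int w, int h)
{
    return sizeof(DATA32) * w * h;
}

/* Header check described in the reply: both dimensions positive and at most
 * MAX_DIM. With this bound the product is at most 8192*8192*4 = 2^28 bytes,
 * so the multiplication cannot wrap on any platform. Returns 1 if acceptable. */
int dims_ok(long w, long h)
{
    return w > 0 && h > 0 && w <= MAX_DIM && h <= MAX_DIM;
}

/* Independent of the bound: compute the byte count while rejecting any
 * w*h*sizeof(DATA32) that would not fit in size_t. Returns 0 on rejection. */
size_t pixel_bytes(long w, long h)
{
    if (w <= 0 || h <= 0)
        return 0;
    size_t uw = (size_t)w, uh = (size_t)h;
    if (uw > SIZE_MAX / uh)                  /* w*h would wrap */
        return 0;
    size_t pixels = uw * uh;
    if (pixels > SIZE_MAX / sizeof(DATA32))  /* pixels*4 would wrap */
        return 0;
    return pixels * sizeof(DATA32);
}

/* Allocate the pixel buffer only when both checks pass. */
DATA32 *alloc_image(long w, long h)
{
    if (!dims_ok(w, h))
        return NULL;
    size_t n = pixel_bytes(w, h);
    if (n == 0)
        return NULL;
    return malloc(n);
}
```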