From 334581000bbb132d9b4f87cc608b81b0dd0b43ff Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Deuc=D0=B5?= <shurd@sasktel.net>
Date: Fri, 3 Jan 2025 13:46:32 -0500
Subject: [PATCH] "Range check" RIP ICN width/height to untaint them.

This is purely to shut up Coverity since there's no way the value
could be outside the range.
---
 src/syncterm/ripper.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/syncterm/ripper.c b/src/syncterm/ripper.c
index 572fda99ab..2f83e97db7 100644
--- a/src/syncterm/ripper.c
+++ b/src/syncterm/ripper.c
@@ -13844,12 +13844,20 @@ do_rip_command(int level, int sublevel, int cmd, const char *rawargs)
 									break;
 								}
 								pix->width = tmp + 1;
+								if (pix->width < 1)
+									pix->width = 1;
+								if (pix->width > 65536)
+									pix->width = 65536;
 								if (fread(&tmp, sizeof(tmp), 1, icn) != 1) {
 									free(pix);
 									fclose(icn);
 									break;
 								}
 								pix->height = tmp + 1;
+								if (pix->height < 1)
+									pix->height = 1;
+								if (pix->height > 65536)
+									pix->height = 65536;
 								if ((x1 + rip.viewport.sx + pix->width - 1
 								    > rip.viewport.ex)
 								    || (y1 + rip.viewport.sy + pix->height - 1
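Review bot: The four added clamps on `pix->width` and `pix->height` silently rewrite a dimension that was just read from the icon file instead of rejecting the file. The commit message says the range can never be exceeded, but nothing in the code says so, and if the type of `tmp` (declared outside this hunk) is ever widened, a clamped dimension would presumably no longer match the pixel data that follows in the file. Failing closed would be safer: on `pix->width < 1 || pix->width > 65536`, run the same `free(pix); fclose(icn); break;` sequence the neighbouring `fread` failure branches use, and likewise for height. Whichever form is kept, a comment such as `/* tmp is type-bounded; this check only untaints the value for Coverity */` and a named constant for the repeated `65536` would stop the next reader from treating this as the real bounds check. The body of `do_rip_command` starts and ends outside the hunk, so how the dimensions are used after the viewport test is not visible here.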
-- 
GitLab