Skip to content
Snippets Groups Projects
Commit 6f8678eb authored by Deucе's avatar Deucе :ok_hand_tone4:
Browse files

"Range check" RIP ICN width/height to untaint them. 

This is purely to shut up Coverity since there's no way the value
could be outside the range.
parent e15ba307
Branches
Tags
1 merge request!488Overhaul LZH code
Pipeline #7550 passed
Stage: build
Stage: test
Stage: cleanup
Show whitespace changes
Inline Side-by-side
Showing
with 8 additions and 0 deletions
src/syncterm/ripper.c
+ 8
0
View file @ 6f8678eb
...@@ -13844,12 +13844,20 @@ do_rip_command(int level, int sublevel, int cmd, const char *rawargs) ...@@ -13844,12 +13844,20 @@ do_rip_command(int level, int sublevel, int cmd, const char *rawargs)
break; break;
} }
pix->width = tmp + 1; pix->width = tmp + 1;
if (pix->width < 1)
pix->width = 1;
if (pix->width > 65536)
pix->width = 65536;
if (fread(&tmp, sizeof(tmp), 1, icn) != 1) { if (fread(&tmp, sizeof(tmp), 1, icn) != 1) {
free(pix); free(pix);
fclose(icn); fclose(icn);
break; break;
} }
pix->height = tmp + 1; pix->height = tmp + 1;
if (pix->height < 1)
pix->height = 1;
if (pix->height > 65536)
pix->height = 65536;
if ((x1 + rip.viewport.sx + pix->width - 1 if ((x1 + rip.viewport.sx + pix->width - 1
> rip.viewport.ex) > rip.viewport.ex)
|| (y1 + rip.viewport.sy + pix->height - 1 || (y1 + rip.viewport.sy + pix->height - 1
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment