Skip to content
Snippets Groups Projects
Commit 6f8678eb authored by Deucе's avatar Deucе :ok_hand_tone4:
Browse files

"Range check" RIP ICN width/height to untaint them. 

This is purely to shut up Coverity since there's no way the value
could be outside the range.
parent e15ba307
No related branches found
No related tags found
1 merge request!488Overhaul LZH code
Pipeline #7550 passed
Stage: build
Stage: test
Stage: cleanup
Hide whitespace changes
Inline Side-by-side
Showing
with 8 additions and 0 deletions
src/syncterm/ripper.c
+ 8
0
View file @ 6f8678eb
...@@ -13844,12 +13844,20 @@ do_rip_command(int level, int sublevel, int cmd, const char *rawargs) ...@@ -13844,12 +13844,20 @@ do_rip_command(int level, int sublevel, int cmd, const char *rawargs)
break; break;
} }
pix->width = tmp + 1; pix->width = tmp + 1;
if (pix->width < 1)
pix->width = 1;
if (pix->width > 65536)
pix->width = 65536;
if (fread(&tmp, sizeof(tmp), 1, icn) != 1) { if (fread(&tmp, sizeof(tmp), 1, icn) != 1) {
free(pix); free(pix);
fclose(icn); fclose(icn);
break; break;
} }
pix->height = tmp + 1; pix->height = tmp + 1;
if (pix->height < 1)
pix->height = 1;
if (pix->height > 65536)
pix->height = 65536;
if ((x1 + rip.viewport.sx + pix->width - 1 if ((x1 + rip.viewport.sx + pix->width - 1
> rip.viewport.ex) > rip.viewport.ex)
|| (y1 + rip.viewport.sy + pix->height - 1 || (y1 + rip.viewport.sy + pix->height - 1
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment