Amebis/wxWidgets
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Avoid integer overflow when computing image data size in wxImage::Create()

Browse Source 
See #19326

Co-Authored-By: David Costanzo <david_costanzo@yahoo.com>
This commit is contained in:
Paul Cornett
2021-11-27 17:14:28 -08:00
parent deef116a09
commit b04c1ace47
9 changed files with 2473 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
src/common/image.cpp
View File

@@ -156,15 +156,22 @@ bool wxImage::Create( int width, int height, bool clear )
{
UnRef();
m_refData = new wxImageRefData();
M_IMGDATA->m_data = (unsigned char *) malloc( width*height*3 );
if (!M_IMGDATA->m_data)
{
UnRef();
if (width <= 0 || height <= 0)
return false;
}
const unsigned long long size = (unsigned long long)width * height * 3;
// In theory, 64-bit architectures could handle larger sizes,
// but wxImage code is riddled with int-based arithmetic which will overflow
if (size > INT_MAX)
return false;
unsigned char* p = (unsigned char*)malloc(size_t(size));
if (p == NULL)
return false;
m_refData = new wxImageRefData;
M_IMGDATA->m_data = p;
M_IMGDATA->m_width = width;
M_IMGDATA->m_height = height;
M_IMGDATA->m_ok = true;