summaryrefslogtreecommitdiffstats
path: root/abs/extra-testing/wxgtk/overflow.patch
diff options
context:
space:
mode:
authorJames Meyer <james.meyer@operamail.com>2010-03-21 17:53:37 (GMT)
committerJames Meyer <james.meyer@operamail.com>2010-03-21 17:53:37 (GMT)
commitae1bd59670b5cc296524d1d66fabdcbebca58d5b (patch)
tree68b661aecb0842eb49d2c2653e8e728ba371f663 /abs/extra-testing/wxgtk/overflow.patch
parentb6b7cd41b193c21fbed23c47dc56dbc16c113be9 (diff)
downloadlinhes_pkgbuild-ae1bd59670b5cc296524d1d66fabdcbebca58d5b.zip
linhes_pkgbuild-ae1bd59670b5cc296524d1d66fabdcbebca58d5b.tar.gz
linhes_pkgbuild-ae1bd59670b5cc296524d1d66fabdcbebca58d5b.tar.bz2
wxgtk: updated to 2.8.10.1
ref 508
Diffstat (limited to 'abs/extra-testing/wxgtk/overflow.patch')
-rw-r--r--abs/extra-testing/wxgtk/overflow.patch66
1 files changed, 66 insertions, 0 deletions
diff --git a/abs/extra-testing/wxgtk/overflow.patch b/abs/extra-testing/wxgtk/overflow.patch
new file mode 100644
index 0000000..543bdff
--- /dev/null
+++ b/abs/extra-testing/wxgtk/overflow.patch
@@ -0,0 +1,66 @@
+Index: /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagpng.cpp
+===================================================================
+--- /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagpng.cpp (revision 53479)
++++ /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagpng.cpp (revision 60875)
+@@ -569,5 +569,7 @@
+ goto error;
+
+- lines = (unsigned char **)malloc( (size_t)(height * sizeof(unsigned char *)) );
++ // initialize all line pointers to NULL to ensure that they can be safely
++ // free()d if an error occurs before all of them could be allocated
++ lines = (unsigned char **)calloc(height, sizeof(unsigned char *));
+ if ( !lines )
+ goto error;
+@@ -576,9 +578,5 @@
+ {
+ if ((lines[i] = (unsigned char *)malloc( (size_t)(width * (sizeof(unsigned char) * 4)))) == NULL)
+- {
+- for ( unsigned int n = 0; n < i; n++ )
+- free( lines[n] );
+ goto error;
+- }
+ }
+
+Index: /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagtiff.cpp
+===================================================================
+--- /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagtiff.cpp (revision 48694)
++++ /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagtiff.cpp (revision 60876)
+@@ -262,5 +262,4 @@
+
+ uint32 w, h;
+- uint32 npixels;
+ uint32 *raster;
+
+@@ -276,7 +275,18 @@
+ samplesInfo[0] == EXTRASAMPLE_UNASSALPHA));
+
+- npixels = w * h;
+-
+- raster = (uint32*) _TIFFmalloc( npixels * sizeof(uint32) );
++ // guard against integer overflow during multiplication which could result
++ // in allocating a too small buffer and then overflowing it
++ const double bytesNeeded = w * h * sizeof(uint32);
++ if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ )
++ {
++ if ( verbose )
++ wxLogError( _("TIFF: Image size is abnormally big.") );
++
++ TIFFClose(tif);
++
++ return false;
++ }
++
++ raster = (uint32*) _TIFFmalloc( bytesNeeded );
+
+ if (!raster)
+Index: /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagtiff.cpp
+===================================================================
+--- /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagtiff.cpp (revision 60876)
++++ /wxWidgets/branches/WX_2_8_BRANCH/src/common/imagtiff.cpp (revision 60897)
+@@ -277,5 +277,5 @@
+ // guard against integer overflow during multiplication which could result
+ // in allocating a too small buffer and then overflowing it
+- const double bytesNeeded = w * h * sizeof(uint32);
++ const double bytesNeeded = (double)w * (double)h * sizeof(uint32);
+ if ( bytesNeeded >= 4294967295U /* UINT32_MAX */ )
+ {