[1/2] libv4lconvert: Prevent integer overflow by checking width and height
Commit Message
The Mayhem Team found a crash caused by an integer overflow.
Details are here:
http://www.forallsecure.com/bug-reports/8aae67d864bce76993f3f9812b4a2aeea0eb38da/
Signed-off-by: Gregor Jasny <gjasny@googlemail.com>
---
lib/libv4lconvert/ov511-decomp.c | 7 ++++++-
lib/libv4lconvert/ov518-decomp.c | 7 ++++++-
2 files changed, 12 insertions(+), 2 deletions(-)
@@ -14,6 +14,7 @@
* Free Software Foundation; version 2 of the License.
*/
+#include <limits.h>
#include <string.h>
#include <unistd.h>
#include "helper-funcs.h"
@@ -640,7 +641,11 @@ int main(int argc, char *argv[])
dest_size = width * height * 3 / 2;
- if (dest_size > sizeof(dest_buf)) {
+ if (width <= 0 || width > SHRT_MAX || height <= 0 || height > SHRT_MAX) {
+ fprintf(stderr, "%s: error: width or height out of bounds\n",
+ argv[0]);
+ dest_size = -1;
+ } else if (dest_size > sizeof(dest_buf)) {
fprintf(stderr, "%s: error: dest_buf too small, need: %d\n",
argv[0], dest_size);
dest_size = -1;
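Review bot: The context line `dest_size = width * height * 3 / 2;` still runs before the new range test, so the overflowing multiplication is evaluated and only its result is discarded; this is undefined behaviour if `width` and `height` are signed `int`, which their declarations outside the hunk would confirm. The `SHRT_MAX` bound is also too loose for that expression: 32767 * 32767 * 3 is about 3.2e9, above `INT_MAX` for a 32-bit `int`, so in-range values can still overflow before the `else if` comparison and the `need: %d` message may print a meaningless number. Do the range test first and compute the size afterwards in an unsigned type, e.g. `unsigned need = (unsigned)width * (unsigned)height * 3u / 2u;`, comparing `need` with `sizeof(dest_buf)` before assigning `dest_size`. The same applies to the second `main()` hunk (presumably ov518-decomp.c, going by the diffstat order); `main()` starts and ends outside both hunks.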
@@ -15,6 +15,7 @@
* Free Software Foundation; version 2 of the License.
*/
+#include <limits.h>
#include <string.h>
#include <unistd.h>
#include "helper-funcs.h"
@@ -1454,7 +1455,11 @@ int main(int argc, char *argv[])
dest_size = width * height * 3 / 2;
- if (dest_size > sizeof(dest_buf)) {
+ if (width <= 0 || width > SHRT_MAX || height <= 0 || height > SHRT_MAX) {
+ fprintf(stderr, "%s: error: width or height out of bounds\n",
+ argv[0]);
+ dest_size = -1;
+ } else if (dest_size > sizeof(dest_buf)) {
fprintf(stderr, "%s: error: dest_buf too small, need: %d\n",
argv[0], dest_size);
dest_size = -1;