RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 03:27:44 +00:00
Code Issues Activity Actions

LibGfx: Eliminate multiplication integer overflow in planar_to_chunky

Browse source 
Multiplying two u16s will result in a i32 sized result, which will
overflow to negative values for large input values.

Fixes ossfuzz-64198.
This commit is contained in:
Idan Horowitz 2023-12-02 12:37:23 +02:00 committed by Andreas Kling
parent e1b438bb1a
commit 1a35621930
1 changed files with 1 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Userland/Libraries/LibGfx/ImageFormats/ILBMLoader.cpp
View file

@ -153,7 +153,7 @@ static ErrorOr<ByteBuffer> planar_to_chunky(ReadonlyBytes bitplanes, ILBMLoading
auto chunky = TRY(ByteBuffer::create_zeroed(static_cast<size_t>(width) * height));
for (u16 y = 0; y < height; y++) {
size_t scanline = y * width;
size_t scanline = static_cast<size_t>(y) * width;
for (u8 p = 0; p < planes; p++) {
u8 const plane_mask = 1 << p;
size_t offset_base = (pitch * planes * y) + (p * pitch);