From b918dcd4db512c3cb7b9871bdc1439a9a6b8c1b1 Mon Sep 17 00:00:00 2001
From: Lucas CHOLLET <lucas.chollet@free.fr>
Date: Tue, 18 Jul 2023 14:55:51 -0400
Subject: [PATCH] LibGfx/TGA: Compute the number of pixels with a wider type

Both width and height are stored in an u16 inside the TGA header,
computing the total number of pixel without using another type can
easily lead to overflows.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55309&q=serenity&can=2
---
 Userland/Libraries/LibGfx/ImageFormats/TGALoader.cpp | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/Userland/Libraries/LibGfx/ImageFormats/TGALoader.cpp b/Userland/Libraries/LibGfx/ImageFormats/TGALoader.cpp
index afd825f62b..888efe7c0a 100644
--- a/Userland/Libraries/LibGfx/ImageFormats/TGALoader.cpp
+++ b/Userland/Libraries/LibGfx/ImageFormats/TGALoader.cpp
@@ -195,8 +195,7 @@ ErrorOr<void> TGAImageDecoderPlugin::decode_tga_header()
 
     auto bytes_remaining = reader->data().size() - reader->index();
 
-    // FIXME: Check for multiplication overflow!
-    if (m_context->header.data_type_code == TGADataType::UncompressedRGB && bytes_remaining < static_cast<size_t>(m_context->header.width * m_context->header.height * (m_context->header.bits_per_pixel / 8)))
+    if (m_context->header.data_type_code == TGADataType::UncompressedRGB && bytes_remaining < static_cast<u64>(m_context->header.width) * m_context->header.height * (m_context->header.bits_per_pixel / 8))
         return Error::from_string_literal("Not enough data to read an image with the expected size");
 
     if (m_context->header.bits_per_pixel < 8 || m_context->header.bits_per_pixel > 32)
@@ -210,8 +209,7 @@ ErrorOr<bool> TGAImageDecoderPlugin::validate_before_create(ReadonlyBytes data)
     if (data.size() < sizeof(TGAHeader))
         return false;
     TGAHeader const& header = *reinterpret_cast<TGAHeader const*>(data.data());
-    // FIXME: Check for multiplication overflow!
-    if (header.data_type_code == TGADataType::UncompressedRGB && data.size() < static_cast<size_t>(header.width * header.height * (header.bits_per_pixel / 8)))
+    if (header.data_type_code == TGADataType::UncompressedRGB && data.size() < static_cast<u64>(header.width) * header.height * (header.bits_per_pixel / 8))
         return false;
     if (header.bits_per_pixel < 8 || header.bits_per_pixel > 32)
         return false;