
LibGfx/TGA: Compute the number of pixels with a wider type

Both width and height are stored as u16 in the TGA header, so
computing the total number of pixels without using another type can
easily lead to overflows.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=55309&q=serenity&can=2
Lucas CHOLLET 2023-07-18 14:55:51 -04:00 committed by Andreas Kling
parent b5658d75f5
commit b918dcd4db


@ -195,8 +195,7 @@ ErrorOr<void> TGAImageDecoderPlugin::decode_tga_header()
auto bytes_remaining = reader->data().size() - reader->index();
// FIXME: Check for multiplication overflow!
if (m_context->header.data_type_code == TGADataType::UncompressedRGB && bytes_remaining < static_cast<size_t>(m_context->header.width * m_context->header.height * (m_context->header.bits_per_pixel / 8)))
if (m_context->header.data_type_code == TGADataType::UncompressedRGB && bytes_remaining < static_cast<u64>(m_context->header.width) * m_context->header.height * (m_context->header.bits_per_pixel / 8))
return Error::from_string_literal("Not enough data to read an image with the expected size");
if (m_context->header.bits_per_pixel < 8 || m_context->header.bits_per_pixel > 32)
@ -210,8 +209,7 @@ ErrorOr<bool> TGAImageDecoderPlugin::validate_before_create(ReadonlyBytes data)
if (data.size() < sizeof(TGAHeader))
return false;
TGAHeader const& header = *reinterpret_cast<TGAHeader const*>(data.data());
// FIXME: Check for multiplication overflow!
if (header.data_type_code == TGADataType::UncompressedRGB && data.size() < static_cast<size_t>(header.width * header.height * (header.bits_per_pixel / 8)))
if (header.data_type_code == TGADataType::UncompressedRGB && data.size() < static_cast<u64>(header.width) * header.height * (header.bits_per_pixel / 8))
return false;
if (header.bits_per_pixel < 8 || header.bits_per_pixel > 32)
return false;
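Review bot: In validate_before_create the expected pixel payload is compared against `data.size()`, which still includes the `sizeof(TGAHeader)` bytes checked a few lines earlier, so a buffer that is short by up to one header's worth of data passes this sniff. decode_tga_header compares against `bytes_remaining`, which presumably excludes what the reader has already consumed, so the two checks are not equivalent. Since `data.size() >= sizeof(TGAHeader)` is already established at that point, the left-hand side could be `data.size() - sizeof(TGAHeader)`. In both hunks the widening is correct only because the cast sits on the first operand, so a short comment such as `// Cast before multiplying: u16 * u16 is evaluated as int and can overflow.` would keep a later reorder from reintroducing the bug. Both function bodies continue outside the visible hunks.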