| From c92240c1670c20c2f854761d3a89ab61dd158c91 Mon Sep 17 00:00:00 2001 |
| From: "Christoph M. Becker" <cmbecker69@gmx.de> |
| Date: Sat, 6 Aug 2016 10:08:53 +0200 |
| Subject: [PATCH] Fix potential unsigned underflow |
| |
| No need to decrease `u`, so we don't do it. While we're at it, we also factor |
| out the overflow check of the loop, which improves performance and readability. |
| |
| This issue has been reported by Stefan Esser to security@libgd.org. |
| |
| Upstream-Status: Backport |
| CVE: CVE-2016-10166 |
| |
| Signed-off-by: Catalin Enache <catalin.enache@windriver.com> |
| --- |
| src/gd_interpolation.c | 19 ++++++++++--------- |
| 1 file changed, 10 insertions(+), 9 deletions(-) |
| |
| diff --git a/src/gd_interpolation.c b/src/gd_interpolation.c |
| index 7e7943d..9944349 100644 |
| --- a/src/gd_interpolation.c |
| +++ b/src/gd_interpolation.c |
| @@ -829,8 +829,13 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length, |
| { |
| unsigned int u = 0; |
| LineContribType *res; |
| - int overflow_error = 0; |
| + size_t weights_size; |
| |
| + if (overflow2(windows_size, sizeof(double))) { |
| + return NULL; |
| + } else { |
| + weights_size = windows_size * sizeof(double); |
| + } |
| res = (LineContribType *) gdMalloc(sizeof(LineContribType)); |
| if (!res) { |
| return NULL; |
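Review bot: The `else` wrapped around `weights_size = windows_size * sizeof(double);` is redundant, because the `if` branch above it returns NULL; the hoisted check reads more plainly as `if (overflow2(windows_size, sizeof(double))) { return NULL; }` followed directly by `weights_size = windows_size * sizeof(double);`. The guard's strength also depends on overflow2's parameter types, which are not visible in this hunk: if it takes `int` arguments, a `windows_size` above INT_MAX is converted before the check, so it is worth confirming that the helper rejects such values rather than relying on the conversion. The signature of _gdContributionsAlloc is above the hunk and its body continues below it.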
| @@ -847,15 +852,11 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length, |
| return NULL; |
| } |
| for (u = 0 ; u < line_length ; u++) { |
| - if (overflow2(windows_size, sizeof(double))) { |
| - overflow_error = 1; |
| - } else { |
| - res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double)); |
| - } |
| - if (overflow_error == 1 || res->ContribRow[u].Weights == NULL) { |
| + res->ContribRow[u].Weights = (double *) gdMalloc(weights_size); |
| + if (res->ContribRow[u].Weights == NULL) { |
| unsigned int i; |
| - u--; |
| - for (i=0;i<=u;i++) { |
| + |
| + for (i=0;i<u;i++) { |
| gdFree(res->ContribRow[i].Weights); |
| } |
| gdFree(res->ContribRow); |
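Review bot: The new cleanup bound `for (i=0;i<u;i++)` deserves a comment, since the `<=` form with `u--` it replaces is exactly the unsigned underflow this commit fixes and a future reader could be tempted to "restore" it. I would add `/* entries 0..u-1 were allocated; entry u is the one that failed, so it must not be freed */` directly above the loop. The rest of the failure path continues past the end of the hunk.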
| -- |
| 2.10.2 |
| |