Potential buffer overflow (integer overflow for insane image sizes) #14
Comments
|
Thank you, Christian, great ! May I ask you to continue the discussion on tk core, as the issue is also present there: https://core.tcl-lang.org/tk/info/822330269bd1da07 Thank you, |
|
I hope it is fixed by the following commit: Thank you, |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Here, the size of the image buffer is computed by 32bit signed integer math, which may lead to overflow for insane settings of width and height, or e.g. -scale:
tksvg/generic/tkImgSVG.c
Line 616 in 68cc55d
Due to the integer wrap-around, it may result in the successful allocation of a small buffer. Suggested fix: Use 64bit math, e.g.
(size_t)w * (size_t) h
and check for overflow (painful). Or don't use ckalloc, but malloc.
The text was updated successfully, but these errors were encountered: