Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 0d31f12

Browse files
oehharoehhar
committed
Issue tcltk-depot#14 / Tk Ticket [822330269b]: Check potential int overflow in following ckalloc
1 parent 68cc55d commit 0d31f12

File tree

1 file changed

+10
-1
lines changed

1 file changed

+10
-1
lines changed

generic/tkImgSVG.c

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,7 @@
2424
#endif
2525
#include <stdio.h>
2626
#include <string.h>
27+
#include <limits.h>
2728
#ifdef _MSC_VER
2829
#define strcasecmp _stricmp
2930
#endif
@@ -213,7 +214,7 @@ FileMatchSVG(
213214
Tcl_DecrRefCount(dataObj);
214215
return 0;
215216
}
216-
data = Tcl_GetStringFromObj(dataObj, &length);
217+
data = TkGetStringFromObj(dataObj, &length);
217218
nsvgImage = ParseSVGWithOptions(interp, data, length, formatObj, &ropts);
218219
Tcl_DecrRefCount(dataObj);
219220
if (nsvgImage != NULL) {
@@ -613,6 +614,14 @@ RasterizeSVG(
613614
NULL);
614615
goto cleanAST;
615616
}
617+
618+
/* Tk Ticket [822330269b] Check potential int overflow in following ckalloc */
619+
if ( w * h < 0 || w * h > INT_MAX / 4) {
620+
Tcl_SetObjResult(interp, Tcl_NewStringObj("image size overflow", -1));
621+
Tcl_SetErrorCode(interp, "TK", "IMAGE", "SVG", "IMAGE_SIZE_OVERFLOW", NULL);
622+
goto cleanRAST;
623+
}
624+
616625
imgData = (unsigned char *)attemptckalloc(w * h *4);
617626
if (imgData == NULL) {
618627
Tcl_SetObjResult(interp, Tcl_NewStringObj("cannot alloc image buffer", -1));

0 commit comments

Comments
 (0)