Skip to content

Commit 82c7c05

Browse files
lovelllovell
authored
Avoid possible overflow when multiplication result is cast up/down (#4412)
1 parent d0b9bf8 commit 82c7c05

File tree

19 files changed

+23
-22
lines changed

19 files changed

+23
-22
lines changed

ChangeLog

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -26,6 +26,7 @@
2626
- heifload: prevent possible int overflow for large images [kleisauke]
2727
- tiffload: add missing read loop [kleisauke]
2828
- prevent possible use-after-free when debugging via `--vips-leak` flag [lovell]
29+
- avoid possible overflow when multiplication result is cast up [lovell]
2930

3031
10/10/24 8.16.0
3132

libvips/arithmetic/hist_find_indexed.c

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -117,8 +117,8 @@ histogram_new(VipsHistFindIndexed *indexed)
117117
!(hist->reg = vips_region_new(indexed->index_ready)))
118118
return NULL;
119119

120-
memset(hist->bins, 0, bands * hist->size * sizeof(double));
121-
memset(hist->init, 0, hist->size * sizeof(int));
120+
memset(hist->bins, 0, (size_t) bands * hist->size * sizeof(double));
121+
memset(hist->init, 0, (size_t) hist->size * sizeof(int));
122122

123123
return hist;
124124
}

libvips/arithmetic/project.c

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -109,8 +109,8 @@ histogram_new(VipsProject *project)
109109
!hist->row_sums)
110110
return NULL;
111111

112-
memset(hist->column_sums, 0, psize * in->Xsize);
113-
memset(hist->row_sums, 0, psize * in->Ysize);
112+
memset(hist->column_sums, 0, (size_t) psize * in->Xsize);
113+
memset(hist->row_sums, 0, (size_t) psize * in->Ysize);
114114

115115
return hist;
116116
}

libvips/colour/LCh2UCS.c

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -165,9 +165,9 @@ vips_col_Ch2hcmc(float C, float h)
165165
}
166166

167167
P = cos(VIPS_RAD(k7 * h + k8));
168-
D = k4 + k5 * P * pow(VIPS_FABS(P), k6);
168+
D = k4 + k5 * P * powf(fabsf(P), k6);
169169
g = C * C * C * C;
170-
f = sqrt(g / (g + 1900.0));
170+
f = sqrtf(g / (g + 1900.0F));
171171
hcmc = h + D * f;
172172

173173
return hcmc;

libvips/conversion/bandfold.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -96,7 +96,7 @@ vips_bandfold_gen(VipsRegion *out_region,
9696
/* We can't use vips_region_region() since we change pixel
9797
* coordinates.
9898
*/
99-
memcpy(q, p, psize * r->width);
99+
memcpy(q, p, (size_t) psize * r->width);
100100
}
101101

102102
return 0;

libvips/conversion/bandunfold.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -99,7 +99,7 @@ vips_bandunfold_gen(VipsRegion *out_region,
9999
/* We can't use vips_region_region() since we change pixel
100100
* coordinates.
101101
*/
102-
memcpy(q, p, r->width * psize);
102+
memcpy(q, p, (size_t) r->width * psize);
103103
}
104104

105105
return 0;

libvips/conversion/composite.cpp

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -899,7 +899,7 @@ vips_composite_base_blend3(VipsCompositeSequence *seq,
899899
/* You can't sqrt a vector, so we must loop.
900900
*/
901901
for (int b = 0; b < 3; b++) {
902-
double g;
902+
float g;
903903

904904
if (B[b] <= 0.25)
905905
g = ((16 * B[b] - 12) * B[b] + 4) * B[b];

libvips/conversion/embed.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -217,7 +217,7 @@ vips_embed_base_paint_edge(VipsEmbedBase *base,
217217
*/
218218
for (y = 0; y < todo.height; y++) {
219219
q = VIPS_REGION_ADDR(out_region, todo.left, todo.top + y);
220-
memcpy(q, p, bs * todo.width);
220+
memcpy(q, p, (size_t) bs * todo.width);
221221
}
222222
}
223223

libvips/foreign/jp2ksave.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -482,7 +482,7 @@ vips_foreign_save_jp2k_sizeof_tile(VipsForeignSaveJp2k *jp2k, VipsRect *tile)
482482
(double) tile->height / comp->dy);
483483
;
484484

485-
size += output_width * output_height * sizeof_element;
485+
size += (size_t) output_width * output_height * sizeof_element;
486486
}
487487

488488
return size;

libvips/foreign/nsgifload.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -512,7 +512,7 @@ vips_foreign_load_nsgif_generate(VipsRegion *out_region,
512512
gif->frame_number = page;
513513
}
514514

515-
p = (VipsPel *) gif->bitmap + line * gif->info->width * sizeof(int);
515+
p = (VipsPel *) gif->bitmap + (size_t) line * gif->info->width * sizeof(int);
516516
q = VIPS_REGION_ADDR(out_region, 0, r->top + y);
517517
if (gif->has_transparency)
518518
memcpy(q, p, VIPS_REGION_SIZEOF_LINE(out_region));

0 commit comments

Comments
 (0)