Fix T99705: fix integer overflow in thumbnail extractor
It was smart enough to check if the buffer had the right size but neglected to cast to a 64 bit value so it overflowed. Differential Revision: https://developer.blender.org/D15457 Reviewed By: brecht
This commit is contained in:
parent
afb82199a3
commit
32df09b241
Notes:
blender-bot
2023-02-14 06:49:54 +01:00
Referenced by issue #99705, Out-of-bounds memory access due to blender-thumbnailer Referenced by issue #98661, 3.2: Potential candidates for corrective releases
|
@ -134,7 +134,8 @@ static eThumbStatus blendthumb_extract_from_file_impl(FileReader *file,
|
|||
|
||||
/* Verify that image dimensions and data size make sense. */
|
||||
size_t data_size = block_size - 8;
|
||||
const size_t expected_size = thumb->width * thumb->height * 4;
|
||||
const uint64_t expected_size = static_cast<uint64_t>(thumb->width) *
|
||||
static_cast<uint64_t>(thumb->height) * 4;
|
||||
if (thumb->width < 0 || thumb->height < 0 || data_size != expected_size) {
|
||||
return BT_INVALID_THUMB;
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue