Fix T99705: fix integer overflow in thumbnail extractor

It was smart enough to check if the buffer had the right size but neglected to cast to a 64 bit value so it overflowed. Differential Revision: https://developer.blender.org/D15457 Reviewed By: brecht
Referenced by issue #99705, Out-of-bounds memory access due to blender-thumbnailer Referenced by issue #98661, 3.2: Potential candidates for corrective releases
2022-07-14 12:18:35 -06:00 · 2022-07-14 12:18:35 -06:00 · 32df09b241 · 2023-02-14 06:49:54 +01:00
parent afb82199a3
commit 32df09b241
1 changed files with 2 additions and 1 deletions
--- a/source/blender/blendthumb/src/blendthumb_extract.cc
+++ b/source/blender/blendthumb/src/blendthumb_extract.cc
@ -134,7 +134,8 @@ static eThumbStatus blendthumb_extract_from_file_impl(FileReader *file,

        /* Verify that image dimensions and data size make sense. */
        size_t data_size = block_size - 8;
-        const size_t expected_size = thumb->width * thumb->height * 4;
+        const uint64_t expected_size = static_cast<uint64_t>(thumb->width) *
+                                       static_cast<uint64_t>(thumb->height) * 4;
        if (thumb->width < 0 || thumb->height < 0 || data_size != expected_size) {
          return BT_INVALID_THUMB;
        }